From 0234fcbc3952fb5b90c47522a86bd6663a39822c Mon Sep 17 00:00:00 2001
From: Fraser Molyneux
Date: Fri, 27 Sep 2024 23:25:41 +0100
Subject: [PATCH] Refactoring permissions

---
 terraform/api_management_role_assignments.tf | 5 ++++
 terraform/function_app.tf | 6 -----
 terraform/function_app_role_assignments.tf | 24 ++++++++++++++++++++
 terraform/key_vault_role_assignments.tf | 11 ---------
 4 files changed, 29 insertions(+), 17 deletions(-)
 create mode 100644 terraform/api_management_role_assignments.tf
 delete mode 100644 terraform/key_vault_role_assignments.tf

diff --git a/terraform/api_management_role_assignments.tf b/terraform/api_management_role_assignments.tf
new file mode 100644
index 0000000..7e1e1f0
--- /dev/null
+++ b/terraform/api_management_role_assignments.tf
@@ -0,0 +1,5 @@
+resource "azurerm_role_assignment" "apim_kv_role_assignment" {
+ scope = azurerm_key_vault.kv.id
+ role_definition_name = "Key Vault Secrets User"
+ principal_id = data.azurerm_api_management.core.identity.0.principal_id
+}
diff --git a/terraform/function_app.tf b/terraform/function_app.tf
index 99574a0..0f33a3f 100644
--- a/terraform/function_app.tf
+++ b/terraform/function_app.tf
@@ -63,12 +63,6 @@ resource "azurerm_linux_function_app" "app" {
 }
 }

-resource "azurerm_role_assignment" "app-to-storage" {
- scope = azurerm_storage_account.function_app_storage.id
- role_definition_name = "Storage Blob Data Owner"
- principal_id = azurerm_linux_function_app.app.identity[0].principal_id
-}
-
 data "azurerm_function_app_host_keys" "app" {
 name = azurerm_linux_function_app.app.name
 resource_group_name = azurerm_resource_group.rg.name
diff --git a/terraform/function_app_role_assignments.tf b/terraform/function_app_role_assignments.tf
index e05d962..dca1c67 100644
--- a/terraform/function_app_role_assignments.tf
+++ b/terraform/function_app_role_assignments.tf
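Review bot: `principal_id = data.azurerm_api_management.core.identity.0.principal_id` uses the legacy dotted index form, while the moved `app-to-storage` block in function_app_role_assignments.tf uses `identity[0].principal_id`; the bracket form is the one Terraform documents for 0.12+ and using it everywhere keeps the role-assignment files consistent, e.g. `principal_id = data.azurerm_api_management.core.identity[0].principal_id`. The same dotted form appears three more times in the function_app_role_assignments.tf hunk. Because the resource address `azurerm_role_assignment.apim_kv_role_assignment` is unchanged by the move between files, this should plan as no changes; it is worth confirming that with a plan before apply so the APIM identity does not briefly lose access to the vault. A one-line comment above the block naming what APIM reads from the vault (e.g. `# APIM named values / backend secrets are resolved from this vault`, confirm against the APIM config) would make the grant easier to review later.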
@@ -1,3 +1,27 @@
+resource "azurerm_role_assignment" "app-to-storage" {
+ scope = azurerm_storage_account.function_app_storage.id
+ role_definition_name = "Storage Blob Data Owner"
+ principal_id = azurerm_linux_function_app.app.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "app-to-servicebus-receiver" {
+ scope = azurerm_servicebus_namespace.ingest.id
+ role_definition_name = "Azure Service Bus Data Receiver"
+ principal_id = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "app-to-servicebus-sender" {
+ scope = azurerm_servicebus_namespace.ingest.id
+ role_definition_name = "Azure Service Bus Data Sender"
+ principal_id = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "web_app_kv_role_assignment" {
+ scope = azurerm_key_vault.kv.id
+ role_definition_name = "Key Vault Secrets User"
+ principal_id = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
 resource "azuread_app_role_assignment" "repository_api" {
 app_role_id = data.azuread_service_principal.repository_api.app_roles[index(data.azuread_service_principal.repository_api.app_roles.*.display_name, "ServiceAccount")].id
 principal_object_id = azurerm_linux_function_app.app.identity.0.principal_id
diff --git a/terraform/key_vault_role_assignments.tf b/terraform/key_vault_role_assignments.tf
deleted file mode 100644
index a5e64ae..0000000
--- a/terraform/key_vault_role_assignments.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "azurerm_role_assignment" "apim_kv_role_assignment" {
- scope = azurerm_key_vault.kv.id
- role_definition_name = "Key Vault Secrets User"
- principal_id = data.azurerm_api_management.core.identity.0.principal_id
-}
-
-resource "azurerm_role_assignment" "web_app_kv_role_assignment" {
- scope = azurerm_key_vault.kv.id
- role_definition_name = "Key Vault Secrets User"
- principal_id = azurerm_linux_function_app.app.identity.0.principal_id
-}
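Review bot: Both `app-to-servicebus-receiver` and `app-to-servicebus-sender` are scoped to `azurerm_servicebus_namespace.ingest.id`, which grants the function identity send and receive on every queue, topic and subscription in the namespace; if the function only touches specific entities, setting `scope` on each assignment to that queue or topic resource id keeps the grant at least privilege and lets the receive and send roles be limited to the entities each direction actually needs. The new resource names also mix conventions (`app-to-storage` and `app-to-servicebus-*` versus `web_app_kv_role_assignment`), and the last one says `web_app` although its principal is the function app; `app-to-key-vault` would be consistent, but note that renaming a resource destroys and recreates the assignment unless a `moved` block is added. A one-line comment on each block stating which code path needs the role (e.g. `# Host storage for the Functions runtime; confirm Blob Data Owner is the minimum the host needs`) would make later permission reviews much faster.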