feat: DTOSS-4810 Add optional RBAC role assignment to Key Vault module (

#55)
NHSDigital · Nov 20, 2024 · 57e204e · 57e204e
1 parent 36f0b2d
commit 57e204e
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 7 deletions.
diff --git a/infrastructure/modules/function-app/rbac.tf b/infrastructure/modules/function-app/rbac.tf
@@ -1,7 +1,7 @@
 module "rbac_assignmnents" {
+  # This results in a numbered index, necessary to avoid keying on values that are only known after apply (scope is a resource id)
   for_each = { for idx, assignment in var.rbac_role_assignments : idx => assignment }
 
-
   source = "../rbac-assignment"
 
   principal_id         = azurerm_linux_function_app.function_app.identity.0.principal_id

diff --git a/infrastructure/modules/key-vault/rbac.tf b/infrastructure/modules/key-vault/rbac.tf
@@ -0,0 +1,10 @@
+# Need to give the deployment service principal the required permissions to the key vault
+module "rbac_assignmnents" {
+  for_each = var.enable_rbac_authorization ? toset(var.rbac_roles) : []
+
+  source = "../rbac-assignment"
+
+  principal_id         = data.azurerm_client_config.current.object_id
+  role_definition_name = each.key
+  scope                = azurerm_key_vault.keyvault.id
+}
diff --git a/infrastructure/modules/key-vault/variables.tf b/infrastructure/modules/key-vault/variables.tf
@@ -46,6 +46,12 @@ variable "purge_protection_enabled" {
   default     = false
 }
 
+variable "rbac_roles" {
+  description = "List of RBAC roles to assign to the Key Vault."
+  type        = list(string)
+  default     = []
+}
+
 variable "soft_delete_retention" {
   type        = number
   description = "Name of the  Key Vault which is created."

diff --git a/infrastructure/modules/storage/rbac.tf b/infrastructure/modules/storage/rbac.tf
@@ -1,11 +1,11 @@
-# Need to give the depolyment service principal the required permissions to the storage account
+# Need to give the deployment service principal the required permissions to the storage account
 module "rbac_assignmnents" {
-  for_each = { for idx, assignment in var.rbac_roles : idx => assignment }
+  for_each = toset(var.rbac_roles)
 
   source = "../rbac-assignment"
 
   principal_id         = data.azurerm_client_config.current.object_id
-  role_definition_name = each.value
+  role_definition_name = each.key
   scope                = azurerm_storage_account.storage_account.id
 }
 

diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
@@ -63,9 +63,9 @@ variable "public_network_access_enabled" {
 }
 
 variable "rbac_roles" {
-  description = "Map of RBAC roles to assign to the Storage Account."
-  type        = map(string)
-  default     = {}
+  description = "List of RBAC roles to assign to the Storage Account."
+  type        = list(string)
+  default     = []
 }
 
 variable "tags" {