From 57e204e15509e40243551dccfe077f3452a31369 Mon Sep 17 00:00:00 2001
From: patrickmoore-nc <94625903+patrickmoore-nc@users.noreply.github.com>
Date: Wed, 20 Nov 2024 11:53:42 +0000
Subject: [PATCH] feat: DTOSS-4810 Add optional RBAC role assignment to Key Vault module (#55)

---
 infrastructure/modules/function-app/rbac.tf | 2 +-
 infrastructure/modules/key-vault/rbac.tf | 10 ++++++++++
 infrastructure/modules/key-vault/variables.tf | 6 ++++++
 infrastructure/modules/storage/rbac.tf | 6 +++---
 infrastructure/modules/storage/variables.tf | 6 +++---
 5 files changed, 23 insertions(+), 7 deletions(-)
 create mode 100644 infrastructure/modules/key-vault/rbac.tf

diff --git a/infrastructure/modules/function-app/rbac.tf b/infrastructure/modules/function-app/rbac.tf
index c10be714..e60cec35 100644
--- a/infrastructure/modules/function-app/rbac.tf
+++ b/infrastructure/modules/function-app/rbac.tf
@@ -1,7 +1,7 @@
 module "rbac_assignmnents" {
+  # This results in a numbered index, necessary to avoid keying on values that are only known after apply (scope is a resource id)
   for_each = { for idx, assignment in var.rbac_role_assignments : idx => assignment }
-
   source = "../rbac-assignment"
   principal_id = azurerm_linux_function_app.function_app.identity.0.principal_id
diff --git a/infrastructure/modules/key-vault/rbac.tf b/infrastructure/modules/key-vault/rbac.tf
new file mode 100644
index 00000000..6c0771bb
--- /dev/null
+++ b/infrastructure/modules/key-vault/rbac.tf
@@ -0,0 +1,10 @@
+# Need to give the deployment service principal the required permissions to the key vault
+module "rbac_assignmnents" {
+  for_each = var.enable_rbac_authorization ? toset(var.rbac_roles) : []
+
+  source = "../rbac-assignment"
+
+  principal_id = data.azurerm_client_config.current.object_id
+  role_definition_name = each.key
+  scope = azurerm_key_vault.keyvault.id
+}
diff --git a/infrastructure/modules/key-vault/variables.tf b/infrastructure/modules/key-vault/variables.tf
index 969177a2..2b93e7ed 100644
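Review bot: The `for_each` on the third added line of the new key-vault rbac.tf mixes a `set(string)` true branch with an empty tuple `[]` false branch; Terraform requires both results of a conditional to unify to a single type and may reject this as inconsistent result types, so `for_each = toset(var.enable_rbac_authorization ? var.rbac_roles : [])` is the safer form. The new file also reads `var.enable_rbac_authorization`, which is not declared in this patch's key-vault variables.tf hunk, so it presumably already exists in the module and is worth confirming. Because every role listed is granted to `data.azurerm_client_config.current.object_id`, i.e. whichever identity runs the apply, the header comment should say so: `# Grants each role in var.rbac_roles to the identity running this deployment; no assignment is made unless RBAC authorization is enabled on the vault`. The block also copies the misspelled label `rbac_assignmnents` from the other modules; since no state exists yet for this new file, correcting it here costs nothing.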
--- a/infrastructure/modules/key-vault/variables.tf
+++ b/infrastructure/modules/key-vault/variables.tf
@@ -46,6 +46,12 @@ variable "purge_protection_enabled" {
   default = false
 }
+variable "rbac_roles" {
+  description = "List of RBAC roles to assign to the Key Vault."
+  type = list(string)
+  default = []
+}
+
 variable "soft_delete_retention" {
   type = number
   description = "Name of the Key Vault which is created."
diff --git a/infrastructure/modules/storage/rbac.tf b/infrastructure/modules/storage/rbac.tf
index c6ba06a6..5d74a239 100644
--- a/infrastructure/modules/storage/rbac.tf
+++ b/infrastructure/modules/storage/rbac.tf
@@ -1,11 +1,11 @@
-# Need to give the depolyment service principal the required permissions to the storage account
+# Need to give the deployment service principal the required permissions to the storage account
 module "rbac_assignmnents" {
-  for_each = { for idx, assignment in var.rbac_roles : idx => assignment }
+  for_each = toset(var.rbac_roles)
   source = "../rbac-assignment"
   principal_id = data.azurerm_client_config.current.object_id
-  role_definition_name = each.value
+  role_definition_name = each.key
   scope = azurerm_storage_account.storage_account.id
 }
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index c4cfbf5c..fceac1ff 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -63,9 +63,9 @@ variable "public_network_access_enabled" {
 }
 variable "rbac_roles" {
-  description = "Map of RBAC roles to assign to the Storage Account."
-  type = map(string)
-  default = {}
+  description = "List of RBAC roles to assign to the Storage Account."
+  type = list(string)
+  default = []
 }
 variable "tags" {
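Review bot: The description of the new `rbac_roles` variable in key-vault variables.tf does not say who receives the roles or that assignment is gated on `enable_rbac_authorization`, which matters because every role listed is granted to the principal running the deployment rather than to an application identity. Suggest `description = "Built-in RBAC role names to assign to the deploying principal on the Key Vault; only applied when enable_rbac_authorization is true."`. The variable is a list but rbac.tf wraps it in `toset`, so duplicate entries are silently collapsed; a one-line comment or a `validation` block noting this would save a reader from expecting one assignment per list element.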
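Review bot: Switching storage/rbac.tf from an index-keyed map to `for_each = toset(var.rbac_roles)` changes each instance address from `module.rbac_assignmnents["0"]` to `module.rbac_assignmnents["<role name>"]`, so the next apply will plan to destroy and recreate every existing storage role assignment, with a brief window in which the deploying principal loses those permissions. A `moved` block per existing assignment, from the old numeric key to the role-name key, would keep them in place; if that is not practical, the recreate should at least be called out in the PR description. The `map(string)` to `list(string)` change in storage/variables.tf below is part of the same break: any root module still passing a map will fail variable validation until it is updated.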