# Custom role definitions: one instance of the custom_roles module per entry in
# var.custom_role_definitions. The assignable scopes of each definition are
# resolved beforehand in local.assignable_scopes under the same key, so the
# module receives resource ids, not resource keys.
module "custom_roles" {
  source   = "./roles/custom_roles"
  for_each = var.custom_role_definitions

  global_settings      = local.global_settings
  subscription_primary = data.azurerm_subscription.primary.id
  custom_role          = each.value
  assignable_scopes    = local.assignable_scopes[each.key]
}
#
# Role assignments
#
# Requires the modules to output an rbac_id that is set to the principal_id
#
# One role assignment per entry of local.roles_to_process (the flattened form of
# var.role_mapping built in the locals block below).
resource "azurerm_role_assignment" "for" {
  for_each = try(local.roles_to_process, {})

  # Principal: for the "object_ids" resource type the key itself is used as the
  # principal object id (passed through verbatim, no lookup or validation at
  # this point); for every other type the principal is resolved through
  # local.services_roles[<type>][<key>].rbac_id. A type that is not present in
  # local.services_roles fails the plan rather than being skipped.
  principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : local.services_roles[each.value.object_id_resource_type][each.value.object_id_key_resource].rbac_id

  # Role: selected by each.value.mode. Custom roles are resolved to the resource
  # id produced by module.custom_roles, built-in roles are passed by name.
  # NOTE(review): a mode other than these two leaves both arguments null; this
  # file performs no other validation of `mode`, so presumably the provider
  # rejects such an entry.
  role_definition_id   = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
  role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null

  # Scope: the id of the object the role is granted on, looked up in
  # local.services_roles[<type>][<key>].id. Management group scopes come from
  # local.management_groups, where the key "root" resolves to the tenant id.
  scope = local.services_roles[each.value.scope_resource_key][each.value.scope_key_resource].id
}
# Resolves every management group named under
# var.role_mapping.built_in_role_mapping.management_group so that its id can be
# used as an assignment scope. The key "root" (compared case-insensitively) is
# mapped to the tenant id, which is the name of the tenant root management
# group; any other key is used as the management group name as given.
data "azurerm_management_group" "level" {
  for_each = {
    for mg_key, mg in try(var.role_mapping.built_in_role_mapping.management_group, {}) : mg_key => mg
  }

  name = lower(each.key) == "root" ? data.azurerm_client_config.current.tenant_id : each.key
}
locals {
  /*
  aks_ingress_application_gateway_identities = tomap(
    {
      for key, value in try(module.aks_clusters, {}) :
      key => {
        rbac_id = value.addon_profile[0].ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
      } if can(value.addon_profile[0].ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id)
    }
  )
  */

  # Management groups referenced by
  # var.role_mapping.built_in_role_mapping.management_group, keyed by the
  # caller's key and carrying the id resolved by data.azurerm_management_group.level
  # (where "root" is resolved to the tenant root group). Exposed to role_mapping
  # as the "management_group" resource type.
  management_groups = tomap(
    {
      for key, value in try(var.role_mapping.built_in_role_mapping.management_group, {}) :
      key => {
        id = data.azurerm_management_group.level[key].id
      }
    }
  )

  # Lookup table used by azurerm_role_assignment.for and by assignable_scopes:
  # services_roles[<resource type>][<resource key>] is expected to expose `.id`
  # (assignment scope) and/or `.rbac_id` (principal). Only the uncommented
  # entries can be named from var.role_mapping / assignable_scopes; a mapping
  # that names a commented-out type fails the plan instead of being skipped.
  services_roles = {
    #machine_learning_compute_instance = module.machine_learning_compute_instance
    #aks_clusters = local.combined_objects_aks_clusters
    #aks_ingress_application_gateway_identities = local.aks_ingress_application_gateway_identities
    #api_management = local.combined_objects_api_management
    #app_config = local.combined_objects_app_config
    #app_service_environments = local.combined_objects_app_service_environments
    #app_service_plans = local.combined_objects_app_service_plans
    #app_services = local.combined_objects_app_services
    #application_gateway_platforms = local.combined_objects_application_gateway_platforms
    #application_gateways = local.combined_objects_application_gateways
    #availability_sets = local.combined_objects_availability_sets
    azure_container_registries = local.combined_objects_azure_container_registries
    #azuread_applications = local.combined_objects_azuread_applications
    #azuread_apps = local.combined_objects_azuread_apps
    #azuread_groups = local.combined_objects_azuread_groups
    #azuread_service_principals = local.combined_objects_azuread_service_principals
    #azuread_users = local.combined_objects_azuread_users
    #azurerm_firewalls = local.combined_objects_azurerm_firewalls
    #backup_vaults = local.combined_objects_backup_vaults
    #batch_accounts = local.combined_objects_batch_accounts
    data_factory         = local.combined_objects_data_factory
    databricks_workspaces = local.combined_objects_databricks_workspaces
    #dns_zones = local.combined_objects_dns_zones
    #event_hub_namespaces = local.combined_objects_event_hub_namespaces
    keyvaults = local.combined_objects_keyvaults
    #kusto_clusters = local.combined_objects_kusto_clusters
    # Principal-only entry (rbac_id, no id): the identity running this apply.
    logged_in = local.logged_in
    #machine_learning_workspaces = local.combined_objects_machine_learning
    managed_identities = local.combined_objects_managed_identities
    # Scope-only entry (id, no rbac_id): see local.management_groups above.
    management_group = local.management_groups
    #mssql_databases = local.combined_objects_mssql_databases
    #mssql_elastic_pools = local.combined_objects_mssql_elastic_pools
    #mssql_managed_databases = local.combined_objects_mssql_managed_databases
    #mssql_managed_instances = local.combined_objects_mssql_managed_instances
    #mssql_servers = local.combined_objects_mssql_servers
    #mysql_servers = local.combined_objects_mysql_servers
    #network_watchers = local.combined_objects_network_watchers
    networking = local.combined_objects_networking
    #postgresql_servers = local.combined_objects_postgresql_servers
    private_dns = local.combined_objects_private_dns
    #proximity_placement_groups = local.combined_objects_proximity_placement_groups
    public_ip_addresses = local.combined_objects_public_ip_addresses
    purview_accounts    = local.combined_objects_purview_accounts
    recovery_vaults     = local.combined_objects_recovery_vaults
    resource_groups     = local.combined_objects_resource_groups
    storage_accounts    = local.combined_objects_storage_accounts
    storage_containers  = local.combined_objects_storage_containers
    synapse_workspaces  = local.combined_objects_synapse_workspaces
    #subscriptions = local.combined_objects_subscriptions
    virtual_subnets = local.combined_objects_virtual_subnets
    log_analytics   = local.current_objects_log_analytics
  }

  # Log analytics workspaces from this landing zone merged with the ones coming
  # from the diagnostics objects, so either kind can be an assignment scope.
  current_objects_log_analytics = merge(local.combined_objects_log_analytics, local.combined_diagnostics.log_analytics)

  # The identity performing this deployment, exposed as a principal under the
  # "logged_in" resource type with the keys "user" (logged-in user object id)
  # and "app" (logged-in application object id). Mappings of this type grant
  # rights to the deployment identity itself rather than to a workload, so they
  # deserve explicit review in var.role_mapping.
  logged_in = tomap(
    {
      user = {
        rbac_id = local.client_config.logged_user_objectId
      }
      app = {
        rbac_id = local.client_config.logged_aad_app_objectId
      }
    }
  )

  # Process assignable_scopes and return a list with the object ids
  # assignment_type: can be any of the `local.services_roles` keys
  # attrs:
  #   id: An object id provided as string - takes precedence over lz_key / key
  #   lz_key: Remote landingzone key
  #   key: The resource key
  # example:
  #   local.services_roles["resource_groups"]["LANDING_ZONE_KEY"]["RESOURCE_GROUP_KEY"].id
  #
  # NOTE(review): the expression below indexes only with attr.key, i.e.
  # services_roles[assignment_type][attr.key].id — attr.lz_key is documented but
  # not read, and the three-level example above does not match the two-level
  # lookup; confirm against the layout of local.combined_objects_*.
  # A literal attr.id bypasses the lookup entirely, so a custom role can be
  # declared assignable at any scope string the caller supplies, including
  # scopes this configuration does not manage.
  assignable_scopes = {
    for k, v in try(var.custom_role_definitions, {}) : k => flatten([
      for assignment_type, attrs in try(v.assignable_scopes, {}) : [
        for attr in attrs : [
          try(attr.id, local.services_roles[assignment_type][attr.key].id)
        ]
      ]
    ])
  }

  # Flattens var.role_mapping (mode -> resource type -> resource key -> role
  # name -> principal type -> principal keys) into one map entry per
  # (principal, scope, role) triple, which azurerm_role_assignment.for iterates.
  # The map key is "<principal type>_<scope key>_<role name with spaces
  # replaced by _>_<principal key>", so two input entries that collide on that
  # key overwrite each other silently. Entries named "lz_key" at the role
  # level are skipped; the scope_lz_key / object_id_lz_key attributes are
  # commented out, so an lz_key given in the input does not affect the lookups
  # made by the resource.
  roles_to_process = {
    for mapping in
    flatten(
      [ # Variable
        for key_mode, all_role_mapping in var.role_mapping : [ # built_in_role_mapping = {
          for key, role_mappings in all_role_mapping : [ # aks_clusters = {
            for scope_key_resource, role_mapping in role_mappings : [ # seacluster = {
              for role_definition_name, resources in role_mapping : [ # "Azure Kubernetes Service Cluster Admin Role" = {
                for object_id_key, object_resources in resources : [ # azuread_group_keys = {
                  for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
                  { # "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
                    mode               = key_mode # "mode" = "built_in_role_mapping"
                    scope_resource_key = key
                    #scope_lz_key = try(role_mapping.lz_key, null)
                    scope_key_resource      = scope_key_resource
                    role_definition_name    = role_definition_name
                    object_id_resource_type = object_id_key
                    object_id_key_resource  = object_id_key_resource # "object_id_key_resource" = "aks_admins"
                    #object_id_lz_key = try(object_resources.lz_key, null)
                  }
                ]
              ] if role_definition_name != "lz_key"
            ]
          ]
        ]
      ]
    ) : format("%s_%s_%s_%s", mapping.object_id_resource_type, mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), mapping.object_id_key_resource) => mapping
  }
}
# The code transforms this input format into
# custom_role_mapping = {
# subscription_keys = {
# logged_in_subscription = {
# "caf-launchpad-contributor" = {
# azuread_group_keys = [
# "keyvault_level0_rw", "keyvault_level1_rw", "keyvault_level2_rw", "keyvault_level3_rw", "keyvault_level4_rw",
# ]
# managed_identity_keys = [
# "level0", "level1", "level2", "level3", "level4"
# ]
# }
# }
# }
# }
# built_in_role_mapping = {
# aks_clusters = {
# seacluster = {
# "Azure Kubernetes Service Cluster Admin Role" = {
# azuread_group_keys = {
# keys = [ "aks_admins" ]
# }
# managed_identity_keys = {
# keys = [ "jumpbox" ]
# }
# }
# }
# }
# azure_container_registries = {
# acr1 = {
# "AcrPull" = {
# aks_cluster_keys = {
# keys = [ "seacluster" ]
# }
# }
# }
# }
# storage_accounts = {
# scripts_region1 = {
# "Storage Blob Data Contributor" = {
# logged_in = {
# keys = [ "user" ]
# }
# managed_identities = {
# lz_key = "launchpad"
# keys = [ "level0", "level1" ]
# }
# }
# }
# }
# }
# ......
## Generates a transformed structure for azurerm_role_assignment to process
# built_in_roles = {
# "acr1_AcrPull_seacluster" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "seacluster"
# "object_id_resource_type" = "aks_cluster_keys"
# "role_definition_name" = "AcrPull"
# "scope_key_resource" = "acr1"
# "scope_resource_key" = "azure_container_registries"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_level0" = {
# "lz_key" = "launchpad"
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "level0"
# "object_id_resource_type" = "managed_identities"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_level1" = {
# "lz_key" = "launchpad"
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "level1"
# "object_id_resource_type" = "managed_identities"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_user" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "user"
# "object_id_resource_type" = "logged_in"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "aks_admins"
# "object_id_resource_type" = "azuread_group_keys"
# "role_definition_name" = "Azure Kubernetes Service Cluster Admin Role"
# "scope_key_resource" = "seacluster"
# "scope_resource_key" = "aks_clusters"
# }
# "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_jumpbox" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "jumpbox"
# "object_id_resource_type" = "managed_identity_keys"
# "role_definition_name" = "Azure Kubernetes Service Cluster Admin Role"
# "scope_key_resource" = "seacluster"
# "scope_resource_key" = "aks_clusters"
# }
# .......