-
Notifications
You must be signed in to change notification settings - Fork 571
/
resources.role_assignments.tf
160 lines (135 loc) · 6.97 KB
/
resources.role_assignments.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
resource "azurerm_role_assignment" "enterprise_scale" {
for_each = local.azurerm_role_assignment_enterprise_scale
# Special handling of OPTIONAL name to ensure consistent and correct
# mapping of Terraform state ADDR value to Azure Resource ID value.
name = basename(each.key)
# Mandatory resource attributes
scope = each.value.scope_id
principal_id = each.value.principal_id
# Optional resource attributes
role_definition_name = lookup(each.value, "role_definition_name", null)
role_definition_id = lookup(each.value, "role_definition_id", null)
# Set explicit dependency on Management Group, Policy, and Role Definition deployments
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_role_definition,
]
}
# The following module is used to generate the Role
# Assignments for Policy Assignments as needed.
# This was implemented to fix issue:
# https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/266
module "role_assignments_for_policy" {
for_each = local.es_role_assignments_by_policy_assignment
source = "./modules/role_assignments_for_policy"
# Mandatory resource attributes
policy_assignment_id = each.key
scope_id = azurerm_management_group_policy_assignment.enterprise_scale[each.key].management_group_id
principal_id = (
lookup(azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0], "type", "") == "UserAssigned"
? jsondecode(data.azapi_resource.user_msi[each.key].output).properties.principalId # workarround as azurerm_management_group_policy_assignment does not export the principal_id when using UserAssigned identity
: azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0].principal_id
)
role_definition_ids = each.value
# Optional resource attributes
additional_scope_ids = local.empty_list
# Set explicit dependency on Management Group, Policy Definition, Policy Set Definition, and Policy Assignment deployments
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}
# The data source will retrieve the principalId of a user msi
# used for the policy assignment
#
data "azapi_resource" "user_msi" {
for_each = {
for ik, iv in local.es_role_assignments_by_policy_assignment : ik => iv
if try(local.azurerm_management_group_policy_assignment_enterprise_scale[ik].template.identity.type, null) == "UserAssigned"
}
resource_id = one(azurerm_management_group_policy_assignment.enterprise_scale[each.key].identity[0].identity_ids)
type = "Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31"
response_export_values = ["properties.principalId"]
}
# The following resource is left to help manage the
# upgrade to using module.role_assignments_for_policy
# To be removed in `v2.0.0`
resource "azurerm_role_assignment" "policy_assignment" {
for_each = local.empty_map
# Mandatory resource attributes
name = basename(each.key)
scope = each.value.scope_id
principal_id = each.value.principal_id
}
resource "time_sleep" "after_azurerm_role_assignment" {
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_role_definition,
azurerm_role_assignment.enterprise_scale,
module.role_assignments_for_policy,
]
triggers = {
"azurerm_role_assignment_enterprise_scale" = jsonencode(keys(azurerm_role_assignment.enterprise_scale))
"module_role_assignments_for_policy" = jsonencode(keys(module.role_assignments_for_policy))
}
create_duration = local.create_duration_delay["after_azurerm_role_assignment"]
destroy_duration = local.destroy_duration_delay["after_azurerm_role_assignment"]
}
# Role Assignment required to resolve bug as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/794
# Role assignment will add "Private DNS Zone Contributor" role def for the policy assignment's Managed Identity
# on the connectivity management group
resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
for_each = local.connectivity_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-Private-DNS-Zones") } : {}
role_definition_name = "Private DNS Zone Contributor"
scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-connectivity"
principal_id = each.value.identity[0].principal_id
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}
resource "azurerm_role_assignment" "deploy_azsqldb_auditing_connectivity" {
for_each = local.connectivity_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-AzSqlDb-Auditing") } : {}
role_definition_name = "Log Analytics Contributor"
scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-connectivity"
principal_id = each.value.identity[0].principal_id
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}
resource "azurerm_role_assignment" "ama_reader" {
for_each = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
role_definition_name = "Reader"
scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
principal_id = each.value.identity[0].principal_id
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}
resource "azurerm_role_assignment" "ama_managed_identity_operator" {
for_each = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
role_definition_name = "Managed Identity Operator"
scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
principal_id = each.value.identity[0].principal_id
depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}