fix(roles): introduce 3rd AAD group for total devs, admins, and all, #12

main.tf

@@ -13,7 +13,7 @@ resource "azuread_group" "groups" {
 
 resource "azuredevops_project" "team_projects" {
   for_each        = var.projects
-  project_name    = each.value.name
+  name            = each.value.name
   description     = each.value.description
   visibility      = "private"
   version_control = "Git"
@@ -31,14 +31,14 @@ module "ado_standard_permissions" {
   for_each       = var.projects
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.team_projects["proj_${each.value.team}"].id
-  team_aad_id    = azuread_group.groups[each.value.team].id
+  team_aad_id    = azuread_group.groups["${each.value.team}_devs"].id
   admin_aad_id   = azuread_group.groups["${each.value.team}_admins"].id
 }
 
 # Supermarket Project
 
 resource "azuredevops_project" "supermarket" {
-  project_name    = "supermarket"
+  name            = "supermarket"
   description     = "Example: 1 project, many teams, many repos"
   visibility      = "private"
   version_control = "Git"
@@ -52,24 +52,25 @@ resource "azuredevops_project" "supermarket" {
   }
 }
 
+# TODO: supermarket collab model with devs, admins and all
 module "supermarket_permissions_fruits" {
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.supermarket.id
-  team_aad_id    = azuread_group.groups["fruits"].id
+  team_aad_id    = azuread_group.groups["fruits_devs"].id
   admin_aad_id   = azuread_group.groups["fruits_admins"].id
 }
 
 module "supermarket_permissions_veggies" {
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.supermarket.id
-  team_aad_id    = azuread_group.groups["veggies"].id
+  team_aad_id    = azuread_group.groups["veggies_devs"].id
   admin_aad_id   = azuread_group.groups["veggies_admins"].id
 }
 
 # Shared Collaboration
 
 resource "azuredevops_project" "collaboration" {
-  project_name    = "shared-collaboration"
+  name            = "shared-collaboration"
   description     = "Example: what if separate teams should talk to each other? (Disadvantage: cannot link external project commits to work items in this project)"
   visibility      = "private"
   version_control = "Git"
@@ -86,14 +87,14 @@ resource "azuredevops_project" "collaboration" {
 module "collaboration_permissions_fruits" {
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.collaboration.id
-  team_aad_id    = azuread_group.groups["fruits"].id
+  team_aad_id    = azuread_group.groups["fruits_devs"].id
   admin_aad_id   = azuread_group.groups["fruits_admins"].id
 }
 
 module "collaboration_permissions_veggies" {
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.collaboration.id
-  team_aad_id    = azuread_group.groups["veggies"].id
+  team_aad_id    = azuread_group.groups["veggies_devs"].id
   admin_aad_id   = azuread_group.groups["veggies_admins"].id
 }
 
@@ -105,7 +106,7 @@ module "workspace" {
   for_each             = var.environments
   source               = "./modules/azure-resources"
   name                 = "${each.value.team}-${each.value.env}-${local.suffix}"
-  team_group_id        = azuread_group.groups[each.value.team].id
+  team_group_id        = azuread_group.groups["${each.value.team}_devs"].id
   admin_group_id       = azuread_group.groups["${each.value.team}_admins"].id
   superadmins_group_id = var.superadmins_aad_object_id
 }

modules/azure-devops-permissions/variables.tf

@@ -3,6 +3,7 @@ variable "ado_project_id" {
   type        = string
 }
 
+# TODO: rename to devs_aad_id
 variable "team_aad_id" {
   description = "AAD Group ID to receive 'Contributor' permissions"
   type        = string
@@ -11,4 +12,4 @@ variable "team_aad_id" {
 variable "admin_aad_id" {
   description = "AAD Group ID to receive 'Owner' permissions"
   type        = string
-}
+}

modules/azure-devops-service-connection/main.tf

@@ -13,7 +13,7 @@ data "azurerm_key_vault_secret" "sp_secret" {
 # 2 - get reference to ADO Project
 
 data "azuredevops_project" "team" {
-  project_name = local.project_name
+  name = local.project_name
 }
 
 # 3 -get Subscription Info

modules/azure-resources/_azure-resources.tf

@@ -80,9 +80,9 @@ data "azuread_service_principal" "workspace_sp" {
 }
 
 resource "azurerm_key_vault_access_policy" "workspace_sp" {
-  key_vault_id   = azurerm_key_vault.kv.id
-  object_id      = data.azuread_service_principal.workspace_sp.id
-  tenant_id      = local.client_tenant_id
+  key_vault_id = azurerm_key_vault.kv.id
+  object_id    = data.azuread_service_principal.workspace_sp.id
+  tenant_id    = local.client_tenant_id
 
   secret_permissions = [
     "backup",
@@ -103,9 +103,9 @@ data "azuread_service_principal" "kv_reader_sp" {
 }
 
 resource "azurerm_key_vault_access_policy" "kv_reader" {
-  key_vault_id   = azurerm_key_vault.kv.id
-  object_id      = data.azuread_service_principal.kv_reader_sp.id
-  tenant_id      = local.client_tenant_id
+  key_vault_id = azurerm_key_vault.kv.id
+  object_id    = data.azuread_service_principal.kv_reader_sp.id
+  tenant_id    = local.client_tenant_id
 
   key_permissions = [
     "get",
@@ -116,7 +116,6 @@ resource "azurerm_key_vault_access_policy" "kv_reader" {
   ]
 }
 
-
 # KEY VAULT SECRETS
 # -----------------
 # Examples and our service principal credentials

variables.tf

@@ -32,11 +32,14 @@ locals {
 variable "groups" {
   type = map(string)
   default = {
-    fruits         = "fruits"
+    fruits         = "fruits-all"
+    fruits_devs    = "fruits-devs"
     fruits_admins  = "fruits-admins"
+    veggies        = "veggies-all"
+    veggies_devs   = "veggies-devs"
     veggies_admins = "veggies-admins"
-    veggies        = "veggies"
     infra          = "infra"
+    infra_devs     = "infra-dev"
     infra_admins   = "infra-admins"
   }
 }