# Instantiates ./modules/roles/custom_roles once per entry of
# var.custom_role_definitions. The module's role_definition_resource_id is what
# azurerm_role_assignment.for consumes for mappings in "custom_role_mapping" mode.
module "custom_roles" {
for_each = var.custom_role_definitions

source = "./modules/roles/custom_roles"

# each.value is one custom role definition from the variable; the module also
# receives the shared global settings and the id of the primary subscription
# (presumably the scope the definition is created at — confirm in the module).
custom_role = each.value
global_settings = local.global_settings
subscription_primary = data.azurerm_subscription.primary.id
}
#
# Roles assignments
#
# Requires the referenced modules to output an rbac_id, which is used as the principal_id
#
# One role assignment per entry of local.roles_to_process (keyed
# "<scope key>_<Role_Name>_<principal key>", see the locals block below).
resource "azurerm_role_assignment" "for" {
# NOTE(review): try() turns any evaluation error inside local.roles_to_process
# (for instance a mapping entry without a `keys` list) into an empty map, so a
# malformed var.role_mapping silently yields zero role assignments instead of a
# plan error. Worth checking the plan for the expected number of assignments.
for_each = try(local.roles_to_process, {})
# The scope resource is always resolved in the current landing zone
# (var.current_landingzone_key); the mapping's lz_key only affects the
# principal lookup below.
scope = local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id
# Exactly one of role_definition_name / role_definition_id is set, selected by
# the mapping's mode ("built_in_role_mapping" vs "custom_role_mapping"); any
# other mode value leaves both null.
role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
role_definition_id = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
# With object_id_resource_type == "object_ids" the mapping key itself is the raw
# principal object id; otherwise the principal's rbac_id is looked up in the
# mapping's lz_key first and, if that fails, in the current landing zone.
principal_id = each.value.object_id_resource_type == "object_ids" ? each.value.object_id_key_resource : try(local.services_roles[each.value.object_id_resource_type][each.value.lz_key][each.value.object_id_key_resource].rbac_id, local.services_roles[each.value.object_id_resource_type][var.current_landingzone_key][each.value.object_id_key_resource].rbac_id)
lifecycle {
# Changes to principal_id are ignored after creation, so an assignment is not
# replaced when the looked-up rbac_id changes (e.g. a group or identity that
# was recreated).
# NOTE(review): this leaves the old principal assigned and the new one without
# the role until the assignment is recreated — confirm this drift is intended.
ignore_changes = [
principal_id
]
}
}
# Lookup tables and the flattened role-mapping list consumed by
# azurerm_role_assignment.for above.
locals {
# services_roles maps the resource-type name used in var.role_mapping (on the
# scope side, and as object_id_resource_type on the principal side) to the
# corresponding combined_objects map; the role assignment indexes it as
# services_roles[<type>][<landing zone key>][<resource key>].
services_roles = {
aks_clusters = local.combined_objects_aks_clusters
app_config = local.combined_objects_app_config
app_services = local.combined_objects_app_services
app_service_plans = local.combined_objects_app_service_plans
app_service_environments = local.combined_objects_app_service_environments
availability_sets = local.combined_objects_availability_sets
azure_container_registries = local.combined_objects_azure_container_registries
azuread_groups = local.combined_objects_azuread_groups
azuread_apps = local.combined_objects_azuread_applications
azuread_users = local.combined_objects_azuread_users
azurerm_firewalls = local.combined_objects_azurerm_firewalls
dns_zones = local.combined_objects_dns_zones
event_hub_namespaces = local.combined_objects_event_hub_namespaces
keyvaults = local.combined_objects_keyvaults
logged_in = local.logged_in
machine_learning_workspaces = local.combined_objects_machine_learning
managed_identities = local.combined_objects_managed_identities
mssql_databases = local.combined_objects_mssql_databases
mssql_elastic_pools = local.combined_objects_mssql_elastic_pools
mssql_managed_databases = local.combined_objects_mssql_managed_databases
mssql_managed_instances = local.combined_objects_mssql_managed_instances
mssql_servers = local.combined_objects_mssql_servers
mysql_servers = local.combined_objects_mysql_servers
networking = local.combined_objects_networking
network_watchers = local.combined_objects_network_watchers
postgresql_servers = local.combined_objects_postgresql_servers
private_dns = local.combined_objects_private_dns
proximity_placement_groups = local.combined_objects_proximity_placement_groups
public_ip_addresses = local.combined_objects_public_ip_addresses
recovery_vaults = local.combined_objects_recovery_vaults
resource_groups = local.combined_objects_resource_groups
storage_accounts = local.combined_objects_storage_accounts
synapse_workspaces = local.combined_objects_synapse_workspaces
# Subscriptions have no combined_objects map: under the current landing zone
# key this holds var.subscriptions (if set) plus a "logged_in_subscription"
# entry whose id is the primary subscription of the running credentials, so a
# role can be assigned at subscription scope without declaring it explicitly.
subscriptions = tomap({ (var.current_landingzone_key) = merge(try(var.subscriptions, {}), { "logged_in_subscription" = { id = data.azurerm_subscription.primary.id } }) })
}
# Principals of the identity Terraform is running as, exposed under the same
# [<landing zone key>][<key>].rbac_id shape as the other tables ("user" and "app").
logged_in = tomap({
(var.current_landingzone_key) = {
user = {
rbac_id = local.client_config.logged_user_objectId
}
app = {
rbac_id = local.client_config.logged_aad_app_objectId
}
}
})
# Flattens the nested var.role_mapping into one entry per (scope, role,
# principal) triple, keyed "<scope key>_<Role_Name>_<principal key>".
# NOTE(review): the key omits mode, scope_resource_key and
# object_id_resource_type, so two principals of different types that share a
# key name (e.g. a group and a managed identity both called "level0") under
# the same scope and role produce a duplicate key; Terraform rejects that in a
# for expression, and the try() on the consumer's for_each would then likely
# reduce the whole map to {} — confirm.
roles_to_process = {
for mapping in
flatten(
[ # Variable
for key_mode, all_role_mapping in var.role_mapping : [ # built_in_role_mapping = {
for key, role_mappings in all_role_mapping : [ # aks_clusters = {
for scope_key_resource, role_mapping in role_mappings : [ # seacluster = {
for role_definition_name, resources in role_mapping : [ # "Azure Kubernetes Service Cluster Admin Role" = {
for object_id_key, object_resources in resources : [ # azuread_group_keys = {
for object_id_key_resource in object_resources.keys : # keys = [ "aks_admins" ] ----End of variable
{ # "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
mode = key_mode # "mode" = "built_in_role_mapping"
scope_resource_key = key
scope_key_resource = scope_key_resource
role_definition_name = role_definition_name
object_id_resource_type = object_id_key
object_id_key_resource = object_id_key_resource # "object_id_key_resource" = "aks_admins"
# lz_key is optional in the input; null makes the principal lookup in the
# role assignment fall back to var.current_landingzone_key.
lz_key = try(object_resources.lz_key, null)
}
]
]
]
]
]
]
) : format("%s_%s_%s", mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), mapping.object_id_key_resource) => mapping
}
}
# The code transforms this input format (var.role_mapping):
# custom_role_mapping = {
# subscription_keys = {
# logged_in_subscription = {
# "caf-launchpad-contributor" = {
# azuread_group_keys = [
# "keyvault_level0_rw", "keyvault_level1_rw", "keyvault_level2_rw", "keyvault_level3_rw", "keyvault_level4_rw",
# ]
# managed_identity_keys = [
# "level0", "level1", "level2", "level3", "level4"
# ]
# }
# }
# }
# }
# built_in_role_mapping = {
# aks_clusters = {
# seacluster = {
# "Azure Kubernetes Service Cluster Admin Role" = {
# azuread_group_keys = {
# keys = [ "aks_admins" ]
# }
# managed_identity_keys = {
# keys = [ "jumpbox" ]
# }
# }
# }
# }
# azure_container_registries = {
# acr1 = {
# "AcrPull" = {
# aks_cluster_keys = {
# keys = [ "seacluster" ]
# }
# }
# }
# }
# storage_accounts = {
# scripts_region1 = {
# "Storage Blob Data Contributor" = {
# logged_in = {
# keys = [ "user" ]
# }
# managed_identities = {
# lz_key = "launchpad"
# keys = [ "level0", "level1" ]
# }
# }
# }
# }
# }
# ......
## into the following transformed structure (local.roles_to_process), which azurerm_role_assignment.for processes
# built_in_roles = {
# "acr1_AcrPull_seacluster" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "seacluster"
# "object_id_resource_type" = "aks_cluster_keys"
# "role_definition_name" = "AcrPull"
# "scope_key_resource" = "acr1"
# "scope_resource_key" = "azure_container_registries"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_level0" = {
# "lz_key" = "launchpad"
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "level0"
# "object_id_resource_type" = "managed_identities"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_level1" = {
# "lz_key" = "launchpad"
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "level1"
# "object_id_resource_type" = "managed_identities"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "scripts_region1_Storage_Blob_Data_Contributor_user" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "user"
# "object_id_resource_type" = "logged_in"
# "role_definition_name" = "Storage Blob Data Contributor"
# "scope_key_resource" = "scripts_region1"
# "scope_resource_key" = "storage_accounts"
# }
# "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_aks_admins" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "aks_admins"
# "object_id_resource_type" = "azuread_group_keys"
# "role_definition_name" = "Azure Kubernetes Service Cluster Admin Role"
# "scope_key_resource" = "seacluster"
# "scope_resource_key" = "aks_clusters"
# }
# "seacluster_Azure_Kubernetes_Service_Cluster_Admin_Role_jumpbox" = {
# "mode" = "built_in_role_mapping"
# "object_id_key_resource" = "jumpbox"
# "object_id_resource_type" = "managed_identity_keys"
# "role_definition_name" = "Azure Kubernetes Service Cluster Admin Role"
# "scope_key_resource" = "seacluster"
# "scope_resource_key" = "aks_clusters"
# }
# .......