fix(azure): add depends_on for azure vendor-access module (#109)
Prevent velero_backup_role from being destroyed before user_access_administrator.
freeznet authored Jan 14, 2025
1 parent 54cfb6f commit 64ee2b3
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion modules/azure/vendor-access/main.tf
@@ -62,27 +62,31 @@ resource "azurerm_role_definition" "velero_backup_role" {
not_data_actions = []
not_actions = []
}
depends_on = [azurerm_resource_group.aks]
}

# Grand the sn automation service principal as the Contributor to the AKS resource group
resource "azurerm_role_assignment" "sn_automation" {
scope = azurerm_resource_group.aks.id
role_definition_name = "Contributor"
principal_id = var.sn_automation_principal_id
depends_on = [azurerm_resource_group.aks]
}

# Grand the sn automation service principal as the Azure Kubernetes Service Cluster Admin Role to the AKS resource group
resource "azurerm_role_assignment" "sn_automation_cluster_admin" {
scope = azurerm_resource_group.aks.id
role_definition_name = "Azure Kubernetes Service Cluster Admin Role"
principal_id = var.sn_automation_principal_id
depends_on = [azurerm_resource_group.aks]
}

# Grand the sn support service principal as the Azure Kubernetes Service Cluster User Role to the AKS resource group
resource "azurerm_role_assignment" "sn_support" {
scope = azurerm_resource_group.aks.id
role_definition_name = "Azure Kubernetes Service Cluster User Role"
principal_id = var.sn_support_principal_id
depends_on = [azurerm_resource_group.aks]
}

# Grand the sn automation service principal as the Constrain roles by Role Based Access Control Administrator to the AKS resource group
@@ -92,4 +96,5 @@ resource "azurerm_role_assignment" "user_access_administrator" {
principal_id = var.sn_automation_principal_id
condition_version = "2.0"
condition = templatefile("${path.module}/role-assignment-condition.tpl", { role_definition_id = azurerm_role_definition.velero_backup_role.role_definition_id })
}
depends_on = [azurerm_role_definition.velero_backup_role]
}
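Review bot: None of the new `depends_on` entries says why it is needed, and in the visible resources the named dependency is already referenced: `scope = azurerm_resource_group.aks.id` in the three role assignments, and `azurerm_role_definition.velero_backup_role.role_definition_id` inside the `condition` of `user_access_administrator`. Terraform normally derives create and destroy order from such references, so a later maintainer may delete the explicit entries as redundant and bring back the failure this commit fixes. I would add a comment above the last one, for example `# explicit ordering: the condition pins this delegation to velero_backup_role, so the assignment must be destroyed before the definition`. The `velero_backup_role` and `user_access_administrator` blocks both start outside the hunks shown, so I cannot confirm from here whether their other arguments already imply these dependencies. Because that condition appears to be what limits which roles the `sn_automation` principal can grant, it is worth verifying the destroy order with a teardown in a test subscription.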
