add subscription-level permission for role assignment
freeznet committed Dec 6, 2023
1 parent e03d174 commit afec2d5
Showing 4 changed files with 39 additions and 4 deletions.
12 changes: 12 additions & 0 deletions modules/azure/sn-cloud-manager/main.tf
Expand Up @@ -15,6 +15,7 @@
# Manage Azure Entra Applications and Service Principals

data "azuread_client_config" "current" {}
data "azurerm_subscription" "current" {}

resource "azuread_application_registration" "sn_automation" {
display_name = format("sncloud-%s-automation", var.streamnative_org_id)
Expand Down Expand Up @@ -68,4 +69,15 @@ resource "azuread_application_federated_identity_credential" "sn_support" {
audiences = [format("api://AzureADTokenExchange/%s", var.streamnative_org_id)]
issuer = "https://accounts.google.com"
subject = each.value
}

resource "azurerm_role_assignment" "subscription_rbac_admin" {
scope = data.azurerm_subscription.current.subscription_id
role_definition_name = "Role Based Access Control Administrator"
principal_id = each.value.name

skip_service_principal_aad_check = true

condition_version = "2.0"
condition = templatefile("${path.module}/role-assignment-condition.tpl")
}
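Review bot: The new `azurerm_role_assignment.subscription_rbac_admin` block will not plan as written: `principal_id = each.value.name` references `each` although the resource declares no `for_each`, and even with one the `.name` attribute is unlikely to be a principal object ID; `templatefile("${path.module}/role-assignment-condition.tpl")` is also missing its required variables argument — this module's template has no placeholders, so `condition = templatefile("${path.module}/role-assignment-condition.tpl", {})` or `file()` is needed. The scope looks wrong too: `data.azurerm_subscription.current.subscription_id` is the bare GUID, whereas a role assignment scope is the full resource ID, `scope = data.azurerm_subscription.current.id`. Because this hands out a role-assigning role across the whole subscription, a comment above the resource should say which principals receive it and that the two role definition GUIDs in the condition are the intended upper bound, so the blast radius is auditable from the code.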
23 changes: 23 additions & 0 deletions modules/azure/sn-cloud-manager/role-assignment-condition.tpl
@@ -0,0 +1,23 @@
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, befefa01-2a29-4197-83a8-272ff33ce314}
AND
@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, befefa01-2a29-4197-83a8-272ff33ce314}
AND
@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
)
)
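Review bot: The allowed role-definition GUIDs are hard-coded twice in this new template with nothing recording which roles they are, so a reviewer cannot tell from the file what the subscription-scoped RBAC Administrator is bounded to; the vendor-access template already receives `${role_definition_id}` through `templatefile`, and either that pattern or a comment next to the `condition` argument in main.tf naming the roles would make the bound reviewable. The PrincipalType set includes `'User'`, which lets the automation principal assign these roles to human identities anywhere in the subscription; the same widening from `'ServicePrincipal'` appears in modules/azure/vendor-access/role-assignment-condition.tpl, and the commit gives no reason for it, so a short rationale should be recorded alongside the resource. Since `templatefile` renders this file, any future `${` in the condition text must be written as `$${`.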
4 changes: 2 additions & 2 deletions modules/azure/vendor-access/main.tf
Expand Up @@ -84,10 +84,10 @@ resource "azurerm_role_assignment" "sn_support" {
principal_id = data.azuread_service_principal.sn_support.id
}

# Grand the sn automation service principal as the Constrain roles by User Access Administrator to the AKS resource group
# Grand the sn automation service principal as the Constrain roles by Role Based Access Control Administrator to the AKS resource group
resource "azurerm_role_assignment" "user_access_administrator" {
scope = azurerm_resource_group.aks.id
role_definition_name = "User Access Administrator"
role_definition_name = "Role Based Access Control Administrator"
principal_id = data.azuread_service_principal.sn_automation.id
condition_version = "2.0"
condition = templatefile("${path.module}/role-assignment-condition.tpl", { role_definition_id = azurerm_role_definition.velero_backup_role.role_definition_id })
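Review bot: The resource label `user_access_administrator` and the comment above it now contradict the role the block assigns, which will mislead the next reader, and the comment misspells "Grant". A clearer header would be `# Grant the sn automation service principal the Role Based Access Control Administrator role on the AKS resource group, constrained to the roles listed in role-assignment-condition.tpl`. Renaming the label is worth doing but forces Terraform to replace the assignment unless a `moved` block is added; changing `role_definition_name` most likely forces replacement anyway, so the automation principal should be expected to briefly lose this permission during apply. The resource block's closing brace lies outside the hunk.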
4 changes: 2 additions & 2 deletions modules/azure/vendor-access/role-assignment-condition.tpl
Expand Up @@ -6,7 +6,7 @@
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
AND
@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
)
)
AND
Expand All @@ -18,6 +18,6 @@ AND
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
AND
@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
)
)
