Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

d/azurerm_builtin_role_definition - loading available role definitions from Azure #770

Merged
merged 7 commits into from
Mar 12, 2018
Merged

d/azurerm_builtin_role_definition - loading available role definitions from Azure #770

merged 7 commits into from
Mar 12, 2018

Conversation

jansepke
Copy link
Contributor

and fix a small typo.

should we remove the validation list so we do not need to add new roles?

@paultyng
Copy link
Contributor

Are the API names the same as the ones already listed? In all cases? We may need some mapping for legacy names if not. I'll have to run some acceptance testing.

@paultyng paultyng self-assigned this Jan 30, 2018
@jansepke
Copy link
Contributor Author

I made a diff check with this result:

new in the API:

  • Lab Creator
  • Resource Policy Contributor (Preview)
  • Storage Blob Data Contributor (Preview)
  • Storage Blob Data Reader (Preview)
  • Storage Queue Data Contributor (Preview)
  • Storage Queue Data Reader (Preview)
  • Virtual Machine Contributor

removed in the API:

  • Auditor
  • CloudAware Collector Storage Account Keys Access
  • DB Admin
  • Lab Accounts User
  • Network Security Operator
  • VirtualMachineContributor

for the VirtualMachineContributor role we could do a mapping to Virtual Machine Contributor.
for all other removed roles: could this depend on the subscription or something user or region specific?

@paultyng
Copy link
Contributor

I'll look in to this and reply back here when I track down an answer

@tombuildsstuff
Copy link
Contributor

@jansepke @paultyng

for all other removed roles: could this depend on the subscription or something user or region specific?

My guess would be that's more likely to be subscription specific (given resources are enabled by Resource Provider)

Storage Queue Data Contributor (Preview)

We need to proceed carefully here, since the (Preview) suffix will be renamed/removed during the Preview cycle - and users code will stop working since Terraform won't be able to find the value in the API. It may be able to work around this by placing a (yellow) info block in the documentation (see an example below) - but we may also want to see if it's possible to return roles which are stable?

~> **NOTE:** Azure roles with the suffix `(Preview)` are not necessarily stable and may change at any time.

@jansepke
Copy link
Contributor Author

@tombuildsstuff I added a validation that will error on preview roles

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @jansepke

Thanks for pushing those updates (and apologies for the delayed re-review!) - this mostly LGTM now, if we can add a migration path for users using the existing VirtualMachineContributor name this otherwise looks good to merge 👍

Thanks!

"VirtualMachineContributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
filter := fmt.Sprintf("roleName eq '%s'", name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in order to keep compatibility with folks using the VirtualMachineContributor key (e.g. so that we don't need to bump the major version number of the Provider) - can we add an if statement above this, which we can remove in a future version of Terraform? e.g.

if name == "VirtualMachineContributor" {
  name = "Virtual Machine Contributor"
}
filter := fmt.Sprintf("roleName eq '%s'", name)

@tombuildsstuff tombuildsstuff added this to the 1.3.0 milestone Mar 8, 2018
@jansepke
Copy link
Contributor Author

@tombuildsstuff I added the if statement and also removed the validation, because this will now happen on the azure API side

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @jansepke

Thanks for pushing the latest changes, I've taken a look through and this now LGTM :)

iI'll kick off the acceptance tests now..

Thanks!

@tombuildsstuff
Copy link
Contributor

Tests pass:

screen shot 2018-03-12 at 14 08 46

@tombuildsstuff tombuildsstuff changed the title pull role definitions from an api d/azurerm_builtin_role_definition - loading available role definitions from Azure Mar 12, 2018
@tombuildsstuff tombuildsstuff merged commit dba60b4 into hashicorp:master Mar 12, 2018
tombuildsstuff added a commit that referenced this pull request Mar 12, 2018
tombuildsstuff added a commit that referenced this pull request Mar 13, 2018
@ghost
Copy link

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants