Simplify role assignments

geekzter · geekzter · commit 9b5e07354e2e · 2024-04-28T10:28:26.000+02:00
diff --git a/terraform/azure-devops/create-service-connection/main.tf b/terraform/azure-devops/create-service-connection/main.tf
@@ -1,4 +1,8 @@
 data azurerm_client_config current {}
+data azurerm_subscription current {}
+data azurerm_subscription target {
+  subscription_id              = split("/",tolist(local.azure_role_assignments)[0].scope)[2]
+}
 
 # Random resource suffix, this will prevent name collisions when creating resources in parallel
 resource random_string suffix {
@@ -15,8 +19,15 @@ locals {
   azdo_organization_name       = split("/",var.azdo_organization_url)[3]
   azdo_organization_url        = replace(var.azdo_organization_url,"/\\/$/","")
   azdo_project_url             = "${local.azdo_organization_url}/${urlencode(var.azdo_project_name)}"
-  azdo_service_connection_name = "${replace(module.azure_access.subscription_name,"/ +/","-")}-${var.azdo_creates_identity ? "aut" : "man"}-${var.create_managed_identity ? "msi" : "sp"}-${var.create_federation ? "oidc" : "secret"}${terraform.workspace == "default" ? "" : format("-%s",terraform.workspace)}-${local.resource_suffix}"
-  azure_scope                  = var.azure_scope != null && var.azure_scope != "" ? var.azure_scope : "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
+  azdo_service_connection_name = "${replace(data.azurerm_subscription.target.display_name,"/ +/","-")}-${var.azdo_creates_identity ? "aut" : "man"}-${var.create_managed_identity ? "msi" : "sp"}-${var.create_federation ? "oidc" : "secret"}${terraform.workspace == "default" ? "" : format("-%s",terraform.workspace)}-${local.resource_suffix}"
+  azure_role_assignments       = length(var.azure_role_assignments) > 0 ? var.azure_role_assignments : [
+    {
+      # Default role assignment
+      role                     = "Contributor"
+      scope                    = data.azurerm_subscription.current.id
+    }
+  ]
+  managed_identity_subscription_id = var.create_managed_identity ? split("/", var.managed_identity_resource_group_id)[2] : null
   principal_id                 = var.azdo_creates_identity ? null : (var.create_managed_identity ? module.managed_identity.0.principal_id : module.entra_app.0.principal_id)
   principal_name               = var.azdo_creates_identity ? null : (var.create_managed_identity ? module.managed_identity.0.principal_name : module.entra_app.0.principal_name)
   resource_suffix              = var.resource_suffix != null && var.resource_suffix != "" ? lower(var.resource_suffix) : random_string.suffix.result
@@ -30,8 +41,6 @@ locals {
     runId                      = var.run_id
     workspace                  = terraform.workspace
   }
-  managed_identity_subscription_id = var.create_managed_identity ? split("/", var.managed_identity_resource_group_id)[2] : null
-  target_subscription_id       = split("/", local.azure_scope)[2]
 }
 
 resource terraform_data managed_identity_validator {
@@ -80,18 +89,6 @@ module entra_app {
   count                        = var.create_managed_identity || var.azdo_creates_identity ? 0 : 1
 }
 
-module azure_access {
-  providers                    = {
-    azurerm                    = azurerm.target
-  }
-  source                       = "./modules/azure-access"
-  # create_role_assignment       = !var.azdo_creates_identity
-  create_role_assignment       = true
-  identity_object_id           = local.principal_id
-  resource_id                  = local.azure_scope
-  role                         = var.azure_role
-}
-
 module azure_role_assignments {
   providers                    = {
     azurerm                    = azurerm.target
@@ -114,6 +111,6 @@ module service_connection {
   project_name                 = var.azdo_project_name
   tenant_id                    = data.azurerm_client_config.current.tenant_id
   service_connection_name      = local.azdo_service_connection_name
-  subscription_id              = local.target_subscription_id
-  subscription_name            = module.azure_access.subscription_name
+  subscription_id              = data.azurerm_subscription.target.subscription_id
+  subscription_name            = data.azurerm_subscription.target.display_name
 }
diff --git a/terraform/azure-devops/create-service-connection/outputs.tf b/terraform/azure-devops/create-service-connection/outputs.tf
@@ -14,25 +14,17 @@ output azdo_service_connection_url {
   description = "The Azure DevOps service connection portal URL"
   value       = module.service_connection.service_connection_url
 }
-output azure_resource_group_name {
-  description = "The name of the resource group the service connection was granted access to"
-  value       = try(split("/", local.azure_scope)[4],null)
-}
-output azure_scope {
-  description = "The Azure scope the service connection was granted access to"
-  value       = local.azure_scope
-}
-output azure_scope_url {
-  description = "The Azure scope portal URL the service connection was granted access to"
-  value       = module.azure_access.resource_url
+output azure_role_assignments {
+  description = "Role assignments created for the service connection's identity"
+  value       = local.azure_role_assignments
 }
 output azure_subscription_id {
   description = "The Azure subscription id the service connection was granted access to"
-  value       = local.target_subscription_id
+  value       = data.azurerm_subscription.target.subscription_id
 }
 output azure_subscription_name {
   description = "The Azure subscription name the service connection was granted access to"
-  value       = module.azure_access.subscription_name
+  value       = data.azurerm_subscription.target.display_name
 }
 
 output identity_application_id {
diff --git a/terraform/azure-devops/create-service-connection/terraform.tf b/terraform/azure-devops/create-service-connection/terraform.tf
@@ -53,5 +53,5 @@ provider azurerm {
       prevent_deletion_if_contains_resources = false
     }
   }
-  subscription_id              = local.target_subscription_id
+  subscription_id              = data.azurerm_subscription.target.subscription_id
 }
diff --git a/terraform/azure-devops/create-service-connection/variables.tf b/terraform/azure-devops/create-service-connection/variables.tf
@@ -15,23 +15,10 @@ variable azdo_project_name {
   type                         = string
 }
 
-variable azure_scope {
-  default                      = null
-  description                  = "The Azure scope to assign access to"
-  type                         = string
-}
-
-variable azure_role {
-  default                      = "Contributor"
-  description                  = "The Azure RBAC role to assign to the service connection's identity"
-  nullable                     = false
-  type                         = string
-}
-
 variable azure_role_assignments {
   default                      = []
-  description                  = "Additional role assignments to create for the service connection's identity"
-  nullable                     = true
+  description                  = "Role assignments to create for the service connection's identity. If this is empty, the Contributor role will be assigned on the azurerm provider subscription."
+  nullable                     = false
   type                         = set(object({scope=string, role=string}))
 }
 

Original file line number	Diff line number	Diff line change
`@@ -53,5 +53,5 @@ provider azurerm {`
`53`	`53`	`prevent_deletion_if_contains_resources = false`
`54`	`54`	`}`
`55`	`55`	`}`
`56`		`- subscription_id = local.target_subscription_id`
	`56`	`+ subscription_id = data.azurerm_subscription.target.subscription_id`
`57`	`57`	`}`