feat: remove sub level permission for azure cloud manager (#55)

remove sub level permission
streamnative · Dec 21, 2023 · 4631fb4 · 4631fb4
1 parent e118bf5
commit 4631fb4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 33 deletions.
diff --git a/modules/azure/sn-cloud-manager/main.tf b/modules/azure/sn-cloud-manager/main.tf
@@ -69,16 +69,16 @@ resource "azurerm_federated_identity_credential" "sn_support" {
   subject             = each.value
 }
 
-resource "azurerm_role_assignment" "subscription_rbac_admin" {
-  scope                = data.azurerm_subscription.current.id
-  role_definition_name = "Role Based Access Control Administrator"
-  principal_id         = azurerm_user_assigned_identity.sn_automation.principal_id
+# resource "azurerm_role_assignment" "subscription_rbac_admin" {
+#   scope                = data.azurerm_subscription.current.id
+#   role_definition_name = "Role Based Access Control Administrator"
+#   principal_id         = azurerm_user_assigned_identity.sn_automation.principal_id
 
-  skip_service_principal_aad_check = true
+#   skip_service_principal_aad_check = true
 
-  condition_version = "2.0"
-  condition         = templatefile("${path.module}/role-assignment-condition.tpl", {})
-}
+#   condition_version = "2.0"
+#   condition         = templatefile("${path.module}/role-assignment-condition.tpl", {})
+# }
 
 # resource "azuread_application_registration" "sn_automation" {
 #   display_name = format("sncloud-%s-automation", var.streamnative_org_id)

diff --git a/modules/azure/sn-cloud-manager/role-assignment-condition.tpl b/modules/azure/sn-cloud-manager/role-assignment-condition.tpl
diff --git a/modules/azure/vendor-access/role-assignment-condition.tpl b/modules/azure/vendor-access/role-assignment-condition.tpl
@@ -4,7 +4,8 @@
  )
  OR 
  (
-  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
+  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, acdd72a7-3385-48ef-bd42-f606fba81ae7,
+  ${role_definition_id}}
   AND
   @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
  )
@@ -16,7 +17,8 @@ AND
  )
  OR 
  (
-  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
+  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, acdd72a7-3385-48ef-bd42-f606fba81ae7,
+  ${role_definition_id}}
   AND
   @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
  )