diff --git a/modules/azure/sn-cloud-manager/main.tf b/modules/azure/sn-cloud-manager/main.tf
index 7102f9a..54118a4 100644
--- a/modules/azure/sn-cloud-manager/main.tf
+++ b/modules/azure/sn-cloud-manager/main.tf
@@ -69,16 +69,16 @@ resource "azurerm_federated_identity_credential" "sn_support" {
 subject = each.value
 }
-resource "azurerm_role_assignment" "subscription_rbac_admin" {
- scope = data.azurerm_subscription.current.id
- role_definition_name = "Role Based Access Control Administrator"
- principal_id = azurerm_user_assigned_identity.sn_automation.principal_id
+# resource "azurerm_role_assignment" "subscription_rbac_admin" {
+# scope = data.azurerm_subscription.current.id
+# role_definition_name = "Role Based Access Control Administrator"
+# principal_id = azurerm_user_assigned_identity.sn_automation.principal_id
- skip_service_principal_aad_check = true
+# skip_service_principal_aad_check = true
- condition_version = "2.0"
- condition = templatefile("${path.module}/role-assignment-condition.tpl", {})
-}
+# condition_version = "2.0"
+# condition = templatefile("${path.module}/role-assignment-condition.tpl", {})
+# }
 # resource "azuread_application_registration" "sn_automation" {
 # display_name = format("sncloud-%s-automation", var.streamnative_org_id)
diff --git a/modules/azure/sn-cloud-manager/role-assignment-condition.tpl b/modules/azure/sn-cloud-manager/role-assignment-condition.tpl
deleted file mode 100644
index dfab873..0000000
--- a/modules/azure/sn-cloud-manager/role-assignment-condition.tpl
+++ /dev/null
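Review bot: The commented-out `subscription_rbac_admin` block still references `${path.module}/role-assignment-condition.tpl`, which this same commit deletes, so the block can no longer be re-enabled by uncommenting it; delete it outright (history keeps it) and leave a one-line comment such as `# Subscription-scoped "Role Based Access Control Administrator" grant for sn_automation removed in <commit-id>; re-add with an ABAC condition if ever needed` stating why the grant was withdrawn. Dropping the resource from configuration means the next apply destroys the existing role assignment on the `sn_automation` identity, which is presumably the intended privilege reduction, so confirm before applying that none of that identity's remaining workflows still needs to write or delete role assignments. The `azuread_application_registration` block in the trailing context looks like commented-out code as well and would benefit from the same treatment.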
@@ -1,23 +0,0 @@
-(
- (
- !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
- )
- OR
- (
- @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, befefa01-2a29-4197-83a8-272ff33ce314}
- AND
- @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
- )
-)
-AND
-(
- (
- !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
- )
- OR
- (
- @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, befefa01-2a29-4197-83a8-272ff33ce314}
- AND
- @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
- )
-)
\ No newline at end of file
diff --git a/modules/azure/vendor-access/role-assignment-condition.tpl b/modules/azure/vendor-access/role-assignment-condition.tpl
index faff161..d39b34c 100644
--- a/modules/azure/vendor-access/role-assignment-condition.tpl
+++ b/modules/azure/vendor-access/role-assignment-condition.tpl
@@ -4,7 +4,8 @@
 )
 OR
 (
- @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
+ @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, acdd72a7-3385-48ef-bd42-f606fba81ae7,
+ ${role_definition_id}}
 AND
 @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
 )
@@ -16,7 +17,8 @@ AND
 )
 OR
 (
- @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}
+ @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1, 4d97b98b-1d4f-4787-a291-c67834d212e7, befefa01-2a29-4197-83a8-272ff33ce314, acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe, 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8, 4abbcc35-e782-43d8-92c5-2d3f1bd2253f, acdd72a7-3385-48ef-bd42-f606fba81ae7,
+ ${role_definition_id}}
 AND
 @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Application', 'User'}
 )
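Review bot: The GUID appended to the `GuidEquals` set on the new `@Request` line, `acdd72a7-3385-48ef-bd42-f606fba81ae7`, is already the fourth entry of that same set, so the change does not widen or narrow the allowed role definitions and reads like a copy error; if the intent was to fold the roles of the deleted sn-cloud-manager template into vendor-access, both of its GUIDs (`acdd72a7-…` and `befefa01-…`) were already present here, so the sensible fix is to drop the added entry and restore the single line `4abbcc35-e782-43d8-92c5-2d3f1bd2253f, ${role_definition_id}}`. The `@Resource` hunk at `@@ -16,7 +17,8 @@` carries the identical duplicate. Splitting `${role_definition_id}}` onto its own line inside the set literal is otherwise formatting only, assuming the ABAC condition parser tolerates a newline inside `{…}`, which this template did not previously rely on, so verify the condition still validates on plan/apply. The enclosing parenthesised expression begins and ends outside both hunks.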