Add support for Azure Role assignments on Managed Identities (#98)

blinqas · Nov 16, 2023 · ceb9cb8 · ceb9cb8
1 parent c0e81e7
commit ceb9cb8
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 27 deletions.
diff --git a/test/user_assigned_identities_test.tf b/test/user_assigned_identities_test.tf
@@ -14,11 +14,17 @@ module "station-uai" {
     }
 
     maximum = {
-      name             = "uai-02"
-      location         = "germanywestcentral"
-      role_assignments = ["User.Read.All"]
+      name                 = "uai-02"
+      location             = "norwayeast"
+      app_role_assignments = ["User.Read.All"]
       group_memberships = {
-        "static" = module.station-groups.groups["static"].object_id
+        static = module.station-groups.groups.static.object_id
+      }
+      role_assignments = {
+        subscription_reader = {
+          role_definition_name = "Reader"
+          scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
+        }
       }
     }
   }

diff --git a/user_assigned_identities.tf b/user_assigned_identities.tf
@@ -1,20 +1,22 @@
 module "user_assigned_identity" {
-  source              = "./user_assigned_identity"
-  name                = "mi-workload-identity"
-  resource_group_name = azurerm_resource_group.workload.name
-  location            = azurerm_resource_group.workload.location
-  tags                = local.tags
-  role_assignments    = []
-  group_memberships   = {}
+  source               = "./user_assigned_identity"
+  name                 = "mi-workload-identity"
+  resource_group_name  = azurerm_resource_group.workload.name
+  location             = azurerm_resource_group.workload.location
+  tags                 = local.tags
+  role_assignments     = {}
+  app_role_assignments = []
+  group_memberships    = {}
 }
 
 module "user_assigned_identities" {
-  for_each            = var.user_assigned_identities
-  source              = "./user_assigned_identity/"
-  name                = each.value.name
-  resource_group_name = each.value.resource_group_name == null ? azurerm_resource_group.workload.name : each.value.resource_group_name
-  location            = each.value.location == null ? azurerm_resource_group.workload.location : each.value.location
-  tags                = local.tags
-  role_assignments    = each.value.role_assignments == null ? [] : each.value.role_assignments
-  group_memberships   = each.value.group_memberships == null ? {} : each.value.group_memberships
+  for_each             = var.user_assigned_identities
+  source               = "./user_assigned_identity/"
+  name                 = each.value.name
+  resource_group_name  = each.value.resource_group_name == null ? azurerm_resource_group.workload.name : each.value.resource_group_name
+  location             = each.value.location == null ? azurerm_resource_group.workload.location : each.value.location
+  tags                 = local.tags
+  role_assignments     = each.value.role_assignments == null ? {} : each.value.role_assignments
+  app_role_assignments = each.value.app_role_assignments == null ? [] : each.value.app_role_assignments
+  group_memberships    = each.value.group_memberships == null ? {} : each.value.group_memberships
 }
diff --git a/user_assigned_identity/role_assignment.tf → ..._assigned_identity/app_role_assignment.tf b/user_assigned_identity/role_assignment.tf → ..._assigned_identity/app_role_assignment.tf
@@ -6,7 +6,7 @@ resource "azuread_service_principal" "msgraph" {
 }
 
 resource "azuread_app_role_assignment" "app_workload_roles" {
-  for_each            = var.role_assignments
+  for_each            = var.app_role_assignments
   app_role_id         = azuread_service_principal.msgraph.app_role_ids[each.value]
   principal_object_id = azurerm_user_assigned_identity.identity.principal_id
   resource_object_id  = azuread_service_principal.msgraph.object_id

diff --git a/user_assigned_identity/role_assignments.tf b/user_assigned_identity/role_assignments.tf
@@ -0,0 +1,14 @@
+resource "azurerm_role_assignment" "roles" {
+  for_each                               = var.role_assignments
+  name                                   = each.value.name
+  scope                                  = each.value.scope
+  role_definition_id                     = each.value.role_definition_id
+  role_definition_name                   = each.value.role_definition_name
+  principal_id                           = azurerm_user_assigned_identity.identity.principal_id
+  condition                              = each.value.condition
+  condition_version                      = each.value.condition_version
+  delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
+  description                            = each.value.description
+  skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check == null ? false : each.value.skip_service_principal_aad_check
+}
+
diff --git a/user_assigned_identity/variables.tf b/user_assigned_identity/variables.tf
@@ -19,7 +19,7 @@ variable "tags" {
   default     = {}
 }
 
-variable "role_assignments" {
+variable "app_role_assignments" {
   description = "Application Roles to assign the Managed Identity."
   type        = set(string)
   default     = []
@@ -30,3 +30,9 @@ variable "group_memberships" {
   type        = map(string)
   default     = {}
 }
+
+variable "role_assignments" {
+  description = "Azure Roles to assign the Managed Identity."
+  type        = map(any)
+  default     = {}
+}
diff --git a/variables.tf b/variables.tf
@@ -169,7 +169,7 @@ variable "user_assigned_identities" {
       name                = "uai-my-identity"
       resource_group_name = "rg-name"
       location            = "norwayeast"
-      role_assignments    = ["IdentityRiskEvent.ReadWrite.All"]
+      app_role_assignments    = ["IdentityRiskEvent.ReadWrite.All"]
       group_memberships = {
         "Kubernetes Administrators" = azuread_group.k8s_admins.object_id
       }
@@ -178,11 +178,24 @@ variable "user_assigned_identities" {
   EOF
   default     = {}
   type = map(object({
-    name                = string
-    resource_group_name = optional(string)
-    location            = optional(string)
-    role_assignments    = optional(set(string))
-    group_memberships   = optional(map(string))
+    name                 = string
+    resource_group_name  = optional(string)
+    location             = optional(string)
+    app_role_assignments = optional(set(string))
+    role_assignments = optional(map(object({
+      name                                   = optional(string)
+      scope                                  = string
+      role_definition_id                     = optional(string)
+      role_definition_name                   = optional(string)
+      assign_to_workload_principal           = optional(bool)
+      condition                              = optional(string)
+      condition_version                      = optional(string)
+      delegated_managed_identity_resource_id = optional(string)
+      description                            = optional(string)
+      skip_service_principal_aad_check       = optional(bool)
+      //principal_id                           = optional(string)
+    })))
+    group_memberships = optional(map(string))
   }))
 }