From 212d960e1642aa040f1fbf344a4f72f09ec1f4fe Mon Sep 17 00:00:00 2001 From: Felix Zieger Date: Mon, 9 Sep 2024 17:41:06 +0200 Subject: [PATCH 1/2] feat: grant replicator access on EA --- README.md | 3 +- main.tf | 11 ++--- .../README.md | 7 +++- .../module.tf | 23 +++++++++- .../set-enrollment-account-permission.ps1 | 42 +++++++++++++++++++ .../variables.tf | 6 +++ variables.tf | 8 ++++ 7 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 modules/meshcloud-replicator-service-principal/set-enrollment-account-permission.ps1 diff --git a/README.md b/README.md index 96a8cba..840e46e 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Before opening a Pull Request, please do the following: | Name | Version | |------|---------| | [azuread](#provider\_azuread) | 2.53.1 | -| [azurerm](#provider\_azurerm) | 3.114.0 | +| [azurerm](#provider\_azurerm) | 3.111.0 | ## Modules 
@@ -208,6 +208,7 @@ Before opening a Pull Request, please do the following: | [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no | | [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the created service principals. | `list(string)` | `[]` | no | | [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups//`. | `list(string)` | `[]` | no | +| [can\_create\_subscriptions\_in\_enterprise\_enrollment\_account](#input\_can\_create\_subscriptions\_in\_enterprise\_enrollment\_account) | The billing account and enrollment account for which Service Principal will create subscriptions. | `object({ billing_account_id = string, enrollment_account_id = string })` | `null` | no | | [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/`. | `list(string)` | `[]` | no | | [create\_passwords](#input\_create\_passwords) | Create passwords for service principals. | `bool` | `true` | no | | [mca](#input\_mca) | n/a |
object({
service_principal_names = list(string)
billing_account_name = string
billing_profile_name = string
invoice_section_name = string
})
| `null` | no | diff --git a/main.tf b/main.tf index b976251..0518774 100644 --- a/main.tf +++ b/main.tf @@ -55,11 +55,12 @@ module "replicator_service_principal" { replicator_rg_enabled = var.replicator_rg_enabled - service_principal_name = var.replicator_service_principal_name - custom_role_scope = data.azurerm_management_group.replicator_custom_role_scope.id - assignment_scopes = local.replicator_assignment_scopes - can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes - can_delete_rgs_in_scopes = var.can_delete_rgs_in_scopes + service_principal_name = var.replicator_service_principal_name + custom_role_scope = data.azurerm_management_group.replicator_custom_role_scope.id + assignment_scopes = local.replicator_assignment_scopes + can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes + can_delete_rgs_in_scopes = var.can_delete_rgs_in_scopes + can_create_subscriptions_in_enterprise_enrollment_account = var.can_create_subscriptions_in_enterprise_enrollment_account additional_required_resource_accesses = var.additional_required_resource_accesses additional_permissions = var.additional_permissions diff --git a/modules/meshcloud-replicator-service-principal/README.md b/modules/meshcloud-replicator-service-principal/README.md index 5aec9fa..90ff631 100644 --- a/modules/meshcloud-replicator-service-principal/README.md +++ b/modules/meshcloud-replicator-service-principal/README.md @@ -12,9 +12,9 @@ | Name | Version | |------|---------| | [azuread](#provider\_azuread) | 2.53.1 | -| [azurerm](#provider\_azurerm) | 3.114.0 | +| [azurerm](#provider\_azurerm) | 3.111.0 | | [terraform](#provider\_terraform) | n/a | -| [time](#provider\_time) | 0.12.0 | +| [time](#provider\_time) | 0.11.2 | ## Modules 
@@ -40,9 +40,11 @@ No modules. | [azurerm_role_definition.meshcloud_replicator_rg_deleter](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | | [azurerm_role_definition.meshcloud_replicator_subscription_canceler](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource | | [terraform_data.allowed_assignments](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | +| [terraform_data.set_enrollment_account_permission](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [time_rotating.replicator_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | | [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source | | [azuread_application_template.enterprise_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_template) | data source | +| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source | | [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | ## Inputs 
@@ -54,6 +56,7 @@ No modules. | [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the replicator service principal. | `list(string)` | `[]` | no | | [assignment\_scopes](#input\_assignment\_scopes) | The scopes to which Service Principal permissions is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups//`. | `list(string)` | n/a | yes | | [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups//`. | `list(string)` | `[]` | no | +| [can\_create\_subscriptions\_in\_enterprise\_enrollment\_account](#input\_can\_create\_subscriptions\_in\_enterprise\_enrollment\_account) | The billing account and enrollment account for which Service Principal will create subscriptions. | `object({ billing_account_id = string, enrollment_account_id = string })` | `null` | no | | [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/`. | `list(string)` | `[]` | no | | [create\_password](#input\_create\_password) | Create a password for the enterprise application. | `bool` | n/a | yes | | [custom\_role\_scope](#input\_custom\_role\_scope) | The scope to which Service Principal permissions can be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/` that sits atop the subscriptions. | `string` | n/a | yes | diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf index 76225b4..48e192f 100644 --- a/modules/meshcloud-replicator-service-principal/module.tf 
+++ b/modules/meshcloud-replicator-service-principal/module.tf @@ -20,8 +20,7 @@ locals { } //--------------------------------------------------------------------------- -// Role Definition for the Replicator on the specified Scope -//--------------------------------------------------------------------------- +// Role Definition for the Replicator on the specified Scope --------------------------------------------------------------------------- resource "azurerm_role_definition" "meshcloud_replicator" { name = "${var.service_principal_name}-base" scope = var.custom_role_scope @@ -238,6 +237,26 @@ resource "azuread_app_role_assignment" "meshcloud_replicator-user" { depends_on = [azuread_application.meshcloud_replicator] } +//--------------------------------------------------------------------------- +// Assign Enrollment Account Subscription Creator Role to the Enterprise application +//--------------------------------------------------------------------------- +data "azuread_client_config" "current" {} + +resource "terraform_data" "set_enrollment_account_permission" { + triggers_replace = [uuid()] # The script is idempotent so we run it every time + + provisioner "local-exec" { + command = < Date: Tue, 17 Sep 2024 17:40:46 +0200 Subject: [PATCH 2/2] chore: provider versions --- README.md | 2 +- modules/meshcloud-metering-service-principal/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 840e46e..3f504ac 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Before opening a Pull Request, please do the following: | Name | Version | |------|---------| | [azuread](#provider\_azuread) | 2.53.1 | -| [azurerm](#provider\_azurerm) | 3.111.0 | +| [azurerm](#provider\_azurerm) | 4.2.0 | ## Modules diff --git a/modules/meshcloud-metering-service-principal/README.md b/modules/meshcloud-metering-service-principal/README.md index 59e5bda..53437dd 100644 --- a/modules/meshcloud-metering-service-principal/README.md 
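Review bot: In the `@@ -20,8 +20,7` hunk of module.tf the closing `//---…` separator line is dropped and its dashes are appended to the title comment, so the banner becomes the single line `// Role Definition for the Replicator on the specified Scope ---------------------------------------------------------------------------`; this reads as an accidental join rather than an intended edit, since the banner added later in the same file (`// Assign Enrollment Account Subscription Creator Role to the Enterprise application`) keeps the three-line form. Restore it as `// Role Definition for the Replicator on the specified Scope` followed by `//---------------------------------------------------------------------------` on its own line. The `azurerm_role_definition.meshcloud_replicator` resource that this banner introduces continues past the end of the hunk. The `@@ -238,6 +237,26` hunk that follows is cut off at `command = <` in this view, so the local-exec invocation it adds is not reviewed here.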
+++ b/modules/meshcloud-metering-service-principal/README.md @@ -12,8 +12,8 @@ | Name | Version | |------|---------| | [azuread](#provider\_azuread) | 2.53.1 | -| [azurerm](#provider\_azurerm) | 3.114.0 | -| [time](#provider\_time) | 0.12.0 | +| [azurerm](#provider\_azurerm) | 3.111.0 | +| [time](#provider\_time) | 0.11.2 | ## Modules