diff --git a/README.md b/README.md
index 7a0db12..33b012a 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@ resources that lack official modules.
| [cert\_manager](#module\_cert\_manager) | ./modules/cert_manager | n/a |
| [database](#module\_database) | ./modules/database | n/a |
| [identity](#module\_identity) | ./modules/identity | n/a |
+| [multi\_tenant\_service\_principal](#module\_multi\_tenant\_service\_principal) | ./modules/multi_tenant_service_principal | n/a |
| [networking](#module\_networking) | ./modules/networking | n/a |
| [redis](#module\_redis) | ./modules/redis | n/a |
| [storage](#module\_storage) | ./modules/storage | n/a |
diff --git a/main.tf b/main.tf
index 7595df0..fa48133 100644
--- a/main.tf
+++ b/main.tf
@@ -113,6 +113,13 @@ module "app_aks" {
tags = var.tags
}
+module "multi_tenant_service_principal" {
+ source = "./modules/multi_tenant_service_principal"
+
+ namespace = var.namespace
+ # resource_group_name = azurerm_resource_group.default.name
+}
+
locals {
container_name = try(module.storage[0].container.name, "")
account_name = try(module.storage[0].account.name, "")
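Review bot: The new module call at lines 20–25 commits a commented-out `# resource_group_name = azurerm_resource_group.default.name`, mirroring the commented-out `resource_group_name` variable in the module's `variables.tf`; either wire the argument or delete both stubs rather than leaving dead configuration in two places. The call also captures nothing from the module, so once it exports the service principal's object_id this is the call site where it would be handed to the storage module for the RBAC grant the `# TODO` in `modules/storage/main.tf` describes. The module uses the `azuread` provider, but no `required_providers` entry or provider configuration for it is visible in this diff; confirm the root module already declares it.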
diff --git a/modules/multi_tenant_service_principal/main.tf b/modules/multi_tenant_service_principal/main.tf
new file mode 100644
index 0000000..c41d92a
--- /dev/null
+++ b/modules/multi_tenant_service_principal/main.tf
@@ -0,0 +1,13 @@
+data "azuread_client_config" "current" {}
+
+resource "azuread_application" "example" {
+ display_name = "${var.namespace} Application"
+ owners = [data.azuread_client_config.current.object_id]
+ sign_in_audience = "AzureADMultipleOrgs"
+}
+
+resource "azuread_service_principal" "example" {
+ client_id = azuread_application.example.client_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
\ No newline at end of file
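Review bot: `sign_in_audience = "AzureADMultipleOrgs"` makes this app registration multi-tenant, so users and admins of any Microsoft Entra tenant can consent to and sign in to it, and `app_role_assignment_required = false` on the service principal lets any user in the home tenant obtain a token for it without an assignment; neither choice is explained anywhere in the module. Add a header comment stating why multi-tenant sign-in is required and which consumer validates the issuing tenant, e.g. `# Multi-tenant app: external tenants consent to this registration; the token consumer is responsible for restricting accepted tenant IDs.`, and set `app_role_assignment_required = true` if only assigned principals are meant to use it. The module's `outputs.tf` is added as an empty file in this diff, so neither `azuread_service_principal.example.object_id` nor `azuread_application.example.client_id` is exported and the storage RBAC grant the repo's TODO mentions cannot be wired; add `output "service_principal_object_id" { value = azuread_service_principal.example.object_id }` and a matching `client_id` output. The resource labels `example` read as provider-documentation boilerplate; name them for their role in this module.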
diff --git a/modules/multi_tenant_service_principal/outputs.tf b/modules/multi_tenant_service_principal/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/multi_tenant_service_principal/variables.tf b/modules/multi_tenant_service_principal/variables.tf
new file mode 100644
index 0000000..52e43b8
--- /dev/null
+++ b/modules/multi_tenant_service_principal/variables.tf
@@ -0,0 +1,9 @@
+variable "namespace" {
+ type = string
+ description = "Friendly name prefix used for tagging and naming Azure resources."
+}
+
+#variable "resource_group_name" {
+# description = "Resource Group name"
+# type = string
+#}
\ No newline at end of file
diff --git a/modules/secure_storage_connector/main.tf b/modules/secure_storage_connector/main.tf
new file mode 100644
index 0000000..98e40ed
--- /dev/null
+++ b/modules/secure_storage_connector/main.tf
@@ -0,0 +1,45 @@
+provider "azurerm" {
+ features {}
+}
+
+resource "azurerm_resource_group" "group" {
+ name = "${var.namespace}-resources"
+ location = var.location
+}
+
+resource "azurerm_storage_account" "account" {
+ name = "${var.namespace}storageaccount"
+ resource_group_name = azurerm_resource_group.group.name
+ location = azurerm_resource_group.group.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ is_hns_enabled = "true"
+
+ blob_properties {
+ cors_rule {
+ allowed_headers = ["*"]
+ allowed_methods = ["GET", "HEAD", "PUT"]
+ allowed_origins = ["*"]
+ exposed_headers = ["*"]
+ max_age_in_seconds = 3600
+ }
+ }
+}
+
+resource "azurerm_storage_container" "container" {
+ name = "${var.namespace}-container"
+ storage_account_name = azurerm_storage_account.account.name
+ container_access_type = "private"
+}
+
+resource "azurerm_role_assignment" "principal" {
+ scope = azurerm_storage_account.account.id
+ role_definition_name = "Storage Blob Data Owner"
+ principal_id = var.azure_principal_id
+}
+
+resource "azurerm_role_assignment" "principal2" {
+ scope = azurerm_storage_account.account.id
+ role_definition_name = "Storage Account Contributor"
+ principal_id = var.azure_principal_id
+}
\ No newline at end of file
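Review bot: `azurerm_role_assignment.principal2` grants "Storage Account Contributor" to the same `var.azure_principal_id` that already receives "Storage Blob Data Owner", although the variable only describes a principal that "can access the blob storage"; Storage Account Contributor is a management-plane role that includes listing the account access keys, so the principal effectively gains key-based full access to the account that bypasses the data-plane RBAC scoping the first assignment establishes. If the connector needs only data-plane access, drop `principal2`; otherwise add a comment naming the management operation that requires it. The `cors_rule` with `allowed_origins = ["*"]`, `allowed_headers = ["*"]`, `exposed_headers = ["*"]` and PUT allowed accepts browser requests from any origin; scope `allowed_origins` to the application's hostnames (a list variable) or comment why a wildcard is required. Smaller points: `is_hns_enabled = "true"` should be the bool `true`, and a `provider "azurerm"` block inside a child module (lines 75–77) is discouraged by Terraform because it blocks `count`/`for_each` on the module call and complicates removal — pass the provider from the root instead. Nothing in this diff invokes this module (root `main.tf` only adds `multi_tenant_service_principal`), so it may be unreachable until wired.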
diff --git a/modules/secure_storage_connector/outputs.tf b/modules/secure_storage_connector/outputs.tf
new file mode 100644
index 0000000..1b0a598
--- /dev/null
+++ b/modules/secure_storage_connector/outputs.tf
@@ -0,0 +1,7 @@
+output "storage_account_name" {
+ value = azurerm_storage_account.account.name
+}
+
+output "container_name" {
+ value = azurerm_storage_container.container.name
+}
\ No newline at end of file
diff --git a/modules/secure_storage_connector/variables.tf b/modules/secure_storage_connector/variables.tf
new file mode 100644
index 0000000..136ce79
--- /dev/null
+++ b/modules/secure_storage_connector/variables.tf
@@ -0,0 +1,14 @@
+variable "namespace" {
+ type = string
+ description = "Prefix to use when creating resources"
+}
+
+variable "location" {
+ type = string
+ description = "The Azure Region where resources will be created"
+}
+
+variable "azure_principal_id" {
+ description = "Azure principal ID that can access the blob storage"
+ type = string
+}
\ No newline at end of file
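Review bot: `variable "namespace"` has no validation, yet the module builds `"${var.namespace}storageaccount"` from it, and Azure storage account names must be 3–24 lowercase alphanumeric characters and globally unique; "storageaccount" already uses 14 characters, so any namespace longer than 10 characters, or one containing uppercase letters or hyphens, only fails at apply time. Add a `validation` block so the error is reported at plan time, and mention the global-uniqueness requirement in the description.

```hcl
variable "namespace" {
  type        = string
  description = "Prefix to use when creating resources (1-10 lowercase alphanumeric characters; the derived storage account name must be globally unique)"

  validation {
    condition     = can(regex("^[a-z0-9]{1,10}$", var.namespace))
    error_message = "namespace must be 1-10 lowercase alphanumeric characters so that \"<namespace>storageaccount\" is a valid storage account name."
  }
}

# … unchanged: location and azure_principal_id variables …
```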
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
index a318b34..36dc4ca 100644
--- a/modules/storage/main.tf
+++ b/modules/storage/main.tf
@@ -33,6 +33,7 @@ resource "azurerm_storage_container" "default" {
name = "wandb"
storage_account_name = azurerm_storage_account.default.name
container_access_type = "private"
+# TODO give RBAC to the newly created service principal
}
resource "azurerm_management_lock" "default" {
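Review bot: The added `# TODO give RBAC to the newly created service principal` sits inside the body of `azurerm_storage_container.default` (the resource opens outside this hunk), but an RBAC grant is a separate `azurerm_role_assignment` resource at account or container scope, not an argument of the container; move the comment above the block and make it specific, e.g. `# TODO: add azurerm_role_assignment for the multi_tenant_service_principal module's service principal (needs its object_id exported as a module output).` The new `modules/secure_storage_connector/main.tf` in this same change already implements that pattern with `azurerm_role_assignment` at storage-account scope, so it is unclear whether this module or the connector is meant to own the grant; note which one is canonical so the two do not diverge.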