updates to resolve issue #794 (#919)
Co-authored-by: github-actions <[email protected]>
ATuckwell and actions-user committed Apr 11, 2024
1 parent fc666d1 commit 1ac8cb8
Showing 4 changed files with 83 additions and 0 deletions.
8 changes: 8 additions & 0 deletions locals.role_assignments.tf
Expand Up @@ -37,3 +37,11 @@ locals {
(role.role_assignment_id) => role.role_assignment_config
}
}

# The following locals is required to resolve bug as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/794
# This locals is used by resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity"
# in resources.role_assignments.tf to determine if the connectivity management group exists

locals {
connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
}
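Review bot: The connectivity management-group name `"${var.root_id}-connectivity"` that `connectivity_mg_exists` compares against on the last line of this hunk is rebuilt independently as the role-assignment `scope` in resources.role_assignments.tf, so the two strings can drift apart and the existence check would then pass while the assignment targets a different scope. Defining it once, e.g. `connectivity_mg_name = "${var.root_id}-connectivity"` next to `connectivity_mg_exists`, and interpolating that local into the scope string keeps the guard and the target in lock-step. The `k` in `for k, v in local.es_landing_zones_map` is unused; `[for v in local.es_landing_zones_map : v if v.id == local.connectivity_mg_name]` reads more directly since a single iterator over a map yields its values. In the header comment, "This locals is" should read "This local is".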
18 changes: 18 additions & 0 deletions resources.role_assignments.tf
Expand Up @@ -97,3 +97,21 @@ resource "time_sleep" "after_azurerm_role_assignment" {
create_duration = local.create_duration_delay["after_azurerm_role_assignment"]
destroy_duration = local.destroy_duration_delay["after_azurerm_role_assignment"]
}

# Role Assignment required to resolve bug as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/794
# Role assignment will add "Private DNS Zone Contributor" role def for the policy assignment's Managed Identity
# on the connectivity management group
resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
for_each = local.connectivity_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-Private-DNS-Zones") } : {}
role_definition_name = "Private DNS Zone Contributor"
scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-connectivity"
principal_id = each.value.identity[0].principal_id

depends_on = [
time_sleep.after_azurerm_management_group,
time_sleep.after_azurerm_policy_definition,
time_sleep.after_azurerm_policy_set_definition,
time_sleep.after_azurerm_policy_assignment,
azurerm_role_assignment.policy_assignment,
]
}
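Review bot: `principal_id = each.value.identity[0].principal_id` assumes every policy assignment whose key ends in `Deploy-Private-DNS-Zones` carries an identity block; if one is ever created without a managed identity, the `[0]` index fails the plan instead of skipping that assignment. Adding the presence check to the `for_each` filter keeps the resource robust, e.g. `if endswith(k, "Deploy-Private-DNS-Zones") && length(v.identity) > 0`. The role is granted at the whole connectivity management group rather than at the resource group(s) that hold the private DNS zones, which is broader than the remediation strictly needs; the header comment should state why management-group scope is the intended choice here so the least-privilege trade-off is visibly deliberate and a later reader neither narrows it blindly nor widens it further. Since the `for_each` keys are full policy-assignment resource IDs, the suffix match selects the assignment from every landing-zone management group (both corp and demo-corp appear in the baseline), which looks intended but is worth saying in the comment.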
38 changes: 38 additions & 0 deletions tests/modules/test_002_add_custom_core/baseline_values.json
Expand Up @@ -7645,6 +7645,44 @@
]
}
},
{
"address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]",
"mode": "managed",
"type": "azurerm_role_assignment",
"name": "private_dns_zone_contributor_connectivity",
"index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones",
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"schema_version": 0,
"values": {
"condition": null,
"condition_version": null,
"delegated_managed_identity_resource_id": null,
"description": null,
"role_definition_name": "Private DNS Zone Contributor",
"scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity",
"timeouts": null
},
"sensitive_values": {}
},
{
"address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]",
"mode": "managed",
"type": "azurerm_role_assignment",
"name": "private_dns_zone_contributor_connectivity",
"index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones",
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"schema_version": 0,
"values": {
"condition": null,
"condition_version": null,
"delegated_managed_identity_resource_id": null,
"description": null,
"role_definition_name": "Private DNS Zone Contributor",
"scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity",
"timeouts": null
},
"sensitive_values": {}
},
{
"address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/07824e45-af54-586f-a5f0-4bb8676cb3a2\"]",
"mode": "managed",
19 changes: 19 additions & 0 deletions tests/modules/test_003_add_mgmt_conn/baseline_values.json
Expand Up @@ -13330,6 +13330,25 @@
]
}
},
{
"address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]",
"mode": "managed",
"type": "azurerm_role_assignment",
"name": "private_dns_zone_contributor_connectivity",
"index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones",
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"schema_version": 0,
"values": {
"condition": null,
"condition_version": null,
"delegated_managed_identity_resource_id": null,
"description": null,
"role_definition_name": "Private DNS Zone Contributor",
"scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity",
"timeouts": null
},
"sensitive_values": {}
},
{
"address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/07824e45-af54-586f-a5f0-4bb8676cb3a2\"]",
"mode": "managed",
