diff --git a/locals.role_assignments.tf b/locals.role_assignments.tf
index 5576d0171..86bfe1fa5 100644
--- a/locals.role_assignments.tf
+++ b/locals.role_assignments.tf
@@ -37,3 +37,11 @@ locals {
 (role.role_assignment_id) => role.role_assignment_config
 }
 }
+
+# The following locals is required to resolve bug as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/794
+# This locals is used by resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity"
+# in resources.role_assignments.tf to determine if the connectivity management group exists
+
+locals {
+  connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
+}
\ No newline at end of file
diff --git a/resources.role_assignments.tf b/resources.role_assignments.tf
index 8d72e1746..e25e4944b 100644
--- a/resources.role_assignments.tf
+++ b/resources.role_assignments.tf
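Review bot: The existence test in `connectivity_mg_exists` rebuilds the connectivity management-group name inline as `"${var.root_id}-connectivity"`, and the role-assignment resource that consumes this local builds the same name a second time for its `scope`, so the two strings can silently drift apart; define it once, e.g. `connectivity_mg_name = "${var.root_id}-connectivity"`, and reference that local in both places. The comprehension also binds `k` without using it and goes through `length([...]) > 0`, which reads more directly as `anytrue([for v in values(local.es_landing_zones_map) : v.id == "${var.root_id}-connectivity"])`. Whether `v.id` holds the short management-group name rather than the full ARM resource ID cannot be confirmed from this hunk, and the comparison only works if it does, so a short comment stating that assumption would help the next reader. The header comment should read "The following local is required …" / "This local is used by …".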
@@ -97,3 +97,21 @@ resource "time_sleep" "after_azurerm_role_assignment" {
 create_duration = local.create_duration_delay["after_azurerm_role_assignment"]
 destroy_duration = local.destroy_duration_delay["after_azurerm_role_assignment"]
 }
+
+# Role Assignment required to resolve bug as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/794
+# Role assignment will add "Private DNS Zone Contributor" role def for the policy assignment's Managed Identity
+# on the connectivity management group
+resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
+ for_each = local.connectivity_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-Private-DNS-Zones") } : {}
+ role_definition_name = "Private DNS Zone Contributor"
+ scope = "/providers/Microsoft.Management/managementGroups/${var.root_id}-connectivity"
+ principal_id = each.value.identity[0].principal_id
+
+ depends_on = [
+ time_sleep.after_azurerm_management_group,
+ time_sleep.after_azurerm_policy_definition,
+ time_sleep.after_azurerm_policy_set_definition,
+ time_sleep.after_azurerm_policy_assignment,
+ azurerm_role_assignment.policy_assignment,
+ ]
+}
\ No newline at end of file
diff --git a/tests/modules/test_002_add_custom_core/baseline_values.json b/tests/modules/test_002_add_custom_core/baseline_values.json
index 68c58bf2a..6231be947 100644
--- a/tests/modules/test_002_add_custom_core/baseline_values.json
+++ b/tests/modules/test_002_add_custom_core/baseline_values.json
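Review bot: The `for_each` filter selects policy assignments by key suffix only, while `principal_id = each.value.identity[0].principal_id` indexes `identity[0]` unconditionally, so a matching assignment created without a managed identity would fail the plan with an index error instead of being skipped; tightening the filter to `if endswith(k, "Deploy-Private-DNS-Zones") && length(v.identity) > 0` makes that precondition explicit (whether identity-less assignments can occur here is not visible in this hunk, and `endswith` will also match any custom assignment whose key merely ends in that string, which is worth a comment if intended). The grant is `Private DNS Zone Contributor` over the entire connectivity management group, which is broader than the zones the policy actually writes to; if the private DNS zones live in one subscription or resource group, scoping the assignment there would be closer to least privilege, though the zone location is not shown here. A management-group-scope role assignment with no `description` is hard to justify in an access review — consider `description = "Allows the Deploy-Private-DNS-Zones policy identity to write private DNS zone records (issue #794)"`. Finally, `time_sleep.after_azurerm_role_assignment` (its block starts in the context above and its `depends_on` is outside this hunk) presumably waits on `azurerm_role_assignment.policy_assignment` only, so the new assignment may fall outside the post-assignment delay — verify and add it to that list if so.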
@@ -7645,6 +7645,44 @@ ] } }, + { + "address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "private_dns_zone_contributor_connectivity", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "role_definition_name": "Private DNS Zone Contributor", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "private_dns_zone_contributor_connectivity", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "role_definition_name": "Private DNS Zone Contributor", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, { "address": 
"module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/07824e45-af54-586f-a5f0-4bb8676cb3a2\"]", "mode": "managed", diff --git a/tests/modules/test_003_add_mgmt_conn/baseline_values.json b/tests/modules/test_003_add_mgmt_conn/baseline_values.json index f9ec94704..e67f1c531 100644 --- a/tests/modules/test_003_add_mgmt_conn/baseline_values.json +++ b/tests/modules/test_003_add_mgmt_conn/baseline_values.json @@ -13330,6 +13330,25 @@ ] } }, + { + "address": "module.test_core.azurerm_role_assignment.private_dns_zone_contributor_connectivity[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "private_dns_zone_contributor_connectivity", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "role_definition_name": "Private DNS Zone Contributor", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, { "address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/07824e45-af54-586f-a5f0-4bb8676cb3a2\"]", "mode": "managed",