From d7e769636c4ebab8dbe4844c295014aa01272f24 Mon Sep 17 00:00:00 2001
From: yairra
Date: Sun, 1 Oct 2023 13:56:46 +0300
Subject: [PATCH] Azure HA TF template | Updated managed identity permissions
---
 .../high-availability-existing-vnet/main.tf | 22 +++++++++++++++----
 .../azure/high-availability-new-vnet/main.tf | 22 +++++++++++++++----
 2 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf
index d145e84f..7f1f4ab4 100755
--- a/terraform/azure/high-availability-existing-vnet/main.tf
+++ b/terraform/azure/high-availability-existing-vnet/main.tf
@@ -493,12 +493,26 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
 }
 }
 //********************** Role Assigments **************************//
-data "azurerm_role_definition" "role_definition" {
- name = module.common.role_definition
+data "azurerm_role_definition" "virtual_machine_contributor_role_definition" {
+ name = "Reader"
+}
+data "azurerm_role_definition" "reader_role_definition" {
+ name = "Virtual Machine Contributor"
 }
 data "azurerm_client_config" "client_config" {
 }
-resource "azurerm_role_assignment" "cluster_assigment" {
+resource "azurerm_role_assignment" "virtual_machine_contributor_role_definition" {
+ count = 2
+ lifecycle {
+ ignore_changes = [
+ role_definition_id, principal_id
+ ]
+ }
+ scope = module.common.resource_group_id
+ role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id
+ principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
+}
+resource "azurerm_role_assignment" "cluster_reader_assigment" {
 count = 2
 lifecycle {
 ignore_changes = [
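Review bot: The two added `azurerm_role_definition` data sources have their `name` values swapped: `virtual_machine_contributor_role_definition` looks up `"Reader"` while `reader_role_definition` looks up `"Virtual Machine Contributor"`, so `cluster_reader_assigment` (whose `role_definition_id` is switched to `reader_role_definition` in the next hunk) actually grants Virtual Machine Contributor and the assignment named after VM Contributor grants Reader. Both roles still land on each VM identity, but the labels invert the privilege each assignment carries and will mislead anyone auditing or trimming these grants later; the fix is `name = "Virtual Machine Contributor"` in the first data source and `name = "Reader"` in the second, and the same swap is repeated in the high-availability-new-vnet hunk at `@@ -514,12 +514,26 @@`. Separately, replacing the configurable `module.common.role_definition` with a hard-coded Virtual Machine Contributor grant at `module.common.resource_group_id` scope means a compromised cluster VM can manage every VM in that resource group, and copying `ignore_changes = [role_definition_id, principal_id]` onto the new resource means a later out-of-band change to the assigned role is never reconciled by Terraform — a comment stating why resource-group-wide contributor rights are required, or a narrower scope, would help reviewers. Renaming `cluster_assigment` to `cluster_reader_assigment` without a `moved` block also destroys and recreates that assignment on the next apply, leaving a short window with no Reader grant.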
@@ -506,6 +520,6 @@ resource "azurerm_role_assignment" "cluster_assigment" {
 ]
 }
 scope = module.common.resource_group_id
- role_definition_id = data.azurerm_role_definition.role_definition.id
+ role_definition_id = data.azurerm_role_definition.reader_role_definition.id
 principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
 }
\ No newline at end of file
diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf
index a24c1a9e..be218a02 100755
--- a/terraform/azure/high-availability-new-vnet/main.tf
+++ b/terraform/azure/high-availability-new-vnet/main.tf
@@ -514,12 +514,26 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
 }
 }
 //********************** Role Assigments **************************//
-data "azurerm_role_definition" "role_definition" {
- name = module.common.role_definition
+data "azurerm_role_definition" "virtual_machine_contributor_role_definition" {
+ name = "Reader"
+}
+data "azurerm_role_definition" "reader_role_definition" {
+ name = "Virtual Machine Contributor"
 }
 data "azurerm_client_config" "client_config" {
 }
-resource "azurerm_role_assignment" "cluster_assigment" {
+resource "azurerm_role_assignment" "virtual_machine_contributor_role_definition" {
+ count = 2
+ lifecycle {
+ ignore_changes = [
+ role_definition_id, principal_id
+ ]
+ }
+ scope = module.common.resource_group_id
+ role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id
+ principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
+}
+resource "azurerm_role_assignment" "cluster_reader_assigment" {
 count = 2
 lifecycle {
 ignore_changes = [
@@ -527,6 +541,6 @@ resource "azurerm_role_assignment" "cluster_assigment" {
 ]
 }
 scope = module.common.resource_group_id
- role_definition_id = data.azurerm_role_definition.role_definition.id
+ role_definition_id = data.azurerm_role_definition.reader_role_definition.id
 principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
 }