Merge pull request #61 from bnubald/60_blob_access_fix

Resolves #60: Allows specifying an SAS token for Blob read access
icenet-ai · Nov 3, 2024 · 6bab05b · 6bab05b
2 parents 5069017 + 27957ca
commit 6bab05b
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 23 deletions.
diff --git a/terraform/forecast_processor/functions.tf b/terraform/forecast_processor/functions.tf
@@ -121,6 +121,13 @@ resource "azurerm_linux_function_app" "this" {
     # enabled which mounts over the contents of the container.
     # https://github.com/Azure/azure-functions-docker/issues/642
     "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
+    # Use an SAS Token with Blob read/list access
+    "AZURE_STORAGE_SAS_TOKEN" = var.storage_sas_token
+    # Use a service principal with blob read/list access (use either SAS token or service principal)
+    #"AZURE_CLIENT_ID" = var.service_principal_client_id
+    #"AZURE_CLIENT_SECRET" = var.service_principal_secret_val
+    #"AZURE_TENANT_ID" = var.tenant_id
+    #"AZURE_SUBSCRIPTION_ID" = var.subscription_id
   }
   identity {
     type          = "SystemAssigned"
@@ -140,29 +147,11 @@ resource "azurerm_linux_function_app" "this" {
   }
 }
 
-resource "azurerm_role_definition" "app_data_read" {
-  description        = "Allows for read access to Azure Storage blob containers and data"
-  name               = "${local.app_name}-role-read-forecast-data"
-  scope              = var.data_storage_account.id
-
-  permissions {
-      actions          = [
-          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-          "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
-      ]
-      data_actions     = [
-          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-      ]
-      not_actions      = []
-      not_data_actions = []
-  }
-}
-
-resource "azurerm_role_assignment" "app_data_read_assoc" {
-  scope              = var.data_storage_account.id
-  role_definition_id = azurerm_role_definition.app_data_read.role_definition_resource_id
-  principal_id       = azurerm_linux_function_app.this.identity.0.principal_id
-}
+#resource "azurerm_role_assignment" "storage_blob_data_reader_assoc" {
+#  scope              = var.data_storage_account.id
+#  role_definition_name = "Storage Blob Data Reader"
+#  principal_id       = azurerm_linux_function_app.this.identity.0.principal_id
+#}
 
 #resource "azurerm_private_endpoint" "event_proc_endpoint" {
 #  name                = "pvt-${var.project_name}-event-processing"

diff --git a/terraform/forecast_processor/variables.tf b/terraform/forecast_processor/variables.tf
@@ -53,6 +53,32 @@ variable "default_tags" {
     default = {}
 }
 
+variable "subscription_id" {
+  description = "Which Azure subscription to build in"
+  type        = string
+}
+variable "tenant_id" {
+  description = "Which Azure tenant to build in"
+  type        = string
+}
+variable "storage_sas_token" {
+  description = "Blob storage SAS token"
+  type        = string
+  sensitive   = true
+}
+variable "service_principal_client_id" {
+  description = "The special client/app ID, generated service principal for read/list blob storage access"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+variable "service_principal_secret_val" {
+  description = "Secret value of above service principal"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+
 # Local variables
 locals {
   tags = merge(

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -101,6 +101,11 @@ module "forecast_processor" {
   notification_email           = var.notification_email
   sendfrom_email               = var.sendfrom_email
   dns_zone                     = module.network.dns_zone
+  storage_sas_token            = var.storage_sas_token
+  service_principal_client_id  = var.service_principal_client_id
+  service_principal_secret_val = var.service_principal_secret_val
+  tenant_id                    = var.tenant_id
+  subscription_id              = var.subscription_id
 }
 
 module "web" {

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -15,6 +15,23 @@ variable "tenant_id" {
   description = "Which Azure tenant to build in"
   type        = string
 }
+variable "storage_sas_token" {
+  description = "Blob storage SAS token"
+  type        = string
+  sensitive   = true
+}
+variable "service_principal_client_id" {
+  description = "The special client/app ID, generated service principal for read/list blob storage access"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+variable "service_principal_secret_val" {
+  description = "Secret ID of above service principal"
+  type        = string
+  default     = null
+  sensitive   = true
+}
 
 # These have sensible defaults
 variable "domain_name" {