Merge pull request #7 from krowlandson/main
Role Definition Update
Kevin Rowlandson authored Oct 5, 2020
2 parents 3f05ea4 + 5d8e043 commit 7cbade4
Showing 9 changed files with 21 additions and 18 deletions.
3 changes: 0 additions & 3 deletions data.subscription.tf

This file was deleted.

Expand Up @@ -110,7 +110,7 @@
],
"role_assignments": [],
"role_definitions": [
"ES Network Subnet Contributor"
"ES-Network-Subnet-Contributor"
]
}
}
Expand Up @@ -3,7 +3,7 @@
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-01-01-preview",
"properties": {
"roleName": "ES Network Subnet Contributor",
"roleName": "ES-Network-Subnet-Contributor",
"description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.",
"type": "customRole",
"permissions": [
@@ -1,14 +1,11 @@
# Load the built-in archetype definitions from the internal library path
locals {
builtin_library_path = "${path.module}/lib"
builtin_archetype_definitions_json = tolist(fileset(local.builtin_library_path, "**archetype_definition_*.json"))
builtin_archetype_definitions_yaml = tolist(fileset(local.builtin_library_path, "**archetype_definition_*.{yml,yaml}"))
}

# Load the custom archetype definitions from the custom library path if specified
locals {
custom_library_path_specified = try(length(local.archetype_library_path) > 0, false)
custom_library_path = local.custom_library_path_specified ? replace(local.archetype_library_path, "//$/", "") : null
custom_archetype_definitions_json = local.custom_library_path_specified ? tolist(fileset(local.custom_library_path, "**archetype_definition_*.json")) : []
custom_archetype_definitions_yaml = local.custom_library_path_specified ? tolist(fileset(local.custom_library_path, "**archetype_definition_*.{yml,yaml}")) : []
}
Expand Up @@ -39,22 +39,22 @@ locals {
locals {
builtin_role_definitions_map_from_json = try(length(local.builtin_role_definitions_dataset_from_json) > 0, false) ? {
for key, value in local.builtin_role_definitions_dataset_from_json :
value.name => value.properties
uuidv5(value.name, local.scope_id) => value.properties
if value.type == local.resource_types.role_definition
} : null
builtin_role_definitions_map_from_yaml = try(length(local.builtin_role_definitions_dataset_from_yaml) > 0, false) ? {
for key, value in local.builtin_role_definitions_dataset_from_yaml :
value.name => value.properties
uuidv5(value.name, local.scope_id) => value.properties
if value.type == local.resource_types.role_definition
} : null
custom_role_definitions_map_from_json = try(length(local.custom_role_definitions_dataset_from_json) > 0, false) ? {
for key, value in local.custom_role_definitions_dataset_from_json :
value.name => value.properties
uuidv5(value.name, local.scope_id) => value.properties
if value.type == local.resource_types.role_definition
} : null
custom_role_definitions_map_from_yaml = try(length(local.custom_role_definitions_dataset_from_yaml) > 0, false) ? {
for key, value in local.custom_role_definitions_dataset_from_yaml :
value.name => value.properties
uuidv5(value.name, local.scope_id) => value.properties
if value.type == local.resource_types.role_definition
} : null
}
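Review bot: The new map keys call `uuidv5(value.name, local.scope_id)`, but Terraform's `uuidv5(namespace, name)` takes the namespace first and only accepts `dns`, `url`, `oid`, `x500` or a UUID string there; if `value.name` is the role's readable name (this commit renames definitions to forms like `ES-Network-Subnet-Contributor`, though the JSON `name` field itself is outside the hunk), the plan will fail, and even when it is already a UUID the two arguments read as swapped. A form that works for any name is `uuidv5("url", "${local.scope_id}/${value.name}")`, which keeps the GUID deterministic per scope and role. Because that GUID becomes the `role_definition_id` consumed by `basename(each.key)`, any later change to `scope_id` or to a definition's `name` creates a new custom role and orphans the old one, which is worth a comment; the expression is repeated identically four times, so a single local would also stop the four from drifting apart.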
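--- a/modules/terraform-azurerm-enterprise-scale-archetypes/locals.tf
+++ b/modules/terraform-azurerm-enterprise-scale-archetypes/locals.tf
@@ -17,6 +17,16 @@ locals {
 default_location = var.default_location
 }
 
+# The following locals are used to define the built-in
+# library path, and determine whether a custom library
+# path has been provided to enable conditional logic on
+# loading configuration files from the library path(s).
+locals {
+builtin_library_path = "${path.module}/lib"
+custom_library_path_specified = try(length(local.archetype_library_path) > 0, false)
+custom_library_path = local.custom_library_path_specified ? replace(local.archetype_library_path, "//$/", "") : null
+}
+
 # The following locals are used to define base Azure
 # provider paths and resource types
 locals {
@@ -34,6 +44,6 @@ locals {
 policy_definition = "${local.scope_id}/providers/Microsoft.Authorization/policyDefinitions/"
 policy_set_definition = "${local.scope_id}/providers/Microsoft.Authorization/policySetDefinitions/"
 role_assignment = "${local.scope_id}/providers/Microsoft.Authorization/roleAssignments/"
-role_definition = "${local.scope_id}/providers/Microsoft.Authorization/roleDefinitions/"
+role_definition = "/providers/Microsoft.Authorization/roleDefinitions/"
 }
 }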
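Review bot: `role_definition` on the last line of the second hunk is now the only entry in this map without the `${local.scope_id}` prefix that `policy_definition`, `policy_set_definition` and `role_assignment` carry, and nothing says why. Since the key is later split with `basename(each.key)` and the scope is passed separately as `scope_id` in resources.role_definitions.tf, the asymmetry looks intentional, but the next reader will take it for a dropped interpolation; add `# Intentionally unscoped: the role definition GUID is the key and the deployment scope is passed separately as scope_id.` above it. In the first hunk, `custom_library_path_specified` still wraps `length(...)` in `try()`; with the variable default changed to `""` in this commit the `try()` no longer guards a `null`, so either drop it or note what it is still catching.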
Expand Up @@ -37,13 +37,13 @@ variable "archetype_id" {
variable "archetype_parameters" {
type = map(any)
description = "OPTIONAL: If specified, will use the specified parameters to override archetype defaults."
default = null
default = {}
}

variable "archetype_library_path" {
type = string
description = "OPTIONAL: If specified, sets the path to a custom library folder for archetype artefacts."
default = null
default = ""

# validation {
# condition = fileexists(var.archetype_library_path) // does not work with a directory
Expand All @@ -54,7 +54,6 @@ variable "archetype_library_path" {
variable "default_location" {
type = string
description = "OPTIONAL: If specified, will use set the default location used for resource deployments where needed."
default = "eastus"

# Need to add validation covering all Azure locations
}
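Review bot: `archetype_library_path` now defaults to `""` with its validation still commented out, so a mistyped custom path is never an error: the `fileset()` calls that consume it return an empty set for a directory that does not exist, as far as I can tell, and the module silently falls back to the built-in library, which for a library carrying role and policy definitions means controls quietly go undeployed. On Terraform 0.13+ a `validation` block may call `fileset` on the variable itself, so replace the commented `fileexists` block with `condition = var.archetype_library_path == "" || length(fileset(var.archetype_library_path, "**")) > 0` plus an `error_message` naming the path; this also rejects an empty directory, which is probably what you want. The second hunk removes `default = "eastus"` from `default_location`, making it mandatory for every caller, yet its description still says `OPTIONAL: If specified, will use set the default location ...`; change it to `REQUIRED: Sets the default location used for resource deployments where needed.` so the contract and the text agree.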
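--- a/resources.role_definitions.tf
+++ b/resources.role_definitions.tf
@@ -9,7 +9,7 @@ resource "azurerm_role_definition" "enterprise_scale" {
 role_definition_id = basename(each.key)
 
 # Mandatory resource attributes
-name = each.value.template.roleName
+name = "[${upper(local.es_root_id)}] ${each.value.template.roleName}"
 scope = each.value.scope_id
 
 permissions {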
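Review bot: The display name is now derived from `local.es_root_id`, so renaming the root in a later apply renames every custom role, and the rationale for the prefix is not stated; add `# Prefix with the root ID so custom roles from several enterprise-scale deployments in one tenant stay distinguishable and do not collide on name.` above `name`. The archetype definitions in this commit still list these roles by bare name under `role_definitions` (e.g. `ES-Network-Subnet-Contributor`), so anything that resolves a deployed role by its display name must now use the prefixed form; I cannot see that lookup from this hunk, so please confirm it keys on the GUID rather than on `roleName`. The resource block continues outside the hunk.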
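--- a/variables.tf
+++ b/variables.tf
@@ -84,7 +84,7 @@ variable "es_custom_landing_zones" {
 variable "es_archetype_library_path" {
 type = string
 description = "OPTIONAL: If specified, sets the path to a custom library folder for archetype artefacts."
-default = null
+default = ""
 
 # validation {
 # condition = fileexists(var.es_archetype_library_path) // does not work with a directory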
