Support duplicate Role Definition deployments

Azure · Oct 5, 2020 · b4c7ce2 · b4c7ce2
1 parent 3186eb3
commit b4c7ce2
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 11 deletions.
diff --git a/data.subscription.tf b/data.subscription.tf
diff --git a/.../terraform-azurerm-enterprise-scale-archetypes/lib/archetype_definition_es_root.tmpl.json b/.../terraform-azurerm-enterprise-scale-archetypes/lib/archetype_definition_es_root.tmpl.json
@@ -110,7 +110,7 @@
         ],
         "role_assignments": [],
         "role_definitions": [
-            "ES Network Subnet Contributor"
+            "ES-Network-Subnet-Contributor"
         ]
     }
 }
diff --git a/...aform-azurerm-enterprise-scale-archetypes/lib/role_definition_es_network_contributor.json b/...aform-azurerm-enterprise-scale-archetypes/lib/role_definition_es_network_contributor.json
@@ -3,7 +3,7 @@
     "type": "Microsoft.Authorization/roleDefinitions",
     "apiVersion": "2018-01-01-preview",
     "properties": {
-        "roleName": "ES Network Subnet Contributor",
+        "roleName": "ES-Network-Subnet-Contributor",
         "description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.",
         "type": "customRole",
         "permissions": [

diff --git a/modules/terraform-azurerm-enterprise-scale-archetypes/locals.role_definitions.tf b/modules/terraform-azurerm-enterprise-scale-archetypes/locals.role_definitions.tf
@@ -39,22 +39,22 @@ locals {
 locals {
   builtin_role_definitions_map_from_json = try(length(local.builtin_role_definitions_dataset_from_json) > 0, false) ? {
     for key, value in local.builtin_role_definitions_dataset_from_json :
-    value.name => value.properties
+    uuidv5(value.name, local.scope_id) => value.properties
     if value.type == local.resource_types.role_definition
   } : null
   builtin_role_definitions_map_from_yaml = try(length(local.builtin_role_definitions_dataset_from_yaml) > 0, false) ? {
     for key, value in local.builtin_role_definitions_dataset_from_yaml :
-    value.name => value.properties
+    uuidv5(value.name, local.scope_id) => value.properties
     if value.type == local.resource_types.role_definition
   } : null
   custom_role_definitions_map_from_json = try(length(local.custom_role_definitions_dataset_from_json) > 0, false) ? {
     for key, value in local.custom_role_definitions_dataset_from_json :
-    value.name => value.properties
+    uuidv5(value.name, local.scope_id) => value.properties
     if value.type == local.resource_types.role_definition
   } : null
   custom_role_definitions_map_from_yaml = try(length(local.custom_role_definitions_dataset_from_yaml) > 0, false) ? {
     for key, value in local.custom_role_definitions_dataset_from_yaml :
-    value.name => value.properties
+    uuidv5(value.name, local.scope_id) => value.properties
     if value.type == local.resource_types.role_definition
   } : null
 }

diff --git a/modules/terraform-azurerm-enterprise-scale-archetypes/locals.tf b/modules/terraform-azurerm-enterprise-scale-archetypes/locals.tf
@@ -44,6 +44,6 @@ locals {
     policy_definition     = "${local.scope_id}/providers/Microsoft.Authorization/policyDefinitions/"
     policy_set_definition = "${local.scope_id}/providers/Microsoft.Authorization/policySetDefinitions/"
     role_assignment       = "${local.scope_id}/providers/Microsoft.Authorization/roleAssignments/"
-    role_definition       = "${local.scope_id}/providers/Microsoft.Authorization/roleDefinitions/"
+    role_definition       = "/providers/Microsoft.Authorization/roleDefinitions/"
   }
 }
diff --git a/resources.role_definitions.tf b/resources.role_definitions.tf
@@ -9,7 +9,7 @@ resource "azurerm_role_definition" "enterprise_scale" {
   role_definition_id = basename(each.key)
 
   # Mandatory resource attributes
-  name  = each.value.template.roleName
+  name  = "[${upper(local.es_root_id)}] ${each.value.template.roleName}"
   scope = each.value.scope_id
 
   permissions {