

fix: gh identity permission (#386)
mamari90 authored Dec 5, 2024
1 parent f723048 commit f348510
Showing 3 changed files with 13 additions and 31 deletions.
8 changes: 1 addition & 7 deletions gh_runner_container_app_job_domain_setup/README.md
Expand Up @@ -47,12 +47,6 @@ module "gh_runner_job" {
rg = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
}
# optional
function_deploy = {
enabled = true
function_rg = ["<rg name 1>", "<rg name 2>"]
}
#optional
custom_rg_permissions = [
{
Expand Down Expand Up @@ -112,10 +106,10 @@ This module provides the appropriate permissions to the GH runner identity to de
| <a name="input_container"></a> [container](#input\_container) | Job Container configuration | <pre>object({<br/> cpu = number<br/> memory = string<br/> image = string<br/> })</pre> | <pre>{<br/> "cpu": 0.5,<br/> "image": "ghcr.io/pagopa/github-self-hosted-runner-azure:latest",<br/> "memory": "1Gi"<br/>}</pre> | no |
| <a name="input_custom_rg_permissions"></a> [custom\_rg\_permissions](#input\_custom\_rg\_permissions) | (Optional) List of resource group permission assigned to the job identity | <pre>list(object({<br/> # name of the resource group on which the permissions are given<br/> rg_name = string<br/> # list of permission assigned on with rg_name scope<br/> permissions = list(string)<br/> }))</pre> | `[]` | no |
| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | (Required) Domain name for the configured repositories | `string` | n/a | yes |
| <a name="input_domain_security_rg_name"></a> [domain\_security\_rg\_name](#input\_domain\_security\_rg\_name) | (Optional) Security rg name for the domain | `string` | n/a | yes |
| <a name="input_env_short"></a> [env\_short](#input\_env\_short) | Short environment prefix | `string` | n/a | yes |
| <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes |
| <a name="input_environment_rg"></a> [environment\_rg](#input\_environment\_rg) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes |
| <a name="input_function_deploy"></a> [function\_deploy](#input\_function\_deploy) | (Optional) Enables and specifies the function app deploy permissions | <pre>object({<br/> # enables the permission handdling for azure function deploy<br/> enabled = optional(bool, false)<br/> # list of function resource group names<br/> function_rg = optional(list(string), [])<br/> })</pre> | <pre>{<br/> "enabled": false,<br/> "function_rg": []<br/>}</pre> | no |
| <a name="input_gh_env"></a> [gh\_env](#input\_gh\_env) | Github environment name | `string` | n/a | yes |
| <a name="input_gh_identity_suffix"></a> [gh\_identity\_suffix](#input\_gh\_identity\_suffix) | (Optional) Suffix used in the gh identity name. Necessary to distinguish the identities when more than 20 repos are used | `string` | `"01"` | no |
| <a name="input_gh_repositories"></a> [gh\_repositories](#input\_gh\_repositories) | (Required) List of gh repository names and short names on which the managed identity will have permission. Max 20 repos. All repos must belong to the same organization, check `job_meta` variable | <pre>list(object({<br/> name = string<br/> short_name = string<br/> }))</pre> | n/a | yes |
11 changes: 7 additions & 4 deletions gh_runner_container_app_job_domain_setup/locals.tf
Expand Up @@ -17,13 +17,16 @@ locals {
} : {}

custom_permissions = { for perm in var.custom_rg_permissions : perm.rg_name => perm.permissions }
domain_sec_rg_permission = var.domain_security_rg_name != null ? {
"${var.domain_security_rg_name}" = [
"Key Vault Reader"
]
} : {}

function_deploy_permission = var.function_deploy.enabled ? { for rg in var.function_deploy.function_rg : rg => ["Contributor"] } : {}

# to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
environment_cd_roles = {
subscription = [
"Reader"
"Contributor"
]
resource_groups = merge(
{
Expand All @@ -36,7 +39,7 @@ locals {
},
local.aks_rg_permission,
local.custom_permissions,
local.function_deploy_permission
local.domain_sec_rg_permission
)
}
}
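Review bot: The subscription-scope role list in `environment_cd_roles` appears to end up as `"Contributor"` on the new side (the rendered page has lost the +/- markers, so this is inferred from print order), which contradicts the comment directly above it, `# to avoid subscription Contributor -> …`, and would widen the GH runner job identity from read-only to full write across the whole subscription. If the goal of the fix was only to let the job read the domain Key Vault, the new `domain_sec_rg_permission` entry already grants `"Key Vault Reader"` at resource-group scope and the subscription entry should stay `"Reader"`; if Contributor really is required, the comment should be updated to say why so the next reader does not revert it. As a point of style, the map key `"${var.domain_security_rg_name}" = [` is an interpolation-only string that `terraform fmt`-style linters flag; the HCL form is `(var.domain_security_rg_name) = [`. The enclosing `locals` block starts above this hunk.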
25 changes: 5 additions & 20 deletions gh_runner_container_app_job_domain_setup/variables.tf
Expand Up @@ -209,26 +209,6 @@ variable "kubernetes_deploy" {
}
}


variable "function_deploy" {
type = object({
# enables the permission handdling for azure function deploy
enabled = optional(bool, false)
# list of function resource group names
function_rg = optional(list(string), [])
})
description = "(Optional) Enables and specifies the function app deploy permissions"
default = {
enabled = false
function_rg = []
}

validation {
condition = var.function_deploy.enabled ? length(var.function_deploy.function_rg) > 0 : true
error_message = "Function rg not defined"
}
}

variable "custom_rg_permissions" {
type = list(object({
# name of the resource group on which the permissions are given
Expand Down Expand Up @@ -260,3 +240,8 @@ variable "domain_name" {
type = string
description = "(Required) Domain name for the configured repositories"
}

variable "domain_security_rg_name" {
type = string
description = "(Optional) Security rg name for the domain"
}
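Review bot: The new `domain_security_rg_name` variable is described as `(Optional)` but declares no `default`, so Terraform treats it as required and the `var.domain_security_rg_name != null ? {…} : {}` guard this commit adds in locals.tf can never take the `{}` branch. Add `default = null` to the variable so callers without a security resource group can omit it, or drop `(Optional)` and the null check if it is meant to be mandatory. The generated README table in this commit shows `n/a | yes` next to `(Optional)` for the same variable, and will keep disagreeing until one of the two is settled. `variable "domain_name"` above this hunk starts outside it.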

