From f3485105e35ce8c801209dcbb4ef72f3d944f0e5 Mon Sep 17 00:00:00 2001
From: Marco Mari <130982006+mamari90@users.noreply.github.com>
Date: Thu, 5 Dec 2024 15:30:20 +0100
Subject: [PATCH] fix: gh identity permission (#386)
---
 .../README.md | 8 +-----
 .../locals.tf | 11 +++++---
 .../variables.tf | 25 ++++---------------
 3 files changed, 13 insertions(+), 31 deletions(-)
diff --git a/gh_runner_container_app_job_domain_setup/README.md b/gh_runner_container_app_job_domain_setup/README.md
index 29578073..e590fec2 100644
--- a/gh_runner_container_app_job_domain_setup/README.md
+++ b/gh_runner_container_app_job_domain_setup/README.md
@@ -47,12 +47,6 @@ module "gh_runner_job" {
 rg = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
 }
- # optional
- function_deploy = {
- enabled = true
- function_rg = ["", ""]
- }
-
 #optional
 custom_rg_permissions = [
 {
@@ -112,10 +106,10 @@ This module provides the appropriate permissions to the GH runner identity to de
 | [container](#input\_container) | Job Container configuration |
object({
cpu = number
memory = string
image = string
})
|
{
"cpu": 0.5,
"image": "ghcr.io/pagopa/github-self-hosted-runner-azure:latest",
"memory": "1Gi"
}
| no | | [custom\_rg\_permissions](#input\_custom\_rg\_permissions) | (Optional) List of resource group permission assigned to the job identity |
list(object({
# name of the resource group on which the permissions are given
rg_name = string
# list of permission assigned on with rg_name scope
permissions = list(string)
}))
| `[]` | no | | [domain\_name](#input\_domain\_name) | (Required) Domain name for the configured repositories | `string` | n/a | yes | +| [domain\_security\_rg\_name](#input\_domain\_security\_rg\_name) | (Optional) Security rg name for the domain | `string` | n/a | yes | | [env\_short](#input\_env\_short) | Short environment prefix | `string` | n/a | yes | | [environment\_name](#input\_environment\_name) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes | | [environment\_rg](#input\_environment\_rg) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes | -| [function\_deploy](#input\_function\_deploy) | (Optional) Enables and specifies the function app deploy permissions |
object({
# enables the permission handdling for azure function deploy
enabled = optional(bool, false)
# list of function resource group names
function_rg = optional(list(string), [])
})
|
{
"enabled": false,
"function_rg": []
}
| no | | [gh\_env](#input\_gh\_env) | Github environment name | `string` | n/a | yes | | [gh\_identity\_suffix](#input\_gh\_identity\_suffix) | (Optional) Suffix used in the gh identity name. Necessary to distinguish the identities when more than 20 repos are used | `string` | `"01"` | no | | [gh\_repositories](#input\_gh\_repositories) | (Required) List of gh repository names and short names on which the managed identity will have permission. Max 20 repos. All repos must belong to the same organization, check `job_meta` variable |
list(object({
name = string
short_name = string
}))
| n/a | yes |
diff --git a/gh_runner_container_app_job_domain_setup/locals.tf b/gh_runner_container_app_job_domain_setup/locals.tf
index 5114fa78..5b161082 100644
--- a/gh_runner_container_app_job_domain_setup/locals.tf
+++ b/gh_runner_container_app_job_domain_setup/locals.tf
@@ -17,13 +17,16 @@ locals {
 } : {}
 custom_permissions = { for perm in var.custom_rg_permissions : perm.rg_name => perm.permissions }
+ domain_sec_rg_permission = var.domain_security_rg_name != null ? {
+ "${var.domain_security_rg_name}" = [
+ "Key Vault Reader"
+ ]
+ } : {}
- function_deploy_permission = var.function_deploy.enabled ? { for rg in var.function_deploy.function_rg : rg => ["Contributor"] } : {} - # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
 environment_cd_roles = {
 subscription = [
- "Reader"
+ "Contributor"
 ]
 resource_groups = merge(
 {
@@ -36,7 +39,7 @@ locals {
 },
 local.aks_rg_permission,
 local.custom_permissions,
- local.function_deploy_permission
+ local.domain_sec_rg_permission
 )
 }
 }
diff --git a/gh_runner_container_app_job_domain_setup/variables.tf b/gh_runner_container_app_job_domain_setup/variables.tf
index 53830c69..39e6abf8 100644
--- a/gh_runner_container_app_job_domain_setup/variables.tf
+++ b/gh_runner_container_app_job_domain_setup/variables.tf 
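Review bot: Replacing `"Reader"` with `"Contributor"` in `environment_cd_roles.subscription` gives the runner identity write access to every resource group in the subscription, which makes the per-resource-group scoping built by `resource_groups = merge(...)` — including the new `domain_sec_rg_permission` entry limited to `Key Vault Reader` — redundant in practice. The adjacent comment `# to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35` (the collapsed hunk does not show clearly whether it is removed or kept) documented why the previous code avoided exactly this, and it no longer matches the new value either way. If subscription-wide Contributor is genuinely needed by the Container App environment, that reason should replace the old comment, e.g. `# subscription Contributor required for <reason> -> <link>`; otherwise keep `"Reader"` and grant Contributor only on the specific resource groups through `custom_rg_permissions`. The enclosing `locals` block starts and ends outside this hunk.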
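Review bot: `local.domain_sec_rg_permission` is now the last argument of `merge(...)`, so when `var.domain_security_rg_name` is also listed in `var.custom_rg_permissions` the caller's role list for that resource group is silently replaced by `["Key Vault Reader"]`. Moving it before `local.custom_permissions` would let the explicit configuration win, i.e. `local.domain_sec_rg_permission,` followed by `local.custom_permissions` as the final argument; concatenating the two lists for that key would be the alternative if both sets of roles are wanted. The enclosing `locals` block starts outside this hunk.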
@@ -209,26 +209,6 @@ variable "kubernetes_deploy" {
 }
 }
-
-variable "function_deploy" {
- type = object({
- # enables the permission handdling for azure function deploy
- enabled = optional(bool, false)
- # list of function resource group names
- function_rg = optional(list(string), [])
- })
- description = "(Optional) Enables and specifies the function app deploy permissions"
- default = {
- enabled = false
- function_rg = []
- }
-
- validation {
- condition = var.function_deploy.enabled ? length(var.function_deploy.function_rg) > 0 : true
- error_message = "Function rg not defined"
- }
-}
-
 variable "custom_rg_permissions" {
 type = list(object({
 # name of the resource group on which the permissions are given
@@ -260,3 +240,8 @@ variable "domain_name" {
 type = string
 description = "(Required) Domain name for the configured repositories"
 }
+
+variable "domain_security_rg_name" {
+ type = string
+ description = "(Optional) Security rg name for the domain"
+}
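Review bot: `variable "domain_security_rg_name"` is described as "(Optional)" but declares no `default`, so Terraform treats it as required and the `!= null` guard in locals.tf only takes the empty branch when a caller passes `null` explicitly; the generated README row for it accordingly says `yes` under Required. Add `default = null` after `type = string` so the description, the README and the locals guard agree. Since the value becomes a role-assignment scope, a `validation` block that rejects an empty string when the value is set (condition: null or non-zero length, with a short error message) would also stop a stray `""` from producing a role assignment on a nonexistent resource group.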