-
Notifications
You must be signed in to change notification settings - Fork 10
/
iam.tf
101 lines (89 loc) · 4.3 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
locals {
role_name = "CastAKSRole-${var.aks_cluster_name}-tf"
app_name = substr("CAST AI ${var.aks_cluster_name}-${var.resource_group}", 0, 64)
}
// Azure RM
resource "azurerm_role_definition" "castai" {
name = local.role_name
description = "Role used by CAST AI"
scope = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group}"
permissions {
actions = [
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Compute/galleries/write",
"Microsoft.Compute/galleries/delete",
"Microsoft.Compute/galleries/images/write",
"Microsoft.Compute/galleries/images/delete",
"Microsoft.Compute/galleries/images/versions/write",
"Microsoft.Compute/galleries/images/versions/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/applicationGateways/backendhealth/action",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
"Microsoft.Network/loadBalancers/backendAddressPools/write",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.ContainerService/*/read",
"Microsoft.ContainerService/managedClusters/start/action",
"Microsoft.ContainerService/managedClusters/stop/action",
"Microsoft.ContainerService/managedClusters/runCommand/action",
"Microsoft.ContainerService/managedClusters/agentPools/*",
"Microsoft.Resources/*/read",
"Microsoft.Resources/tags/write",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
]
not_actions = []
}
assignable_scopes = distinct(compact(flatten([
"/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group}",
"/subscriptions/${var.subscription_id}/resourceGroups/${var.node_resource_group}",
var.additional_resource_groups
])))
}
resource "azurerm_role_assignment" "castai_resource_group" {
principal_id = azuread_service_principal.castai.object_id
role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
description = "castai role assignment for resource group ${var.resource_group}"
scope = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group}"
}
resource "azurerm_role_assignment" "castai_node_resource_group" {
principal_id = azuread_service_principal.castai.object_id
role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
description = "castai role assignment for resource group ${var.aks_cluster_name}"
scope = "/subscriptions/${var.subscription_id}/resourceGroups/${var.node_resource_group}"
}
resource "azurerm_role_assignment" "castai_additional_resource_groups" {
for_each = toset(var.additional_resource_groups)
principal_id = azuread_service_principal.castai.object_id
description = "castai role assignment for resource group ${each.key}"
role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
scope = each.key
}
// Azure AD
data "azuread_client_config" "current" {}
resource "azuread_application" "castai" {
display_name = local.app_name
owners = [data.azuread_client_config.current.object_id]
}
resource "azuread_application_password" "castai" {
application_id = azuread_application.castai.id
}
resource "azuread_service_principal" "castai" {
client_id = azuread_application.castai.client_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}