terraform-azurerm-caf

Feature/add support for vmss roles

Open yves-vogl opened this issue 2 years ago • 0 comments

1258

Description

To allow a more restrictive permission set on VMSS (e.g. for an Azure DevOps Service Connection) I want to assign the Contributor role to an identity.

Does this introduce a breaking change

  • [ ] YES
  • [ ] NO
  • [X] MAYBE

I had to remove the direct dependency on azurerm_role_assignment.for to avoid a cycle error. I believe this could possibly lead to a race condition where e.g. packer_build relies on existing RBAC assignments.

As this works for my use cases I decided to open a pull request and ask politely for support if removing the dependencies would be an issue.

Testing

Use a VMSS as scope for assigning a built-in role:


role_mapping = {
  built_in_role_mapping = {
    virtual_machine_scale_sets = {
      vmss1 = {
        "Contributor" = {
          azuread_apps = {
            keys = ["example_app"]
          }
        }
      }
    }
  }
}

yves-vogl, Jul 18 '22 10:07
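
For comparison, the assignment that the mapping above describes, written directly against the azurerm provider. This is an added example, not code from this pull request or from the terraform-azurerm-caf module. The variable names and the `terraform_data` build step are hypothetical; the explicit `depends_on` shows one way a consumer can wait for the RBAC assignment when no module-level dependency enforces the ordering.

```hcl
# Added illustration; not taken from terraform-azurerm-caf.
# All variable and resource names below are hypothetical.

variable "vmss_id" {
  description = "Resource ID of the scale set used as the assignment scope (vmss1 in the mapping)."
  type        = string
}

variable "principal_object_id" {
  description = "Object ID of the service principal behind example_app."
  type        = string
}

# Contributor on the scale set only, not on the resource group or subscription.
resource "azurerm_role_assignment" "vmss1_contributor" {
  scope                = var.vmss_id
  role_definition_name = "Contributor"
  principal_id         = var.principal_object_id
}

# Stand-in for a step that needs the permission to exist before it runs
# (for example an image build). The explicit depends_on states the ordering
# at the consumer instead of relying on a dependency inside a module.
resource "terraform_data" "build_step" {
  depends_on = [azurerm_role_assignment.vmss1_contributor]
}

# Expose the assignment ID so the granted scope can be reviewed after apply.
output "vmss1_contributor_assignment_id" {
  value = azurerm_role_assignment.vmss1_contributor.id
}
```

Reviewing the `scope` value in the plan output confirms that the identity receives Contributor on the single scale set and nothing wider.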