From b8054af13ac326a828186b7702623d5cb09d5eb6 Mon Sep 17 00:00:00 2001
From: Roman Schwarz
Date: Wed, 13 Nov 2024 13:51:08 +0100
Subject: [PATCH] Add owner permissions on current subscription (#3)
* Add owner permissions on current subscription
Signed-off-by: Roman Schwarz
* Disable Blob public access on Storage Account
Signed-off-by: Roman Schwarz
* Disable overprovisioning on virtual machine scale set
Signed-off-by: Roman Schwarz
* Add mocked value for subscriptions
Signed-off-by: Roman Schwarz
---------
Signed-off-by: Roman Schwarz
---
 main.tf | 2 +-
 r-identity.tf | 4 ++--
 r-storage-account.tf | 1 +
 r-virtual-machine-scale-set.tf | 2 +-
 tests/examples/mocks/main.tfmock.hcl | 11 +++++++++--
 5 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index ab3432c..00d95a9 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
 data "azurerm_client_config" "current" {}
 data "azurerm_subscription" "managed_by_launchpad" {
- for_each = toset(var.subscription_ids)
+ for_each = toset(concat(var.subscription_ids, [data.azurerm_client_config.current.subscription_id]))
 subscription_id = each.key
 }
diff --git a/r-identity.tf b/r-identity.tf
index 85812c3..b915c8a 100644
--- a/r-identity.tf
+++ b/r-identity.tf
@@ -27,11 +27,11 @@ resource "azurerm_role_assignment" "management_group_owner" {
 }
 resource "azurerm_role_assignment" "subscription_owner" {
- for_each = toset(var.subscription_ids)
+ for_each = data.azurerm_subscription.managed_by_launchpad
 principal_id = azurerm_user_assigned_identity.this.principal_id
 role_definition_name = "Owner"
- scope = data.azurerm_subscription.managed_by_launchpad[each.key].id
+ scope = each.value.id
 }
 resource "azurerm_role_assignment" "resource_specific" {
diff --git a/r-storage-account.tf b/r-storage-account.tf
index 07da37d..0b69a99 100644
--- a/r-storage-account.tf
+++ b/r-storage-account.tf
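Review bot: The data source now silently enrolls the subscription the provider is authenticated against, so the Owner assignments built on it cover one more scope than `var.subscription_ids` advertises, and nothing in the hunk records that this widening is deliberate. A comment on the `for_each` line would make it explicit, e.g. `# The subscription the launchpad itself is deployed into is always managed, so it is appended to var.subscription_ids (toset de-duplicates if it is already listed).` The description of `var.subscription_ids`, which lives outside this hunk, should state the same so a reader of the variables alone does not under-estimate what the identity can reach.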
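Review bot: Iterating `data.azurerm_subscription.managed_by_launchpad` keeps the same keys (the subscription ids) as the old `toset(var.subscription_ids)`, so existing assignments should not be recreated, but the new Owner assignment on the provider's own subscription is high-privilege and the resource carries nothing an auditor can use to distinguish it from a manual grant. Consider adding `description = "Launchpad identity: full management of this subscription"` to `subscription_owner` so the intent is visible on the role assignment itself in Azure. Since Owner includes role-assignment write, it is also worth confirming that this is the least role the identity needs on the current subscription; the `resource_specific` assignment that follows may already cover the narrower cases.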
@@ -22,6 +22,7 @@ resource "azurerm_storage_account" "this" {
 account_tier = "Standard"
 account_replication_type = "RAGRS"
+ allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 default_to_oauth_authentication = true
 https_traffic_only_enabled = true
diff --git a/r-virtual-machine-scale-set.tf b/r-virtual-machine-scale-set.tf
index b93431a..ea2b8dd 100644
--- a/r-virtual-machine-scale-set.tf
+++ b/r-virtual-machine-scale-set.tf
@@ -56,7 +56,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "this" {
 upgrade_mode = "Automatic"
 secure_boot_enabled = false
 vtpm_enabled = false
- overprovision = true
+ overprovision = false
 # trigger instance update
 custom_data = base64encode("#cloud-config\n#${sha256(local.github_runner_script)}")
diff --git a/tests/examples/mocks/main.tfmock.hcl b/tests/examples/mocks/main.tfmock.hcl
index 0324f9b..c01e5d6 100644
--- a/tests/examples/mocks/main.tfmock.hcl
+++ b/tests/examples/mocks/main.tfmock.hcl
@@ -1,7 +1,8 @@
 mock_data "azurerm_client_config" {
 defaults = {
- tenant_id = "00000000-0000-0000-0000-000000000000"
- object_id = "00000000-0000-0000-0000-000000000000"
+ object_id = "00000000-0000-0000-0000-000000000000"
+ subscription_id = "00000000-0000-0000-0000-000000000000"
+ tenant_id = "00000000-0000-0000-0000-000000000000"
 }
 }
@@ -12,6 +13,12 @@ mock_data "azurerm_management_group" {
 }
 }
+mock_data "azurerm_subscription" {
+ defaults = {
+ id = "/subscriptions/00000000-0000-0000-0000-000000000000"
+ }
+}
+
 mock_resource "azurerm_user_assigned_identity" {
 defaults = {
 id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-MOCK/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID-MOCK"
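Review bot: `allow_nested_items_to_be_public = false` closes anonymous blob access, but with `default_to_oauth_authentication = true` already present the account still accepts shared-key authentication unless `shared_access_key_enabled = false` is set, and nothing in the hunk sets it; if it is not set elsewhere in the resource, adding it enforces the Entra ID path the existing defaults point to. The same question applies to `public_network_access_enabled`, which also does not appear in the hunk. If the runner bootstrap in the scale set reads from this account with an access key, that would be the reason to keep key auth, and a comment next to the new line should say so. The resource block continues outside the hunk.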
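Review bot: `overprovision = false` changes instance lifecycle behaviour with no comment explaining why, while the neighbouring `custom_data` line shows each instance runs the GitHub runner bootstrap; presumably surplus overprovisioned instances were registering as runners and then being deleted, which is worth stating, e.g. `# Overprovisioned instances are removed once the target count is healthy; each would register a runner first, so keep it off.` Separately, the hunk shows `secure_boot_enabled = false` and `vtpm_enabled = false` left untouched; if the image supports Trusted Launch, enabling both would let the runner hosts attest their boot chain. The resource block continues outside the hunk.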
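Review bot: The mocked `azurerm_subscription` returns one fixed `id` for every instance, so a test that exercises the new concat logic in main.tf would see identical `scope` values for each subscription and could not tell a mis-keyed `for_each` from a correct one. The mock is still useful, but the tests under tests/examples should also assert on instance count, e.g. `condition = length(azurerm_role_assignment.subscription_owner) == length(var.subscription_ids) + 1` for a run whose `subscription_ids` does not already contain the zero GUID used for `subscription_id` in the client-config mock above. That way the behaviour the commit adds is actually covered rather than only mocked.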