In a previous post I showed a simple way I can setup role assignments via terraform so I could configure the service principal I am using for Serverless360 to have permissions applied to it. This post is on this page = https://www.mikestephenson.me/2022/07/04/simple-azure-role-assignments-with-terraform/

In the real world you might have a lot of resource groups you want to apply permissions to and I wanted to show how you could use the setproduct function in terraform to help you do this.

To start with I have a slightly different locals this time. I have got a list of resource groups which I want to apply permissions to, I also have a list of all of the permissions I want to apply and then I will use the setproduct function to be able to create a combined list of all of the possible combinations of joining the two lists.


locals {
    resource_group_list = [
        "SL360_APIM",
        "SL360_AppInsights"
        ]

    default_roles = [
        "Reader",
        "Azure Event Hubs Data Sender"
    ]

    resource_group_role_assignments = {for val in setproduct(local.resource_group_list, local.default_roles):
                "${val[0]}-${val[1]}" => val}  

}

The outcome of setproduct is I will have 4 items in my new list which will have the combo of each resource group and each permission.

Next I have a data element which will reference my service principal



data "azuread_service_principal" "sl360_businessapps" {
  application_id = var.serviceprincipal_clientid_sl360_businessapps
}

This time for my resource group I will use the for_each function so I create a data reference to each resource group listed in my locals.

data "azurerm_resource_group" "resource_group" {
    for_each = toset(local.resource_group_list)
	name     = each.value
}

Finally my resource for the role assignment is slightly different to the previous example where this time the for_each is using the combined list which was created by the setproduct function and I will reference the resource group in the scope by using the name from the list the resource is using.

resource "azurerm_role_assignment" "sl360_businessapp_resourcegroup_role_assignment" {
    for_each              = local.resource_group_role_assignments

	scope                = data.azurerm_resource_group.resource_group[each.value[0]].id
	role_definition_name = each.value[1]
	principal_id         = data.azuread_service_principal.sl360_businessapps.object_id
}

Hopefully you can see that the script isnt really that much more complicated than before but I can still just add a role to the roles list or add a resource group to the resource group list and just apply the terraform and it will setup any new permissions. I can also remove permissions easily too.

The Full Script is here


locals {
    resource_group_list = [
        "SL360_APIM",
        "SL360_AppInsights"
        ]

    default_roles = [
        "Reader",
        "Azure Event Hubs Data Sender"
    ]

    resource_group_role_assignments = {for val in setproduct(local.resource_group_list, local.default_roles):
                "${val[0]}-${val[1]}" => val}  

}


data "azuread_service_principal" "sl360_businessapps" {
  application_id = var.serviceprincipal_clientid_sl360_businessapps
}

data "azurerm_resource_group" "resource_group" {
    for_each = toset(local.resource_group_list)

	name     = each.value
}

resource "azurerm_role_assignment" "sl360_businessapp_resourcegroup_role_assignment" {
    for_each              = local.resource_group_role_assignments

	scope                = data.azurerm_resource_group.resource_group[each.value[0]].id
	role_definition_name = each.value[1]
	principal_id         = data.azuread_service_principal.sl360_businessapps.object_id
}

 

Buy Me A Coffee