I am setting up my instance of Serverless360 to monitor my Azure environment and provide operations for my support team. This involves configuring Serverless360 with a service principal that has access to certain resources in Azure. A good way to configure this is to give the service principal only the roles it needs, at the narrowest scope that works, so that a leaked credential for it cannot do more than the support team is meant to do. I would like to script this so that it is easy to add new roles and permissions, and to remove them again.

I chose to use Terraform, and I started by creating a list of the built-in role names I want to assign on a resource group.

locals {
  sl360_eventgrid_roles = [
    "Reader",
    "Azure Event Hubs Data Sender"
  ]
}

Next I need a reference to the service principal in Azure AD. I can use the AzureAD provider's azuread_service_principal data source and pass the application (client) ID in as a variable; the data source then gives me the service principal's object ID, which is what a role assignment needs. Note that newer versions of the AzureAD provider use client_id instead of application_id for this argument, so check the provider version you have pinned.

data "azuread_service_principal" "sl360_businessapps_demo" {
  application_id = var.serviceprincipal_clientid_sl360_businessapps
}

Next I need a data reference to my resource group. The role assignment only needs a scope ID, so this could just as well be an individual resource or the whole subscription; in my case I am choosing the resource group as the level at which I set permissions, which keeps the grant narrower than a subscription-wide one.

data "azurerm_resource_group" "sl360_eventgrid" {
  name = "SL360_EventGrid"
}

Now I can use the for_each meta-argument in Terraform, pointing it at my locals list of roles (converted with toset(), since for_each needs a set or a map). It iterates over the roles and creates one role assignment per role for that service principal on the resource group. Because the set element is the role name, each assignment is keyed by its role name in state, so adding, removing or reordering names in the list only touches the assignments for those names.

resource "azurerm_role_assignment" "sl360_eventgrid_role_assignment" {
  for_each = toset(local.sl360_eventgrid_roles)

  scope                = data.azurerm_resource_group.sl360_eventgrid.id
  role_definition_name = each.value
  principal_id         = data.azuread_service_principal.sl360_businessapps_demo.object_id
}

If I run terraform apply, the plan shows one azurerm_role_assignment per role, and afterwards I can see the roles assigned on the resource group's Access control (IAM) blade (or with az role assignment list --assignee <object id> --scope <resource group id>).

I can now just add another role name to the list and run it again, and it will add another role assignment on the resource group, granting that permission to my service principal; for example, if I want the service principal to be able to read from a queue.

If I want to manage other resource groups with different roles, I can copy, paste and modify the resources. I can also remove a role from the list; because the assignment is keyed by role name, the next apply destroys exactly that assignment and the permission is actually revoked rather than lingering.
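As an added example (not code from the original post), here is one way to generalise this to several resource groups with a single resource block instead of copy-pasted copies, plus a variable validation that refuses the broad management-plane roles so the list can only ever grant narrow read or data-plane access. The resource group names, the second role list, the variable and output names, and the denied-role list are assumptions for illustration; only the service principal lookup is taken from the post.

```hcl
# Added example, not from the original post. Names marked "assumed" are
# illustrative and can be changed to suit your environment.

# Assumed: application (client) ID of the Serverless360 service principal.
variable "serviceprincipal_clientid_sl360_businessapps" {
  type = string
}

# Assumed: resource group name => built-in role names to grant on that group.
variable "sl360_role_assignments" {
  description = "Resource group name => built-in roles to grant the Serverless360 service principal"
  type        = map(list(string))
  default = {
    "SL360_EventGrid"  = ["Reader", "Azure Event Hubs Data Sender"]
    "SL360_ServiceBus" = ["Reader", "Azure Service Bus Data Receiver"]
  }

  # Guard rail: terraform plan fails if anyone adds a role that can change
  # resources or hand out further permissions, keeping this to least privilege.
  validation {
    condition = alltrue([
      for rg, roles in var.sl360_role_assignments : alltrue([
        for role in roles : !contains(
          ["Owner", "Contributor", "User Access Administrator", "Role Based Access Control Administrator"],
          role
        )
      ])
    ])
    error_message = "Owner, Contributor and RBAC-administration roles must not be granted to the Serverless360 service principal."
  }
}

# Service principal lookup as in the post; the role assignment needs its object ID.
data "azuread_service_principal" "sl360_businessapps_demo" {
  application_id = var.serviceprincipal_clientid_sl360_businessapps
}

# One resource group lookup per key in the map; its ID is the assignment scope.
data "azurerm_resource_group" "sl360" {
  for_each = var.sl360_role_assignments
  name     = each.key
}

locals {
  # Flatten the map into one (resource group, role) pair per assignment and key
  # it "<rg>/<role>", so adding or removing one role name only creates or
  # destroys that one assignment and never churns the others.
  sl360_assignment_pairs = {
    for pair in flatten([
      for rg, roles in var.sl360_role_assignments : [
        for role in roles : { rg = rg, role = role }
      ]
    ]) : "${pair.rg}/${pair.role}" => pair
  }
}

resource "azurerm_role_assignment" "sl360" {
  for_each = local.sl360_assignment_pairs

  scope                = data.azurerm_resource_group.sl360[each.value.rg].id
  role_definition_name = each.value.role
  principal_id         = data.azuread_service_principal.sl360_businessapps_demo.object_id
}

# Assumed output: the "<rg>/<role>" keys Terraform manages, handy for checking
# the applied grants against what the support team is supposed to have.
output "sl360_role_assignment_keys" {
  value = sort(keys(azurerm_role_assignment.sl360))
}
```

Adding a resource group is a new key in the map; removing a role from one list destroys only the assignment with that key on the next apply. Because the validation runs before the plan, a stray "Contributor" in the list is rejected before any role assignment is created.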

Hopefully this makes it easy to see how to manage roles with Terraform, and if you're configuring permissions for your Serverless360 setup this gives you an easy way to apply them.

The full script is below

# Roles to grant on the resource group. Add or remove names here.
locals {
  sl360_eventgrid_roles = [
    "Reader",
    "Azure Event Hubs Data Sender"
  ]
}

# Application (client) ID of the Serverless360 service principal.
# Declared here because the data source below references it.
variable "serviceprincipal_clientid_sl360_businessapps" {
  type = string
}

# Look up the service principal so its object ID can be used as the principal.
data "azuread_service_principal" "sl360_businessapps_demo" {
  application_id = var.serviceprincipal_clientid_sl360_businessapps
}

# The resource group whose ID is the scope for every assignment below.
data "azurerm_resource_group" "sl360_eventgrid" {
  name = "SL360_EventGrid"
}

# One role assignment per role name, keyed by that name in state.
resource "azurerm_role_assignment" "sl360_eventgrid_role_assignment" {
  for_each = toset(local.sl360_eventgrid_roles)

  scope                = data.azurerm_resource_group.sl360_eventgrid.id
  role_definition_name = each.value
  principal_id         = data.azuread_service_principal.sl360_businessapps_demo.object_id
}
