Feat/add abac (#34)

* Add ABAC support on role asssignment
visiativ-agora · Oct 1, 2024 · 9d09485 · 9d09485
1 parent 58d5c24
commit 9d09485
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 0 deletions.
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -106,6 +106,7 @@
     "redis_cache/103-redis-private-endpoints",
     "role_mapping/100-simple-role-mapping",
     "role_mapping/101-function-app-managed-identity",
+    "role_mapping/103-abac",
     "search_service/100-search-service-both-apikeys-and-azuread",
     "search_service/101-search-service-only-api-keys",
     "search_service/102-search-service-only-azuread",

diff --git a/examples/role_mapping/103-abac/configuration.tfvars b/examples/role_mapping/103-abac/configuration.tfvars
@@ -0,0 +1,69 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "francecentral"
+  }
+}
+
+resource_groups = {
+  test = {
+    name = "test"
+  }
+}
+
+storage_accounts = {
+  sa1 = {
+    name                     = "ada9a3027eec"
+    resource_group_key       = "test"
+    account_kind             = "BlobStorage"
+    account_tier             = "Standard"
+    account_replication_type = "LRS"
+
+    tags = {
+      environment = "dev"
+      team        = "IT"
+    }
+
+    containers = {
+      dev = {
+        name = "random"
+      }
+    }
+  }
+}
+
+managed_identities = {
+  msi01 = {
+    name               = "example-msi-rolemap-msi"
+    resource_group_key = "test"
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    storage_accounts = {
+      sa1 = {
+        "Storage Blob Data Contributor" = {
+          managed_identities = {
+            keys = [
+              {
+                key       = "msi01",
+                condition = <<EOT
+                  (
+                    (
+                      !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
+                    )
+                    OR
+                    (
+                      @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Malware Scanning scan result<$key_case_sensitive$>] StringEqualsIgnoreCase 'no threats found'
+                    )
+                  )
+                EOT
+              }
+            ]
+          },
+        },
+      }
+    }
+  }
+}
diff --git a/roles.tf b/roles.tf
@@ -24,6 +24,8 @@ resource "azurerm_role_assignment" "for" {
   role_definition_id   = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
   role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
   scope                = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
+  condition_version    = try(each.value.condition, null) == null ? null : "2.0"
+  condition            = try(each.value.condition, null)
 }
 
 resource "azurerm_role_assignment" "for_deferred" {
@@ -36,6 +38,8 @@ resource "azurerm_role_assignment" "for_deferred" {
   role_definition_id   = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
   role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
   scope                = each.value.scope_lz_key == null ? local.services_roles_deferred[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles_deferred[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
+  condition_version    = try(each.value.condition, null) == null ? null : "2.0"
+  condition            = try(each.value.condition, null)
 }
 
 resource "time_sleep" "azurerm_role_assignment_for" {
@@ -232,6 +236,7 @@ locals {
                     object_id_resource_type = object_id_key
                     object_id_key_resource  = try(object_id_key_resource.key, object_id_key_resource) #   "object_id_key_resource" = "aks_admins"
                     object_id_lz_key        = try(object_id_key_resource.lz_key, object_resources.lz_key, null)
+                    condition               = try(object_id_key_resource.condition, null)
                   }
                 ]
               ] if role_definition_name != "lz_key"