1
1
resource "azurerm_resource_group" "current" {
2
- count = var. eventdriven ? 1 : 0
2
+ count = var. eventdriven_enabled ? 1 : 0
3
3
location = var. location
4
4
name = " ${ var . prefix } firefly${ var . suffix } "
5
5
tags = local. tags
6
6
}
7
7
8
8
resource "azurerm_storage_account" "current" {
9
- count = var. eventdriven ? 1 : 0
9
+ count = var. eventdriven_enabled ? 1 : 0
10
10
account_replication_type = " LRS"
11
11
cross_tenant_replication_enabled = false
12
12
account_tier = " Standard"
@@ -16,23 +16,8 @@ resource "azurerm_storage_account" "current" {
16
16
tags = local. tags
17
17
}
18
18
19
- resource "azurerm_resource_provider_registration" "current" {
20
- count = var. create_resource_provider_registration && var. eventdriven ? 1 : 0
21
- name = " microsoft.insights"
22
- }
23
-
24
- resource "azurerm_monitor_diagnostic_setting" "current" {
25
- count = var. eventdriven ? 1 : 0
26
- name = " ${ var . prefix } firefly${ var . suffix } "
27
- target_resource_id = " /subscriptions/${ var . subscription_id } "
28
- storage_account_id = azurerm_storage_account. current [0 ]. id
29
- enabled_log {
30
- category = " Administrative"
31
- }
32
- }
33
-
34
19
resource "azurerm_eventgrid_system_topic" "current" {
35
- count = var. eventdriven ? 1 : 0
20
+ count = var. eventdriven_enabled ? 1 : 0
36
21
name = " ${ var . prefix } firefly${ var . suffix } "
37
22
location = var. location
38
23
resource_group_name = azurerm_resource_group. current [0 ]. name
@@ -42,7 +27,7 @@ resource "azurerm_eventgrid_system_topic" "current" {
42
27
}
43
28
44
29
resource "azurerm_eventgrid_system_topic_event_subscription" "current" {
45
- count = var. eventdriven ? 1 : 0
30
+ count = var. eventdriven_enabled ? 1 : 0
46
31
name = " ${ var . prefix } firefly${ var . suffix } "
47
32
resource_group_name = azurerm_resource_group. current [0 ]. name
48
33
system_topic = azurerm_eventgrid_system_topic. current [0 ]. name
@@ -58,3 +43,52 @@ resource "azurerm_eventgrid_system_topic_event_subscription" "current" {
58
43
max_delivery_attempts = 30
59
44
}
60
45
}
46
+
47
+ resource "azurerm_role_definition" "FireflyStorageAccountBlobReader" {
48
+ name = " ${ var . prefix } FireflyStorageAccountBlobReader-${ var . subscription_id } ${ var . suffix } "
49
+ scope = " /subscriptions/${ var . subscription_id } "
50
+ description = " Firefly's requested permissions"
51
+
52
+ permissions {
53
+ data_actions = [
54
+ " Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
55
+ ]
56
+ }
57
+ assignable_scopes = [
58
+ " /subscriptions/${ var . subscription_id } "
59
+ ]
60
+ }
61
+
62
+ resource "azurerm_role_assignment" "FireflyStorageAccountBlobReader" {
63
+ principal_id = azuread_service_principal. current . id
64
+ role_definition_name = azurerm_role_definition. FireflyStorageAccountBlobReader . name
65
+ scope = " /subscriptions/${ var . subscription_id } "
66
+ condition_version = " 2.0"
67
+ condition = <<- EOT
68
+ (
69
+ (
70
+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT
71
+ SubOperationMatches{'Blob.List'})
72
+ )
73
+ OR
74
+ (
75
+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*state'
76
+ )
77
+ OR
78
+ (
79
+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '*.tfstateenv:*'
80
+ )
81
+ )
82
+ EOT
83
+ }
84
+
85
+ resource "azurerm_monitor_diagnostic_setting" "current" {
86
+ for_each = local. kv_filtered_subscriptions
87
+ name = " ${ var . prefix } firefly${ each . key } ${ var . suffix } "
88
+ target_resource_id = " /subscriptions/${ each . key } "
89
+ storage_account_id = azurerm_storage_account. current [0 ]. id
90
+ enabled_log {
91
+ category = " Administrative"
92
+ }
93
+ depends_on = [azurerm_storage_account . current [0 ]]
94
+ }
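Review bot: The new `azurerm_monitor_diagnostic_setting` at the end of the hunk is no longer gated on `var.eventdriven_enabled` but still indexes `azurerm_storage_account.current[0]`, whose `count` is `var.eventdriven_enabled ? 1 : 0`; when the flag is false and `local.kv_filtered_subscriptions` (defined outside this hunk) is non-empty, the plan fails on the `[0]` index instead of skipping the resource as the removed `count` form did. `for_each = var.eventdriven_enabled ? local.kv_filtered_subscriptions : {}` restores that behaviour, and the `depends_on` line is then redundant because `storage_account_id` already establishes the dependency. In the role assignment's ABAC condition, `StringLike '*state'` admits any blob whose path ends in "state", not only Terraform state files; if `.tfstate` blobs are the intent, `'*.tfstate'` is the tighter pattern. The first disjunct also exempts the `Blob.List` sub-operation from the path patterns, so blob names across every storage account in the subscription remain enumerable by this principal — worth confirming that is intended rather than a side effect.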