Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor: remove role assignment from Terraform #359

Merged
merged 4 commits into from
Oct 31, 2023
Merged

Refactor: remove role assignment from Terraform #359

merged 4 commits into from
Oct 31, 2023

Conversation

angela-tran
Copy link
Member

@angela-tran angela-tran commented Oct 30, 2023
edited
Loading

Part of #296

We found that because the pipeline service principal defaults to having Contributor role, it is not able to create the role assignment for the ETL principal on the Storage Container.

After some discussion, we decided we should remove the role assignment from being managed by Terraform / the pipeline, and it'll be a part of the manual creation steps to set up the role assignment.

This PR deletes the role configuration from Terraform and adds documentation for the manual steps.

Pre-merge / post-merge actions

For MST, we need to

  • run terraform state rm azurerm_role_assignment.velocity_etl[0] so that Terraform "forgets" about the role and doesn't try to destroy it (see docs on rm).
  • After merging, the prod pipeline should succeed, and there's nothing left to do.

For SBMTD,

  • there's no pre-merge action to do.
  • After merging, the prod pipeline should succeed since now there is no permissions error to run into. The last thing to do is to manually create the role assignment for the ETL service principal. Doing so requires the Owner role on your Azure account in the SBMTD subscription. (This has been added as a task on SBMTD Agency card server setup #297)

@angela-tran angela-tran added this to the SBMTD Mobility Pass milestone Oct 30, 2023
@angela-tran angela-tran self-assigned this Oct 30, 2023
@angela-tran angela-tran requested a review from a team as a code owner October 30, 2023 23:50
@angela-tran angela-tran added infrastructure Terraform, Azure, etc. documentation Improvements or additions to documentation labels Oct 30, 2023
@angela-tran angela-tran marked this pull request as draft October 30, 2023 23:57
@angela-tran
Copy link
Member Author

There's a little more code cleanup to do

@angela-tran angela-tran marked this pull request as ready for review October 30, 2023 23:59
thekaveman
thekaveman requested changes Oct 31, 2023
View reviewed changes
terraform/variables.tf Outdated Show resolved Hide resolved
thekaveman
thekaveman requested changes Oct 31, 2023
View reviewed changes
Copy link
Member

@thekaveman thekaveman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And let's also delete the unused variables from the agency-specific azure-vars.yml files.

@angela-tran
Copy link
Member Author

Successfully ran the terraform state rm... command for MST prod workspace:

C:\dev\eligibility-server\terraform>terraform state rm azurerm_role_assignment.velocity_etl[0]
Removed azurerm_role_assignment.velocity_etl[0]
Successfully removed 1 resource instance(s).

@angela-tran angela-tran merged commit c173c7a into dev Oct 31, 2023
6 checks passed
@angela-tran angela-tran deleted the refactor/remove-role-from-terraform branch October 31, 2023 17:29
This was referenced Oct 31, 2023
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thekaveman thekaveman thekaveman approved these changes

Assignees

@angela-tran angela-tran

Labels
documentation Improvements or additions to documentation infrastructure Terraform, Azure, etc.
Projects
None yet
Milestone
SBMTD Mobility Pass
Development

Successfully merging this pull request may close these issues.
2 participants
@angela-tran @thekaveman