Expose variable for custom xaccount role assignment in Azure pre-reqs #54

Open
wants to merge 1 commit into
base: main
19 changes: 10 additions & 9 deletions modules/terraform-cdp-azure-pre-reqs/README.md
Expand Up @@ -91,38 +91,39 @@ In each directory an example `terraform.tfvars.sample` values file is included t
| <a name="input_create_vm_mounting_nfs"></a> [create\_vm\_mounting\_nfs](#input\_create\_vm\_mounting\_nfs) | Whether to create a VM which mounts this NFS | `bool` | `true` | no |
| <a name="input_create_vnet"></a> [create\_vnet](#input\_create\_vnet) | Flag to specify if the VNet should be created | `bool` | `true` | no |
| <a name="input_data_storage"></a> [data\_storage](#input\_data\_storage) | Data storage locations for CDP environment | <pre>object({<br> data_storage_bucket = string<br> data_storage_object = string<br> })</pre> | `null` | no |
| <a name="input_datalake_admin_backup_container_role_assignments"></a> [datalake\_admin\_backup\_container\_role\_assignments](#input\_datalake\_admin\_backup\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Backup Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_data_container_role_assignments"></a> [datalake\_admin\_data\_container\_role\_assignments](#input\_datalake\_admin\_data\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Data Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_log_container_role_assignments"></a> [datalake\_admin\_log\_container\_role\_assignments](#input\_datalake\_admin\_log\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Logs Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Logs Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_backup_container_role_assignments"></a> [datalake\_admin\_backup\_container\_role\_assignments](#input\_datalake\_admin\_backup\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Backup Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_data_container_role_assignments"></a> [datalake\_admin\_data\_container\_role\_assignments](#input\_datalake\_admin\_data\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Data Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_log_container_role_assignments"></a> [datalake\_admin\_log\_container\_role\_assignments](#input\_datalake\_admin\_log\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Logs Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Owner Role to Data Lake Admin Identity at Logs Container Level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_datalake_admin_managed_identity_name"></a> [datalake\_admin\_managed\_identity\_name](#input\_datalake\_admin\_managed\_identity\_name) | Datalake Admin Managed Identity name | `string` | `null` | no |
| <a name="input_enable_raz"></a> [enable\_raz](#input\_enable\_raz) | Flag to enable Ranger Authorization Service (RAZ) | `bool` | `true` | no |
| <a name="input_env_tags"></a> [env\_tags](#input\_env\_tags) | Tags applied to provisioned resources | `map(any)` | `null` | no |
| <a name="input_gateway_subnet_range"></a> [gateway\_subnet\_range](#input\_gateway\_subnet\_range) | Size of each gateway subnet. Required if create\_vpc is true. | `number` | `24` | no |
| <a name="input_gateway_subnets_private_endpoint_network_policies_enabled"></a> [gateway\_subnets\_private\_endpoint\_network\_policies\_enabled](#input\_gateway\_subnets\_private\_endpoint\_network\_policies\_enabled) | Enable or Disable network policies for the private endpoint on the Gateway subnets | `bool` | `true` | no |
| <a name="input_idbroker_managed_identity_name"></a> [idbroker\_managed\_identity\_name](#input\_idbroker\_managed\_identity\_name) | IDBroker Managed Identity name | `string` | `null` | no |
| <a name="input_idbroker_role_assignments"></a> [idbroker\_role\_assignments](#input\_idbroker\_role\_assignments) | List of Role Assignments for the IDBroker Managed Identity | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign VM Contributor Role to IDBroker Identity at Subscription Level",<br> "role": "Virtual Machine Contributor"<br> },<br> {<br> "description": "Assign Managed Identity Operator Role to IDBroker Identity at Subscription Level",<br> "role": "Managed Identity Operator"<br> }<br>]</pre> | no |
| <a name="input_idbroker_role_assignments"></a> [idbroker\_role\_assignments](#input\_idbroker\_role\_assignments) | List of Role Assignments for the IDBroker Managed Identity | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign VM Contributor Role to IDBroker Identity at Subscription Level",<br> "role": "Virtual Machine Contributor"<br> },<br> {<br> "description": "Assign Managed Identity Operator Role to IDBroker Identity at Subscription Level",<br> "role": "Managed Identity Operator"<br> }<br>]</pre> | no |
| <a name="input_ingress_extra_cidrs_and_ports"></a> [ingress\_extra\_cidrs\_and\_ports](#input\_ingress\_extra\_cidrs\_and\_ports) | List of extra CIDR blocks and ports to include in Security Group Ingress rules | <pre>object({<br> cidrs = list(string)<br> ports = list(number)<br> })</pre> | <pre>{<br> "cidrs": [],<br> "ports": []<br>}</pre> | no |
| <a name="input_log_data_access_managed_identity_name"></a> [log\_data\_access\_managed\_identity\_name](#input\_log\_data\_access\_managed\_identity\_name) | Log Data Access Managed Identity name | `string` | `null` | no |
| <a name="input_log_data_access_role_assignments"></a> [log\_data\_access\_role\_assignments](#input\_log\_data\_access\_role\_assignments) | List of Role Assignments for the Log Data Access Managed Identity. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Log Role at Logs and Backup Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_log_data_access_role_assignments"></a> [log\_data\_access\_role\_assignments](#input\_log\_data\_access\_role\_assignments) | List of Role Assignments for the Log Data Access Managed Identity. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Log Role at Logs and Backup Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_log_storage"></a> [log\_storage](#input\_log\_storage) | Optional log locations for CDP environment. If not provided follow the data\_storage variable | <pre>object({<br> log_storage_bucket = string<br> log_storage_object = string<br> })</pre> | `null` | no |
| <a name="input_nfs_file_share_name"></a> [nfs\_file\_share\_name](#input\_nfs\_file\_share\_name) | nfs file share name | `string` | `null` | no |
| <a name="input_nfs_file_share_size"></a> [nfs\_file\_share\_size](#input\_nfs\_file\_share\_size) | NFS File Share size | `number` | `100` | no |
| <a name="input_nfs_storage_account_name"></a> [nfs\_storage\_account\_name](#input\_nfs\_storage\_account\_name) | NFS Storage account name | `string` | `null` | no |
| <a name="input_public_key_text"></a> [public\_key\_text](#input\_public\_key\_text) | SSH Public key string for the nodes of the CDP environment | `string` | `null` | no |
| <a name="input_random_id_for_bucket"></a> [random\_id\_for\_bucket](#input\_random\_id\_for\_bucket) | Create a random suffix for the Storage Account names | `bool` | `true` | no |
| <a name="input_ranger_audit_backup_container_role_assignments"></a> [ranger\_audit\_backup\_container\_role\_assignments](#input\_ranger\_audit\_backup\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Backup Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_ranger_audit_backup_container_role_assignments"></a> [ranger\_audit\_backup\_container\_role\_assignments](#input\_ranger\_audit\_backup\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Backup Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_ranger_audit_data_access_managed_identity_name"></a> [ranger\_audit\_data\_access\_managed\_identity\_name](#input\_ranger\_audit\_data\_access\_managed\_identity\_name) | Ranger Audit Managed Identity name | `string` | `null` | no |
| <a name="input_ranger_audit_data_container_role_assignments"></a> [ranger\_audit\_data\_container\_role\_assignments](#input\_ranger\_audit\_data\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Data Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_ranger_audit_log_container_role_assignments"></a> [ranger\_audit\_log\_container\_role\_assignments](#input\_ranger\_audit\_log\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Logs Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_ranger_audit_data_container_role_assignments"></a> [ranger\_audit\_data\_container\_role\_assignments](#input\_ranger\_audit\_data\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Data Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_ranger_audit_log_container_role_assignments"></a> [ranger\_audit\_log\_container\_role\_assignments](#input\_ranger\_audit\_log\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Data Contributor Role to Ranger Audit Role at Logs Container level",<br> "role": "Storage Blob Data Contributor"<br> }<br>]</pre> | no |
| <a name="input_raz_managed_identity_name"></a> [raz\_managed\_identity\_name](#input\_raz\_managed\_identity\_name) | RAZ Managed Identity name | `string` | `null` | no |
| <a name="input_raz_storage_role_assignments"></a> [raz\_storage\_role\_assignments](#input\_raz\_storage\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br> role = string<br> description = string<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Delegator Role to RAZ Identity at Storage Account level",<br> "role": "Storage Blob Delegator"<br> },<br> {<br> "description": "Assign Storage Blob Data Owner Role to RAZ Identity at Storage Account level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_raz_storage_role_assignments"></a> [raz\_storage\_role\_assignments](#input\_raz\_storage\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Storage Blob Delegator Role to RAZ Identity at Storage Account level",<br> "role": "Storage Blob Delegator"<br> },<br> {<br> "description": "Assign Storage Blob Data Owner Role to RAZ Identity at Storage Account level",<br> "role": "Storage Blob Data Owner"<br> }<br>]</pre> | no |
| <a name="input_resourcegroup_name"></a> [resourcegroup\_name](#input\_resourcegroup\_name) | Resource Group name | `string` | `null` | no |
| <a name="input_security_group_default_name"></a> [security\_group\_default\_name](#input\_security\_group\_default\_name) | Default Security Group for CDP environment | `string` | `null` | no |
| <a name="input_security_group_knox_name"></a> [security\_group\_knox\_name](#input\_security\_group\_knox\_name) | Knox Security Group for CDP environment | `string` | `null` | no |
| <a name="input_subnet_count"></a> [subnet\_count](#input\_subnet\_count) | Number of Subnets Required | `string` | `"3"` | no |
| <a name="input_vnet_cidr"></a> [vnet\_cidr](#input\_vnet\_cidr) | VNet CIDR Block. Required if create\_vpc is true. | `string` | `"10.10.0.0/16"` | no |
| <a name="input_vnet_name"></a> [vnet\_name](#input\_vnet\_name) | VNet name | `string` | `null` | no |
| <a name="input_xaccount_app_name"></a> [xaccount\_app\_name](#input\_xaccount\_app\_name) | Cross account application name within Azure Active Directory | `string` | `null` | no |
| <a name="input_xaccount_role_assignments"></a> [xaccount\_role\_assignments](#input\_xaccount\_role\_assignments) | List of Role Assignments for the Cross account Service Principal | <pre>list(object({<br> role = string<br> description = optional(string)<br> })<br> )</pre> | <pre>[<br> {<br> "description": "Assign Contributor Role to Cross Account SP",<br> "role": "Contributor"<br> }<br>]</pre> | no |

## Outputs

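Review bot: the description for `raz_storage_role_assignments` (the last pair of changed rows) still reads "List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container.", which is copied from the Ranger Audit variables; its own defaults say "Assign Storage Blob Delegator Role to RAZ Identity at Storage Account level", so the description should name the RAZ Managed Identity and the Storage Account scope. This table looks generated from the variable descriptions (terraform-docs style `<a name="input_...">` anchors), so the fix belongs in `variables.tf` with the table regenerated. The new `xaccount_role_assignments` row would also benefit from stating that every entry is assigned at subscription scope, since the row shows only the Contributor default and a reader cannot tell what a narrower custom role would actually be bound to.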
7 changes: 6 additions & 1 deletion modules/terraform-cdp-azure-pre-reqs/main.tf
Expand Up @@ -184,9 +184,14 @@ resource "azuread_service_principal" "cdp_xaccount_app_sp" {

# Create role assignment for Service Principal
resource "azurerm_role_assignment" "cdp_xaccount_role" {

for_each = { for idx, role in var.xaccount_role_assignments : idx => role }

scope = data.azurerm_subscription.current.id
role_definition_name = "Contributor"
role_definition_name = each.value.role
principal_id = azuread_service_principal.cdp_xaccount_app_sp.id

description = each.value.description
}

# Create Application password (client secret)
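Review bot: keying the `for_each` map by the list index (`idx => role`) means that removing or reordering one entry in `xaccount_role_assignments` shifts the keys of every entry after it, so Terraform would destroy and recreate those role assignments on the next apply, and the Service Principal briefly loses the role in between. A role definition can only be assigned once per principal and scope, so keying by the role name is stable and also makes duplicate entries fail at plan time: `for_each = { for role in var.xaccount_role_assignments : role.role => role }`. Note also that `scope` stays fixed to `data.azurerm_subscription.current.id`, so a caller who supplies a narrower custom role still receives it at subscription scope; that is worth stating in the variable description.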
42 changes: 30 additions & 12 deletions modules/terraform-cdp-azure-pre-reqs/variables.tf
Expand Up @@ -231,11 +231,29 @@ variable "backup_storage" {
variable "xaccount_app_name" {
type = string

description = " Cross account application name within Azure Active Directory"
description = "Cross account application name within Azure Active Directory"

default = null
}

variable "xaccount_role_assignments" {
type = list(object({
role = string
description = optional(string)
})
)

description = "List of Role Assignments for the Cross account Service Principal"

default = [
{
"description" : "Assign Contributor Role to Cross Account SP",
"role" : "Contributor"
}
]

}

# Managed Identities
variable "datalake_admin_managed_identity_name" {
type = string
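Review bot: `role` is passed straight through to `role_definition_name` with no `validation` block, so an empty or mistyped role name only fails at apply time inside the `azurerm_role_assignment` resource; a `validation { condition = alltrue([for r in var.xaccount_role_assignments : length(trimspace(r.role)) > 0]) }` with an error message on this variable would surface that at plan time. The description should also say that each assignment is made at subscription scope, so that whoever reviews a tfvars file sees what a non-default role actually grants.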
Expand Down Expand Up @@ -282,15 +300,15 @@ variable "raz_managed_identity_name" {

}

# Role Assignments to Manage Identifies
# Role Assignments to Manage Identities
variable "idbroker_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

description = " List of Role Assignments for the IDBroker Managed Identity"
description = "List of Role Assignments for the IDBroker Managed Identity"

default = [
{
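Review bot: switching `description` to `optional(string)` here and in the variables below raises the module's minimum Terraform version to 1.3, where `optional()` object attributes became generally available; the module's `required_version` constraint should be bumped to match (or added, if the module does not declare one) and the README requirements updated, otherwise users on an older Terraform get a type-constraint parse error rather than a clear message. Omitted descriptions evaluate to `null`, which `azurerm_role_assignment` accepts, so no other change is needed for that.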
Expand All @@ -308,7 +326,7 @@ variable "idbroker_role_assignments" {
variable "datalake_admin_data_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -326,7 +344,7 @@ variable "datalake_admin_data_container_role_assignments" {
variable "datalake_admin_log_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -344,7 +362,7 @@ variable "datalake_admin_log_container_role_assignments" {
variable "datalake_admin_backup_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -362,7 +380,7 @@ variable "datalake_admin_backup_container_role_assignments" {
variable "log_data_access_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -380,7 +398,7 @@ variable "log_data_access_role_assignments" {
variable "ranger_audit_data_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -398,7 +416,7 @@ variable "ranger_audit_data_container_role_assignments" {
variable "ranger_audit_log_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -416,7 +434,7 @@ variable "ranger_audit_log_container_role_assignments" {
variable "ranger_audit_backup_container_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)

Expand All @@ -433,7 +451,7 @@ variable "ranger_audit_backup_container_role_assignments" {
variable "raz_storage_role_assignments" {
type = list(object({
role = string
description = string
description = optional(string)
})
)
