role_assignment_storage.tf
# Bootstrap-only grant: gives the identity running this apply
# (data.azurerm_client_config.current) blob-level ownership on the backend
# storage account so the initial state container can be created before the
# SPN assignment below is usable.
# This is a standing data-plane permission for a human identity and should be
# removed once bootstrap is done. Remove it by deleting this block and applying;
# a `terraform state rm` alone would leave the assignment live in Azure.
resource "azurerm_role_assignment" "tfbackendstorage_adminuser" {
  principal_id         = data.azurerm_client_config.current.object_id
  role_definition_name = "Storage Blob Data Owner"
  scope                = azurerm_storage_account.backend.id
}
# Grants the Terraform service principal (azuread_service_principal.estf)
# blob-level ownership on the backend storage account; this is the data-plane
# permission Terraform needs to read and write its remote state there.
# Scope is the whole storage account, not just the state container.
# NOTE(review): once the state container exists, the scope could be narrowed to
# that container's resource id for least privilege — confirm the container
# resource and its id format before changing it.
resource "azurerm_role_assignment" "tfbackendstorage_aci" {
  principal_id         = azuread_service_principal.estf.object_id
  role_definition_name = "Storage Blob Data Owner"
  scope                = azurerm_storage_account.backend.id
}
# Key-based workaround: "Storage Account Key Operator Service Role" lets the SPN
# list and regenerate the storage account keys. It is here only because the
# azurerm backend in use authenticates with an account key instead of AAD:
# https://github.com/hashicorp/terraform/issues/20831
# Risk: an account key bypasses RBAC for the whole storage account, so this
# grant effectively makes the SPN a full-access principal for the account
# regardless of the narrower blob-level assignment above. Treat key rotation
# and any use of this SPN as high-value events worth monitoring.
# NOTE(review): newer azurerm backends support AAD data-plane auth
# (use_azuread_auth); once that is adopted this block can be dropped — confirm
# against the Terraform version in use.
resource "azurerm_role_assignment" "tfbackendstorage_aci_key" {
  principal_id         = azuread_service_principal.estf.object_id
  role_definition_name = "Storage Account Key Operator Service Role"
  scope                = azurerm_storage_account.backend.id
}