Building Blocks Automation Infrastructure
Source code & Installation
The source code of this kit module can be found here
Run the following command to install the kit module:
```sh
collie kit import azure/buildingblocks/automation
```
This page is the reference documentation for cloud foundation and platform engineers using this module.
The biggest problem is resource group deletion. The automation service principal must be able to create, read, update and delete the resource groups it exclusively owns in customer subscriptions, so it needs the resource group delete permission (`Microsoft.Resources/subscriptions/resourceGroups/delete`). That permission cannot be limited to "only the resource groups this principal created", and deleting a resource group deletes everything inside it, so in practice it allows deleting every resource in the subscription.

Approaches that don't work to limit this

- Restrict deletion with Azure Policy `denyAction`. Unfortunately a dead end: policy definitions cannot filter on the principal id of the caller, so the policy would deny deletion of all resource groups for everyone, including the customer.
- Assign only the create-resource-group permission on the management group, then assign the Owner role on each created resource group so the principal can delete it. The problem is that `terraform destroy` first destroys the role assignment (it depends on the resource group) and then attempts to delete the resource group, for which the permission is now missing. Setting `prevent_destroy` on the role assignment does not help, because it makes the plan produced by `terraform destroy` fail.
The only alternatives I see:

- Customers supply the resource groups themselves, so the service principal does not own their lifecycle and does not need the resource group delete permission.
- Azure Policy or ABAC one day becomes powerful enough to restrict this (especially `denyAction` with a condition on the calling principal).
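The following Terraform configuration is an added illustration of the two points above; it is not the module's own code. It shows the "create-only role on the management group, Owner on the created resource group" approach and the dependency that makes `terraform destroy` fail, followed by the customer-supplied resource group alternative. It assumes the `azurerm` provider; all variable names, role names, the resource group name and the location are placeholders.

```hcl
# Added example, not part of the module. Assumes the azurerm provider and
# placeholder variables for the management group, principal and customer RG.
variable "management_group_id" {
  type        = string
  description = "e.g. /providers/Microsoft.Management/managementGroups/<name> (placeholder)"
}
variable "automation_principal_id" {
  type        = string
  description = "Object id of the automation service principal (placeholder)"
}
variable "customer_resource_group_name" {
  type        = string
  description = "Resource group pre-created by the customer (placeholder)"
}

# --- Approach 2 from the text: create RGs, but never delete them ---------

# Custom role that may create and read resource groups but not delete them.
resource "azurerm_role_definition" "rg_creator" {
  name  = "Resource Group Creator (no delete)"
  scope = var.management_group_id

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
    ]
    # Deliberately absent: Microsoft.Resources/subscriptions/resourceGroups/delete
  }

  assignable_scopes = [var.management_group_id]
}

resource "azurerm_role_assignment" "rg_creator" {
  scope              = var.management_group_id
  role_definition_id = azurerm_role_definition.rg_creator.role_definition_resource_id
  principal_id       = var.automation_principal_id
}

# The resource group the automation creates and wants to own.
resource "azurerm_resource_group" "automation" {
  name     = "rg-automation-example"
  location = "westeurope"
}

# Owner on that resource group only, so the principal can delete what it created.
resource "azurerm_role_assignment" "rg_owner" {
  scope                = azurerm_resource_group.automation.id
  role_definition_name = "Owner"
  principal_id         = var.automation_principal_id

  # Why this is a dead end: the assignment depends on the resource group, so
  # `terraform destroy` removes the assignment first and then tries to delete
  # the resource group without Owner, which is rejected. Adding
  #   lifecycle { prevent_destroy = true }
  # here does not help either, because then `terraform destroy` refuses to plan.
}

# --- Alternative 1 from the text: the customer supplies the RG -----------

# Only a read of the existing resource group; its lifecycle, and the role
# that lets the principal work inside it, belong to the customer.
data "azurerm_resource_group" "customer_supplied" {
  name = var.customer_resource_group_name
}

resource "azurerm_storage_account" "automation" {
  name                     = "stautomationexample"
  resource_group_name      = data.azurerm_resource_group.customer_supplied.name
  location                 = data.azurerm_resource_group.customer_supplied.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}
```

With the second layout the principal never needs `Microsoft.Resources/subscriptions/resourceGroups/delete`; `terraform destroy` removes only the resources inside the customer's resource group and leaves the group itself, and the customer's other resource groups, untouched.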
Requirements
No requirements.
Modules
No modules.
Resources
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
key_vault | Key Vault configuration | object({ | n/a | yes |
location | Azure location for deploying the storage account | string | n/a | yes |
scope | n/a | string | n/a | yes |
service_principal_name | n/a | string | n/a | yes |
Outputs
Name | Description |
---|---|
client_id | n/a |
client_secret | n/a |
container_name | n/a |
documentation_md | n/a |
principal_id | n/a |
resource_group_name | n/a |
storage_account_name | n/a |
subscription_id | n/a |
tenant_id | n/a |