Make it possible to run plan with self review from PR (#957)

* Make it possible to run plan with self review from PR * run plan step with old client * try to define reader permissions for admin-prod user * fix error in terraform script * terraform fmt * fix copy past error --------- Co-authored-by: tjololo <[email protected]>
Altinn · Sep 25, 2024 · 20eef4a · 20eef4a
1 parent 92d2da1
commit 20eef4a
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 3 deletions.
diff --git a/.github/workflows/products-deploy.yml b/.github/workflows/products-deploy.yml
@@ -10,6 +10,15 @@ on:
       - actions/terraform/plan/**
       - infrastructure/products/**
       - products.yaml
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/products-deploy.yml
+      - actions/terraform/apply/**
+      - actions/terraform/plan/**
+      - infrastructure/products/**
+      - products.yaml
   workflow_dispatch:
     inputs:
       log_level:
@@ -28,7 +37,7 @@ env:
   ENVIRONMENT: prod
   TF_STATE_NAME: products.tfstate
   TF_PROJECT: ./infrastructure/products
-  ARM_CLIENT_ID: c217a3ea-402f-4886-ace5-478db72ab4c9
+  ARM_CLIENT_ID: ${{ secrets.TF_AZURE_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: d43d5057-8389-40d5-88c4-04db9275cbf2
 
 permissions:
@@ -39,7 +48,7 @@ permissions:
 jobs:
   plan:
     name: Plan
-    environment: prod
+    environment: staging
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
@@ -51,7 +60,7 @@ jobs:
           working_directory: ${{ env.TF_PROJECT }}
           oidc_type: environment
           oidc_value: ${{ env.ENVIRONMENT }}
-          arm_client_id: ${{ env.ARM_CLIENT_ID }}
+          arm_client_id: c217a3ea-402f-4886-ace5-478db72ab4c9
           arm_subscription_id: ${{ env.ARM_SUBSCRIPTION_ID }}
           tf_state_name: ${{ env.TF_STATE_NAME }}
           gh_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/infrastructure/products/azure_arm.tf b/infrastructure/products/azure_arm.tf
@@ -154,6 +154,14 @@ resource "azurerm_role_assignment" "administrator_contributor" {
   skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "reader_reader" {
+  scope                            = azurerm_management_group.parent.id
+  principal_id                     = azuread_service_principal.reader.object_id
+  role_definition_name             = data.azurerm_role_definition.reader.name
+  skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "apps_user_access_administrator" {
   scope                            = azurerm_management_group.management_groups[each.value.product_slug].id
@@ -225,6 +233,31 @@ resource "azurerm_role_assignment" "product_admins_contributor" {
   #  skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_readers_storage_blob_owner" {
+  scope                = azurerm_storage_container.container.resource_manager_id
+  principal_id         = azuread_group.product_readers.object_id
+  role_definition_name = data.azurerm_role_definition.storage_blob_data_owner.name
+  condition_version    = "2.0"
+  condition            = <<-EOT
+  (
+   ${local.write_operations}
+   OR 
+   (
+    @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'github.com/${local.configuration.admin.github.owner}/${lower(local.configuration.admin.github.repository)}/'
+   )
+  )
+  EOT
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_readers_reader" {
+  scope                = data.azurerm_resource_group.tfstate.id
+  principal_id         = azuread_group.product_readers.object_id
+  role_definition_name = data.azurerm_role_definition.reader.name
+  #  skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "products" {
   scope                = azurerm_storage_container.container.resource_manager_id

diff --git a/infrastructure/products/entra.tf b/infrastructure/products/entra.tf
@@ -14,11 +14,22 @@ resource "azuread_application" "administrator" {
   #  prevent_duplicate_names = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
+resource "azuread_application" "reader" {
+  display_name = "GitHub: ${lower(local.configuration.admin.github.owner)}/${lower(local.configuration.admin.github.repository)} - Reader"
+  #  prevent_duplicate_names = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
 resource "azuread_service_principal" "administrator" {
   client_id = azuread_application.administrator.client_id
 }
 
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
+resource "azuread_service_principal" "reader" {
+  client_id = azuread_application.reader.client_id
+}
+
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
 resource "azuread_application" "product" {
   display_name = "GitHub: ${lower(each.value.repository.owner)}/${each.value.repository.name} - ${title(each.value.workspace.name)}"
@@ -64,6 +75,12 @@ resource "azuread_group" "product_admins" {
   security_enabled = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group
+resource "azuread_group" "product_readers" {
+  display_name     = "Altinn Products: Readers"
+  security_enabled = true
+}
+
 resource "azuread_application_api_access" "example_msgraph" {
   application_id = azuread_application.administrator.id
   api_client_id  = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
@@ -74,12 +91,28 @@ resource "azuread_application_api_access" "example_msgraph" {
   ]
 }
 
+resource "azuread_application_api_access" "reader_msgraph" {
+  application_id = azuread_application.reader.id
+  api_client_id  = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
+
+  role_ids = [
+    data.azuread_service_principal.msgraph.app_role_ids["Group.Read.All"],
+    data.azuread_service_principal.msgraph.app_role_ids["Application.Read.All"],
+  ]
+}
+
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
 resource "azuread_group_member" "product_admins" {
   group_object_id  = azuread_group.product_admins.object_id
   member_object_id = azuread_service_principal.administrator.object_id
 }
 
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
+resource "azuread_group_member" "product_readers" {
+  group_object_id  = azuread_group.product_readers.object_id
+  member_object_id = azuread_service_principal.reader.object_id
+}
+
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
 resource "azuread_group_member" "admin_contributor" {
   group_object_id  = azuread_group.developers[each.key].id
@@ -108,6 +141,16 @@ resource "azuread_application_federated_identity_credential" "oidc_environments_
   for_each = local.environments
 }
 
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential
+resource "azuread_application_federated_identity_credential" "oidc_environments_reader" {
+  application_id = azuread_application.reader.id
+  display_name   = "github.${local.configuration.admin.github.owner}.${local.configuration.admin.github.repository}.environment.reader"
+  subject        = "repo:${local.configuration.admin.github.owner}/${lower(local.configuration.admin.github.repository)}:environment:reader"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = "https://token.actions.githubusercontent.com"
+  description    = "Allow GitHub actions run within the context of environment reader from the repository https://github.com/${local.configuration.admin.github.owner}/${lower(local.configuration.admin.github.repository)} to have access to the app registration"
+}
+
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential
 resource "azuread_application_federated_identity_credential" "oidc_environments" {
   application_id = azuread_application.product[each.value.app_reggs_slug].id