give products admins user access administrator

Altinn · Jul 16, 2024 · 3d71d65 · 3d71d65
1 parent 92cd2c5
commit 3d71d65
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/infrastructure/products/azure_arm.tf b/infrastructure/products/azure_arm.tf
@@ -203,12 +203,20 @@ resource "azurerm_role_assignment" "admins" {
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_admins_storage_blob_owner" {
-  scope                = azurerm_storage_account.backend.id
+  scope                = azurerm_storage_container.container.resource_manager_id
   principal_id         = azuread_group.product_admins.object_id
   role_definition_name = data.azurerm_role_definition.storage_blob_data_owner.name
   #  skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_admins_user_access_administrator" {
+  scope                = azurerm_storage_container.container.resource_manager_id
+  principal_id         = azuread_group.product_admins.object_id
+  role_definition_name = data.azurerm_role_definition.user_access_administrator.name
+  #  skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_admins_contributor" {
   scope                = data.azurerm_resource_group.tfstate.id
@@ -217,14 +225,13 @@ resource "azurerm_role_assignment" "product_admins_contributor" {
   #  skip_service_principal_aad_check = true
 }
 
-
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "products" {
   scope                = azurerm_storage_container.container.resource_manager_id
   principal_id         = azuread_group.admins[each.value.slug].object_id
   role_definition_name = data.azurerm_role_definition.storage_blob_data_owner.name
 
-  depends_on = [azurerm_role_assignment.product_admins_contributor]
+  depends_on = [azurerm_role_assignment.product_admins_user_access_administrator]
 
   condition_version = "2.0"
   condition         = <<-EOT
@@ -251,7 +258,7 @@ resource "azurerm_role_assignment" "appregg" {
   role_definition_name             = data.azurerm_role_definition.storage_blob_data_owner.name
   skip_service_principal_aad_check = true
 
-  depends_on = [azurerm_role_assignment.product_admins_contributor]
+  depends_on = [azurerm_role_assignment.product_admins_user_access_administrator]
 
   condition_version = "2.0"
   condition         = <<-EOT