update apps permission (#831)

Altinn · Jul 16, 2024 · 67922fb · 67922fb
1 parent f0e367b
commit 67922fb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/.github/workflows/products-deploy.yml b/.github/workflows/products-deploy.yml
@@ -2,6 +2,8 @@ name: Altinn Products
 
 on:
   push:
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       log_level:

diff --git a/infrastructure/products/azure_arm.tf b/infrastructure/products/azure_arm.tf
@@ -209,6 +209,14 @@ resource "azurerm_role_assignment" "product_admins_storage_blob_owner" {
   #  skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_admins_user_access_administrator" {
+  scope                = azurerm_storage_container.container.resource_manager_id
+  principal_id         = azuread_group.product_admins.object_id
+  role_definition_name = data.azurerm_role_definition.user_access_administrator.name
+  #  skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_admins_contributor" {
   scope                = data.azurerm_resource_group.tfstate.id
@@ -217,13 +225,14 @@ resource "azurerm_role_assignment" "product_admins_contributor" {
   #  skip_service_principal_aad_check = true
 }
 
-
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "products" {
   scope                = azurerm_storage_container.container.resource_manager_id
   principal_id         = azuread_group.admins[each.value.slug].object_id
   role_definition_name = data.azurerm_role_definition.storage_blob_data_owner.name
 
+  depends_on = [azurerm_role_assignment.product_admins_user_access_administrator]
+
   condition_version = "2.0"
   condition         = <<-EOT
   (
@@ -249,6 +258,8 @@ resource "azurerm_role_assignment" "appregg" {
   role_definition_name             = data.azurerm_role_definition.storage_blob_data_owner.name
   skip_service_principal_aad_check = true
 
+  depends_on = [azurerm_role_assignment.product_admins_user_access_administrator]
+
   condition_version = "2.0"
   condition         = <<-EOT
   (
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,8 @@ name: Altinn Products @@
     on:
       push:
+        branches:
+          - main
       workflow_dispatch:
         inputs:
           log_level:
@@ Expand Down @@