Adding topic permissions to Event Grid.

Komal Makkar requested to merge eg_topic_contributor_role into master

Infrastructure Submissions:

  • [YES/NO] Have you added an explanation of what your changes do and why you'd like us to include them? Yes
  • [YES/NO] I have updated the documentation accordingly. NA
  • [YES/NO/NA] I have added tests to cover my changes. NA
  • [YES/NO/NA] All new and existing tests passed. Yes
  • [YES/NO/NA] I have formatted the terraform code. (terraform fmt -recursive && go fmt ./...) Yes

Current Behavior or Linked Issues

The register service is an R3 service that is coming up now. It entails Event Grid addition to the infrastructure. Register service interacts with Event Grid Topic by creating subscriptions, deleting them and modifying them. The application code is written to achieve the same.

The creation of roles requires the application service principal to have EventGrid EventSubscription Contributor.

The architecture design of how identity is handled in OSDU is to use Managed Identities with the Pod Identity access control. Managed Identity is not at this time supported for Event Grid so a different approach will be necessary.

These results in a Service Principal requiring the proper Role Assignments and the service leveraging Service Principal Roles to accomplish adding and removing subscriptions to a topic.

Does this introduce a breaking change?

  • [YES/NO] No

Other information (Design Footnote)

The output variable for topics is a map of topic name and topic id. Here the topic name will be looked up to retrieve the topic id while the roles to the topics are being given off.

This will make it easier for us to add topics and control the roles for each topic as per the needs. (extensibility)

Reviewer request

  • Please provide an ETA when you plan to review this MR. Write a comment to decline or provide an ETA.
  • Block the MR if you feel there is less testing or no details in the MR
Edited by Komal Makkar

Merge request reports