Fix bundle server changes
All Submissions:
- [YES/NO] Have you added an explanation of what your changes do and why you'd like us to include them?
- [YES/NO] I have updated the documentation accordingly.
- [YES/NO/NA] My code follows the code style of this project. Yes
Current Behavior or Linked Issues
Work Item: https://dev.azure.com/OpenEnergyPlatform/Open%20Energy%20Platform/_workitems/edit/240/
The changes are for provisioning the bundle server, which OPA will use to evaluate the policies. The MR contains changes to use the common resource service principal, which is part of the prerequisite infra creation, for role assignments. The AAD application principal, which is created as part of infra apply or comes as BYOA, is removed for role assignment. A new API permission is provided to the application.
Does this introduce a breaking change?
Yes
Minor Impact
Other information
SR Principal terraform plan
# azurerm_role_assignment.storage_blob_contributor[0] must be replaced
-/+ resource "azurerm_role_assignment" "storage_blob_contributor" {
~ id = "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Storage/storageAccounts/osdumvpsrdevz98ydata/providers/Microsoft.Authorization/roleAssignments/46768bb7-2dec-7a78-4e7c-c9f683e51364" -> (known after apply)
~ name = "46768bb7-2dec-7a78-4e7c-c9f683e51364" -> (known after apply)
~ principal_id = "ce6676e9-75a8-439b-b438-6973919be2b3" -> "7559d102-c270-4b9e-907c-da34e6134243" # forces replacement
~ principal_type = "ServicePrincipal" -> (known after apply)
~ role_definition_id = "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe" -> (known after apply)
~ scope = "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Storage/storageAccounts/osdumvpsrdevz98ydata" -> "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Storage/storageAccounts/osdumvpsrdevz98yconfig" # forces replacement
+ skip_service_principal_aad_check = (known after apply)
# (1 unchanged attribute hidden)
}
# azurerm_role_assignment.storage_blob_contributor[1] will be created
+ resource "azurerm_role_assignment" "storage_blob_contributor" {
+ id = (known after apply)
+ name = (known after apply)
+ principal_id = "e5f4c7bd-9982-4f9e-abfe-0636b33bbf8f"
+ principal_type = (known after apply)
+ role_definition_id = (known after apply)
+ role_definition_name = "Storage Blob Data Contributor"
+ scope = "/subscriptions/7c052588-ead2-45c9-9346-5b156a157bd1/resourceGroups/osdu-mvp-srdev-z98y-rg/providers/Microsoft.Storage/storageAccounts/osdumvpsrdevz98yconfig"
+ skip_service_principal_aad_check = (known after apply)
}
Common Resource Terraform Plan
~ resource "azuread_application" "main" {
id = "177a585c-e08a-4cec-a6ee-f1831024e8c8"
name = "osdu-mvp-crdev-vq1b-app"
# (14 unchanged attributes hidden)
- required_resource_access {
- resource_app_id = "e406a681-f3d4-42a8-90b6-c2b029497af1" -> null
- resource_access {
- id = "03e0da56-190b-40ad-a80c-ea378c433f7f" -> null
- type = "Scope" -> null
}
}
# (1 unchanged block hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
Changes to Outputs:
- storage_app_principal_id = "ce6676e9-75a8-439b-b438-6973919be2b3" -> null
Edited by Aayushi Jain