removed a few more roles

sbaidachni · sbaidachni · commit 062590924aae · 2025-07-19T14:34:09.000-07:00
diff --git a/infra/main.search_configuration.tf b/infra/main.search_configuration.tf
@@ -241,14 +241,14 @@ resource "time_sleep" "wait_for_rbac" {
     # Main storage permissions (write access needed for upload_data.py to upload data files)
     # azurerm_role_assignment.script_main_storage_queue_contributor,
     azurerm_role_assignment.script_main_storage_blob_owner,
-    azurerm_role_assignment.script_main_storage_file_contributor,
+    # azurerm_role_assignment.script_main_storage_file_contributor,
     # AI Search permissions
     azurerm_role_assignment.script_search_service_contributor,
     # azurerm_role_assignment.script_search_index_data_contributor,
     # Azure OpenAI permissions
     azurerm_role_assignment.script_cognitive_services_openai_user,
     # Other permissions
-    azurerm_role_assignment.script_container_apps_contributor
+    # azurerm_role_assignment.script_container_apps_contributor
   ]
   create_duration = "30s"
 }
@@ -457,7 +457,7 @@ resource "null_resource" "verify_rbac_propagation" {
     # Storage permissions
     # azurerm_role_assignment.script_main_storage_queue_contributor,
     azurerm_role_assignment.script_main_storage_blob_owner,
-    azurerm_role_assignment.script_main_storage_file_contributor,
+    # azurerm_role_assignment.script_main_storage_file_contributor,
     # azurerm_role_assignment.script_deployment_container_storage_contributor,
     azurerm_role_assignment.script_deployment_container_blob_contributor,
     azurerm_role_assignment.script_deployment_container_file_owner,
diff --git a/infra/main.security.tf b/infra/main.security.tf
@@ -52,25 +52,7 @@ resource "azurerm_role_assignment" "script_search_service_contributor" {
 resource "azurerm_role_assignment" "script_main_storage_blob_owner" {
   principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
   scope                = module.storage_account_and_container.resource_id
-  role_definition_name = "Storage Blob Data Owner"
-}
-
-resource "azurerm_role_assignment" "script_main_storage_file_contributor" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = module.storage_account_and_container.resource_id
-  role_definition_name = "Storage File Data Privileged Contributor"
-}
-
-resource "azurerm_role_assignment" "script_main_storage_reader" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = module.storage_account_and_container.resource_id
-  role_definition_name = "Reader"
-}
-
-resource "azurerm_role_assignment" "script_main_storage_account_contributor" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = module.storage_account_and_container.resource_id
-  role_definition_name = "Storage Account Contributor"
+  role_definition_name = "Storage Blob Data Contributor"
 }
 
 # --- Deployment Container Storage Account ---
@@ -86,13 +68,6 @@ resource "azurerm_role_assignment" "script_deployment_container_file_owner" {
   role_definition_name = "Storage File Data Privileged Contributor"
 }
 
-# --- Other Permissions ---
-resource "azurerm_role_assignment" "script_container_apps_contributor" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = azurerm_resource_group.this.id
-  role_definition_name = "Container Apps Contributor"
-}
-
 # ============================================================================
 # TERRAFORM PRINCIPAL PERMISSIONS (for deployment-time operations)
 # ============================================================================
