trying to reduce permissions for deployment storage

sbaidachni · sbaidachni · commit 488aa772e61f · 2025-07-19T14:20:56.000-07:00
diff --git a/infra/main.search_configuration.tf b/infra/main.search_configuration.tf
@@ -235,11 +235,11 @@ resource "time_sleep" "wait_for_rbac" {
     azurerm_role_assignment.terraform_deployment_container_storage_access,
     azurerm_role_assignment.terraform_deployment_container_file_access,
     # Script identity storage permissions
-    azurerm_role_assignment.script_deployment_container_storage_contributor,
-    azurerm_role_assignment.script_deployment_container_blob_owner,
+    # azurerm_role_assignment.script_deployment_container_storage_contributor,
+    azurerm_role_assignment.script_deployment_container_blob_contributor,
     azurerm_role_assignment.script_deployment_container_file_owner,
     # Main storage permissions (write access needed for upload_data.py to upload data files)
-    azurerm_role_assignment.script_main_storage_queue_contributor,
+    # azurerm_role_assignment.script_main_storage_queue_contributor,
     azurerm_role_assignment.script_main_storage_blob_owner,
     azurerm_role_assignment.script_main_storage_file_contributor,
     # AI Search permissions
@@ -455,11 +455,11 @@ resource "null_resource" "verify_rbac_propagation" {
   depends_on = [
     time_sleep.wait_for_rbac,
     # Storage permissions
-    azurerm_role_assignment.script_main_storage_queue_contributor,
+    # azurerm_role_assignment.script_main_storage_queue_contributor,
     azurerm_role_assignment.script_main_storage_blob_owner,
     azurerm_role_assignment.script_main_storage_file_contributor,
-    azurerm_role_assignment.script_deployment_container_storage_contributor,
-    azurerm_role_assignment.script_deployment_container_blob_owner,
+    # azurerm_role_assignment.script_deployment_container_storage_contributor,
+    azurerm_role_assignment.script_deployment_container_blob_contributor,
     azurerm_role_assignment.script_deployment_container_file_owner,
     # AI Search permissions
     azurerm_role_assignment.script_search_service_contributor,
diff --git a/infra/main.security.tf b/infra/main.security.tf
@@ -49,13 +49,6 @@ resource "azurerm_role_assignment" "script_search_service_contributor" {
 }
 
 # --- Main Storage Account Permissions ---
-
-resource "azurerm_role_assignment" "script_main_storage_queue_contributor" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = module.storage_account_and_container.resource_id
-  role_definition_name = "Storage Queue Data Contributor"
-}
-
 resource "azurerm_role_assignment" "script_main_storage_blob_owner" {
   principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
   scope                = module.storage_account_and_container.resource_id
@@ -81,16 +74,10 @@ resource "azurerm_role_assignment" "script_main_storage_account_contributor" {
 }
 
 # --- Deployment Container Storage Account ---
-resource "azurerm_role_assignment" "script_deployment_container_storage_contributor" {
+resource "azurerm_role_assignment" "script_deployment_container_blob_contributor" {
   principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
   scope                = azurerm_storage_account.deployment_container.id
-  role_definition_name = "Storage Account Contributor"
-}
-
-resource "azurerm_role_assignment" "script_deployment_container_blob_owner" {
-  principal_id         = azurerm_user_assigned_identity.script_identity.principal_id
-  scope                = azurerm_storage_account.deployment_container.id
-  role_definition_name = "Storage Blob Data Owner"
+  role_definition_name = "Storage Blob Data Contributor"
 }
 
 resource "azurerm_role_assignment" "script_deployment_container_file_owner" {
