DTOSS-10982: add storage data contributor roles to managed identity RBAC

josielsouzanordcloud · josielsouzanordcloud · commit 3ff165ac53e7 · 2025-09-16T16:36:05.000+01:00
diff --git a/infrastructure/terraform/resource_group_init/core.bicep b/infrastructure/terraform/resource_group_init/core.bicep
@@ -10,6 +10,8 @@ var roleID = {
   contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
   kvSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
   rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+  storageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
 }
 
 // Let the managed identity configure resources in the subscription
@@ -38,8 +40,8 @@ resource rbacAdminAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.rbacAdmin)
     principalId: miPrincipalId
-    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}}))'
+    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
     conditionVersion: '2.0'
-    description: '${miName} Role Based Access Control Administrator access to subscription. Only allows assigning the Key Vault Secrets User role.'
+    description: '${miName} Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ var roleID = {`
`10`	`10`	`contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'`
`11`	`11`	`kvSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'`
`12`	`12`	`rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'`
	`13`	`+ storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'`
	`14`	`+ storageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'`
`13`	`15`	`}`
`14`	`16`
`15`	`17`	`// Let the managed identity configure resources in the subscription`
`@@ -38,8 +40,8 @@ resource rbacAdminAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01`
`38`	`40`	`properties: {`
`39`	`41`	`roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.rbacAdmin)`
`40`	`42`	`principalId: miPrincipalId`
`41`		`- condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}}))'`
	`43`	+ condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
`42`	`44`	`conditionVersion: '2.0'`
`43`		`- description: '${miName} Role Based Access Control Administrator access to subscription. Only allows assigning the Key Vault Secrets User role.'`
	`45`	`+ description: '${miName} Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'`
`44`	`46`	`}`
`45`	`47`	`}`