v1.0.0 assigns Owner RBAC role to the managed identity for the function app

[mo-AndrewPage]

With v1.0.0 the Owner RBAC permission is assigned to this storage account on behalf of the managed identity behind the function app.

Is Owner actually required (or would Storage Blob Data Contributor suffice instead?)
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

We would need to get Owner agreed with our Sec Analyst.

[wozzer72]

Thank you for challenging the permissions; I like your attention to detail.

The functionapp is now responsible for creating the backfill Cost mgmt export tasks. Unfortunately, the permissions required to create the export tasks requires being able to the target storage account for the cost export data files to allow each of the Cost Mgmt Export tasks permissions to write to it.

To note, owner permission is required to for the principle deploying the terraform - in regards to creating the "daily export" Cost Mgmt export task.

We started with minimum (zero) permissions, and added permissions until we could get the functionapp to create a Cost mgmt Export task - and unfortunately, Owner permission is indeed required, but restricted to just the two conditions was the minimum (highlighted bold below) and the scope is required to the "cost_export" storage account within the subscription dedicated to this export function :

resource "azurerm_role_assignment" "grant_func_storage_account_contributor" {
  scope                = azurerm_storage_account.cost_export.id
  role_definition_name = "Owner"
  principal_id         = azurerm_function_app_flex_consumption.cost_export.identity[0].principal_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
  condition            = <<-EOT
  (
    !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
  )
  OR
  (
    !(ActionMatches{'Microsoft.Authorization/permissions/read'})
  )
  EOT
}

[wozzer72]

The level of permissions being requested is that of Cost Mgmt: https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-improved-exports#prerequisites. We initially tried with "Storage Account Contributor" role but it does not have the "role assignment" permission required when the Cost Mgmt Export task is created with target to

The backfill tasks have to be created by the lambda, because we now automate the running of backfill with a timer - not requiring each department to have to run terraform every time to create an up to date backfill and then manually run each export task (could be up to seven years of export jobs - 7*12 = 84 jobs).

We control the backfill with carbon export and cost mgmt lock objects on the target S3 bucket; when the lock object is deleted, the backfill can run on the next timer event. For the cost backfill (up to 84 jobs) it runs six job concurrently every day.

The backfill function is key to getting the historical data necessary to cost analysis.