
Commit 58b9d37

committed
Add references for additional role assignments
1 parent d96dd83 commit 58b9d37


1 file changed

+17
-2
lines changed

1 file changed

+17
-2
lines changed

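--- a/code/infra/roleassignments.tf
+++ b/code/infra/roleassignments.tf
@@ -4,19 +4,34 @@ resource "azurerm_role_assignment" "current_role_assignment_key_vault" {
 principal_id = data.azurerm_client_config.current.object_id
 }
 
-resource "azurerm_role_assignment" "function_role_assignment_storage" {
+resource "azurerm_role_assignment" "function_role_assignment_storage_blob_data_owner" {
 scope = azurerm_storage_account.storage.id
 role_definition_name = "Storage Blob Data Owner"
 principal_id = azapi_resource.function.identity[0].principal_id
 }
 
+# resource "azurerm_role_assignment" "function_role_assignment_storage_account_contributor" { # Enable when using blob triggers
+# scope = azurerm_storage_account.storage.id
+# role_definition_name = "Storage Account Contributor"
+# principal_id = azapi_resource.function.identity[0].principal_id
+# }
+
+# resource "azurerm_role_assignment" "function_role_assignment_storage_queue_data_contributor" { # Enable when using blob triggers
+# scope = azurerm_storage_account.storage.id
+# role_definition_name = "Storage Queue Data Contributor"
+# principal_id = azapi_resource.function.identity[0].principal_id
+# }
+
+# Additional permissions may be required based on the trigger that is being used.
+# For more details, refer to: https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-python#grant-permission-to-the-identity
+
 resource "azurerm_role_assignment" "function_role_assignment_key_vault" {
 scope = azurerm_key_vault.key_vault.id
 role_definition_name = "Key Vault Secrets Officer"
 principal_id = azapi_resource.function.identity[0].principal_id
 }
 
-# resource "azurerm_role_assignment" "function_role_assignment_application_insights" {
+# resource "azurerm_role_assignment" "function_role_assignment_application_insights" { # Enable to rely on Entra ID-based authentication to Application Insights
 # scope = azurerm_application_insights.application_insights.id
 # role_definition_name = "Monitoring Metrics Publisher"
 # principal_id = azapi_resource.function.identity[0].principal_id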
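Review bot: Renaming `function_role_assignment_storage` to `function_role_assignment_storage_blob_data_owner` changes the resource address, so on an existing deployment Terraform will plan a destroy of the old assignment and a create of the new one; the two operations are unordered, which may leave the function identity briefly without blob access or fail on a duplicate-assignment conflict. A `moved` block (Terraform 1.1 or later) keeps the existing assignment in state, as sketched below. Separately, the commented-out `Storage Account Contributor` template is a management-plane role that can list the account keys, so I would extend its trailing comment to say so, e.g. `# Enable when using blob triggers; note this role can list the account keys`. The hunk ends inside the commented-out Application Insights block, whose closing line is outside the view.

```hcl
moved {
  from = azurerm_role_assignment.function_role_assignment_storage
  to   = azurerm_role_assignment.function_role_assignment_storage_blob_data_owner
}
```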
