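--- a/[path not shown in SOURCE]
+++ b/[path not shown in SOURCE]
@@ -4,19 +4,34 @@ resource "azurerm_role_assignment" "current_role_assignment_key_vault" {
 principal_id = data. azurerm_client_config . current . object_id
 }
 
-resource "azurerm_role_assignment" "function_role_assignment_storage " {
+resource "azurerm_role_assignment" "function_role_assignment_storage_blob_data_owner " {
 scope = azurerm_storage_account. storage . id
 role_definition_name = " Storage Blob Data Owner"
 principal_id = azapi_resource. function . identity [0 ]. principal_id
 }
 
+# resource "azurerm_role_assignment" "function_role_assignment_storage_account_contributor" { # Enable when using blob triggers
+# scope = azurerm_storage_account.storage.id
+# role_definition_name = "Storage Account Contributor"
+# principal_id = azapi_resource.function.identity[0].principal_id
+# }
+
+# resource "azurerm_role_assignment" "function_role_assignment_storage_queue_data_contributor" { # Enable when using blob triggers
+# scope = azurerm_storage_account.storage.id
+# role_definition_name = "Storage Queue Data Contributor"
+# principal_id = azapi_resource.function.identity[0].principal_id
+# }
+
+# Additional permissions may be required based on the trigger that is being used.
+# For more details, refer to: https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-python#grant-permission-to-the-identity
+
 resource "azurerm_role_assignment" "function_role_assignment_key_vault" {
 scope = azurerm_key_vault. key_vault . id
 role_definition_name = " Key Vault Secrets Officer"
 principal_id = azapi_resource. function . identity [0 ]. principal_id
 }
 
-# resource "azurerm_role_assignment" "function_role_assignment_application_insights" {
+# resource "azurerm_role_assignment" "function_role_assignment_application_insights" { # Enable to rely on Entra ID-based authentication to Application Insights
 # scope = azurerm_application_insights.application_insights.id
 # role_definition_name = "Monitoring Metrics Publisher"
 # principal_id = azapi_resource.function.identity[0].principal_id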
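Review bot: Renaming the resource from `function_role_assignment_storage` to `function_role_assignment_storage_blob_data_owner` on the new side changes its Terraform address, so without a `moved` block the next apply will destroy the existing Storage Blob Data Owner assignment and create a replacement, leaving the function identity without blob access for the duration of the apply. Adding a `moved` block keeps the state entry and turns the rename into a no-op; the rewritten lines are below. Separately, the commented-out `Storage Account Contributor` block is a control-plane role that includes the `listKeys` action, so whoever enables it for blob triggers should know it lets the identity retrieve the shared account keys rather than only data-plane access; a comment on that block such as `# NOTE: this role also permits listKeys on the account, not just data-plane access` would make the trade-off visible. The `function_role_assignment_application_insights` comment block ends outside the hunk, and the `current_role_assignment_key_vault` resource named in the hunk header begins above it.
```terraform
moved {
  from = azurerm_role_assignment.function_role_assignment_storage
  to   = azurerm_role_assignment.function_role_assignment_storage_blob_data_owner
}

resource "azurerm_role_assignment" "function_role_assignment_storage_blob_data_owner" {
  # … unchanged: scope, role_definition_name, principal_id …
}
```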