Merge pull request #101 from PerfectThymeTech/marvinbuss/update_storage

Update Permission Details in Terraform

Author: marvinbuss

code/infra/function.tf

@@ -207,7 +207,7 @@ resource "azapi_resource" "function" {
   })
 
   schema_validation_enabled = false
-  # ignore_body_changes = [
+  # ignore_body_changes = [ # Required when app settings are managed in a separate process
   #   "properties.siteConfig.appSettings"
   # ]
   depends_on = [

code/infra/roleassignments.tf

@@ -4,19 +4,34 @@ resource "azurerm_role_assignment" "current_role_assignment_key_vault" {
   principal_id         = data.azurerm_client_config.current.object_id
 }
 
-resource "azurerm_role_assignment" "function_role_assignment_storage" {
+resource "azurerm_role_assignment" "function_role_assignment_storage_blob_data_owner" {
   scope                = azurerm_storage_account.storage.id
   role_definition_name = "Storage Blob Data Owner"
   principal_id         = azapi_resource.function.identity[0].principal_id
 }
 
+# resource "azurerm_role_assignment" "function_role_assignment_storage_account_contributor" { # Enable when using blob triggers
+#   scope                = azurerm_storage_account.storage.id
+#   role_definition_name = "Storage Account Contributor"
+#   principal_id         = azapi_resource.function.identity[0].principal_id
+# }
+
+# resource "azurerm_role_assignment" "function_role_assignment_storage_queue_data_contributor" { # Enable when using blob triggers
+#   scope                = azurerm_storage_account.storage.id
+#   role_definition_name = "Storage Queue Data Contributor"
+#   principal_id         = azapi_resource.function.identity[0].principal_id
+# }
+
+# Additional permissions may be required based on the trigger that is being used.
+# For more details, refer to: https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-python#grant-permission-to-the-identity
+
 resource "azurerm_role_assignment" "function_role_assignment_key_vault" {
   scope                = azurerm_key_vault.key_vault.id
   role_definition_name = "Key Vault Secrets Officer"
   principal_id         = azapi_resource.function.identity[0].principal_id
 }
 
-# resource "azurerm_role_assignment" "function_role_assignment_application_insights" {
+# resource "azurerm_role_assignment" "function_role_assignment_application_insights" { # Enable to rely on Entra ID-based authentication to Application Insights
 #   scope                = azurerm_application_insights.application_insights.id
 #   role_definition_name = "Monitoring Metrics Publisher"
 #   principal_id         = azapi_resource.function.identity[0].principal_id

code/infra/storage.tf

@@ -45,57 +45,34 @@ resource "azurerm_storage_account" "storage" {
     publish_microsoft_endpoints = false
   }
   sftp_enabled              = false
-  shared_access_key_enabled = false
+  shared_access_key_enabled = false # Required to be set to 'true' when creating a Windows host
 }
 
-resource "azurerm_storage_management_policy" "storage_management_policy" {
-  storage_account_id = azurerm_storage_account.storage.id
-
-  rule {
-    name    = "default"
-    enabled = true
-    actions {
-      base_blob {
-        tier_to_cool_after_days_since_modification_greater_than = 360
-        # delete_after_days_since_modification_greater_than = 720
-      }
-      snapshot {
-        change_tier_to_cool_after_days_since_creation = 180
-        delete_after_days_since_creation_greater_than = 360
-      }
-      version {
-        change_tier_to_cool_after_days_since_creation = 180
-        delete_after_days_since_creation              = 360
-      }
-    }
-    filters {
-      blob_types   = ["blockBlob"]
-      prefix_match = []
-    }
-  }
-}
-
-resource "azapi_resource" "storage_file_share" {
-  type      = "Microsoft.Storage/storageAccounts/fileServices/shares@2022-09-01"
-  name      = "logicapp"
-  parent_id = "${azurerm_storage_account.storage.id}/fileServices/default"
-
-  body = jsonencode({
-    properties = {
-      accessTier       = "TransactionOptimized"
-      enabledProtocols = "SMB"
-      shareQuota       = 5120
-    }
-  })
-}
-
-# resource "azurerm_storage_share" "storage_file_share" {
-#   name = "logicapp"
-#   storage_account_name = azurerm_storage_account.storage.name
-
-#   access_tier = "TransactionOptimized"
-#   enabled_protocol = "SMB"
-#   quota = 5120
+# resource "azurerm_storage_management_policy" "storage_management_policy" {
+#   storage_account_id = azurerm_storage_account.storage.id
+
+#   rule {
+#     name    = "default"
+#     enabled = true
+#     actions {
+#       base_blob {
+#         tier_to_cool_after_days_since_modification_greater_than = 360
+#         # delete_after_days_since_modification_greater_than = 720
+#       }
+#       snapshot {
+#         change_tier_to_cool_after_days_since_creation = 180
+#         delete_after_days_since_creation_greater_than = 360
+#       }
+#       version {
+#         change_tier_to_cool_after_days_since_creation = 180
+#         delete_after_days_since_creation              = 360
+#       }
+#     }
+#     filters {
+#       blob_types   = ["blockBlob"]
+#       prefix_match = []
+#     }
+#   }
 # }
 
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_storage" {