fix: temporarily disable the privilege escalation policy for deployments

JohannesRudolph · JohannesRudolph · commit 77f6bbda09c8 · 2024-05-02T16:55:13.000Z
this is the "stricter" version of the change introduced in the previous
commit. We still have a strict enforcement that no additional assignments
can be done to the replicator, but temporarily disable that policy
while deploying the meshPlatform terraform module
diff --git a/modules/meshcloud-replicator-service-principal/README.md b/modules/meshcloud-replicator-service-principal/README.md
@@ -13,6 +13,7 @@
 |------|---------|
 | <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.46.0 |
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.81.0 |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 | <a name="provider_time"></a> [time](#provider\_time) | 0.11.1 |
 
 ## Modules
@@ -38,6 +39,7 @@ No modules.
 | [azurerm_role_definition.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azurerm/3.81.0/docs/resources/role_definition) | resource |
 | [azurerm_role_definition.meshcloud_replicator_rg_deleter](https://registry.terraform.io/providers/hashicorp/azurerm/3.81.0/docs/resources/role_definition) | resource |
 | [azurerm_role_definition.meshcloud_replicator_subscription_canceler](https://registry.terraform.io/providers/hashicorp/azurerm/3.81.0/docs/resources/role_definition) | resource |
+| [terraform_data.allowed_assignments](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [time_rotating.replicator_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
 | [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_published_app_ids) | data source |
 | [azuread_application_template.enterprise_app](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_template) | data source |
diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf
@@ -186,23 +186,20 @@ resource "azurerm_role_assignment" "meshcloud_replicator" {
   scope              = each.key
   role_definition_id = azurerm_role_definition.meshcloud_replicator.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id
-  depends_on         = [azuread_service_principal.meshcloud_replicator]
 }
 
 resource "azurerm_role_assignment" "meshcloud_replicator_subscription_canceler" {
   for_each           = toset(var.can_cancel_subscriptions_in_scopes)
   scope              = each.key
   role_definition_id = azurerm_role_definition.meshcloud_replicator_subscription_canceler.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id
-  depends_on         = [azuread_service_principal.meshcloud_replicator]
 }
 
 resource "azurerm_role_assignment" "meshcloud_replicator_rg_deleter" {
   for_each           = toset(var.can_delete_rgs_in_scopes)
   scope              = each.key
   role_definition_id = azurerm_role_definition.meshcloud_replicator_rg_deleter.role_definition_resource_id
   principal_id       = azuread_service_principal.meshcloud_replicator.id
-  depends_on         = [azuread_service_principal.meshcloud_replicator]
 }
 
 //---------------------------------------------------------------------------
@@ -229,14 +226,6 @@ resource "azuread_app_role_assignment" "meshcloud_replicator-user" {
   depends_on          = [azuread_application.meshcloud_replicator]
 }
 
-locals {
-  assignable_role_definition_ids = compact([
-    azurerm_role_definition.meshcloud_replicator.role_definition_id,
-    azurerm_role_definition.meshcloud_replicator_subscription_canceler.role_definition_id,
-    azurerm_role_definition.meshcloud_replicator_rg_deleter.role_definition_id
-  ])
-}
-
 //---------------------------------------------------------------------------
 // Policy Definition for preventing the Application from assigning other privileges to itself
 // Assign it to the specified scope
@@ -260,10 +249,6 @@ resource "azurerm_policy_definition" "privilege_escalation_prevention" {
           {
             "field": "Microsoft.Authorization/roleAssignments/principalId",
             "equals": "${azuread_service_principal.meshcloud_replicator.object_id}"
-          },
-          {
-            "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
-            "notIn": ${jsonencode(local.assignable_role_definition_ids)}
           }
         ]
       },
@@ -274,9 +259,38 @@ resource "azurerm_policy_definition" "privilege_escalation_prevention" {
 RULE
 }
 
+resource "terraform_data" "allowed_assignments" {
+  input = compact(
+    concat(
+      var.assignment_scopes,
+      var.can_cancel_subscriptions_in_scopes,
+      var.can_delete_rgs_in_scopes
+  ))
+}
 
 resource "azurerm_management_group_policy_assignment" "privilege-escalation-prevention" {
-  name                 = "msh-escal-prev-${local.spp_hash}"
+  name                 = "meshStack-PEP-${local.spp_hash}"
+  description          = azurerm_policy_definition.privilege_escalation_prevention.description
   policy_definition_id = azurerm_policy_definition.privilege_escalation_prevention.id
   management_group_id  = var.custom_role_scope
+
+  lifecycle {
+    # ensure we unassign the policy whenver we make intentional changes to the replicators role assignments and then reassign it after
+    # note that we can't directly depend on the azurerm_role_assignment resources here because terraform fails with
+    # >  Error: no change found for azurerm_role_assignment.meshcloud_replicator_rg_deleter
+    # whenever no role_assignment exists because the for_each condition is empty (so no instances exist).
+    # We therefore trigger the replacement directly using the for_each keys
+    replace_triggered_by = [
+      terraform_data.allowed_assignments
+    ]
+  }
+
+  # only deploy this after the replicator roles have been assigned, here it's fine for terraform to directly reference
+  # resources that use for_each, even if there are no instances of that resources
+  depends_on = [
+    azurerm_role_assignment.meshcloud_replicator,
+    azurerm_role_assignment.meshcloud_replicator_rg_deleter,
+    azurerm_role_assignment.meshcloud_replicator_subscription_canceler
+  ]
 }
+
