feat: cancel subscription permissions for replicator

malhussan · JohannesRudolph · commit 94f66766af23 · 2024-04-22T16:33:16.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Option to provide replicator service principal permission to cancel subscriptions on specified scopes (i.e. landing zones)
+
 ## [v0.5.0]
 
 ### Changed
diff --git a/main.tf b/main.tf
@@ -51,9 +51,10 @@ module "replicator_service_principal" {
 
   replicator_rg_enabled = var.replicator_rg_enabled
 
-  service_principal_name = var.replicator_service_principal_name
-  custom_role_scope      = data.azurerm_management_group.replicator_custom_role_scope.id
-  assignment_scopes      = local.replicator_assignment_scopes
+  service_principal_name             = var.replicator_service_principal_name
+  custom_role_scope                  = data.azurerm_management_group.replicator_custom_role_scope.id
+  assignment_scopes                  = local.replicator_assignment_scopes
+  can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes
 
   additional_required_resource_accesses = var.additional_required_resource_accesses
   additional_permissions                = var.additional_permissions
diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf
@@ -67,6 +67,21 @@ resource "azurerm_role_definition" "meshcloud_replicator" {
   ]
 }
 
+resource "azurerm_role_definition" "meshcloud_replicator_subscription_canceler" {
+  count       = length(var.can_cancel_subscriptions_in_scopes) > 0 ? 1 : 0
+  name        = var.service_principal_name
+  scope       = var.custom_role_scope
+  description = "Permissions required by meshcloud in order to cancel subscriptions"
+
+  permissions {
+    actions = ["Microsoft.Subscription/cancel/action"]
+  }
+
+  assignable_scopes = [
+    var.custom_role_scope
+  ]
+}
+
 //---------------------------------------------------------------------------
 // Queries Entra ID for information about well-known application IDs.
 // Retrieve details about the service principal 
@@ -161,6 +176,14 @@ resource "azurerm_role_assignment" "meshcloud_replicator" {
   depends_on         = [azuread_service_principal.meshcloud_replicator]
 }
 
+resource "azurerm_role_assignment" "meshcloud_replicator_subscription_canceler" {
+  for_each           = toset(var.can_cancel_subscriptions_in_scopes)
+  scope              = each.key
+  role_definition_id = azurerm_role_definition.meshcloud_replicator_subscription_canceler[0].role_definition_resource_id
+  principal_id       = azuread_service_principal.meshcloud_replicator.id
+  depends_on         = [azuread_service_principal.meshcloud_replicator]
+}
+
 //---------------------------------------------------------------------------
 // Assign Entra ID Roles to the Enterprise application
 //---------------------------------------------------------------------------
diff --git a/modules/meshcloud-replicator-service-principal/variables.tf b/modules/meshcloud-replicator-service-principal/variables.tf
@@ -13,6 +13,12 @@ variable "assignment_scopes" {
   description = "The scopes to which Service Principal permissions is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`."
 }
 
+variable "can_cancel_subscriptions_in_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`."
+  default     = []
+}
+
 variable "additional_required_resource_accesses" {
   type        = list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))
   default     = []
diff --git a/variables.tf b/variables.tf
@@ -14,6 +14,12 @@ variable "replicator_assignment_scopes" {
   description = "Names or UUIDs of the Management Groups which replicator should manage."
 }
 
+variable "can_cancel_subscriptions_in_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`."
+  default     = []
+}
+
 variable "metering_service_principal_name" {
   type        = string
   default     = "kraken"
