feat: add support to enable deletion of Resource Groups

This enables meshStack to delete tenants in an Azure RG platform.
Implemented it similar to cancelling subscriptions, i.e. require
explicitly listing the scopes where deletion is allowed.

Author: JohannesRudolph

README.md

@@ -136,6 +136,8 @@ Check [examples](./examples/) for different use cases. As a quick start we recom
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the Service Principal needs. | `list(string)` | `[]` | no |
 | <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
+| <a name="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | `[]` | no |
+| <a name="input_can_delete_rgs_in_scopes"></a> [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`. | `list(string)` | `[]` | no |
 | <a name="input_create_passwords"></a> [create\_passwords](#input\_create\_passwords) | Create passwords for service principals. | `bool` | `true` | no |
 | <a name="input_metering_assignment_scopes"></a> [metering\_assignment\_scopes](#input\_metering\_assignment\_scopes) | Names or UUIDs of the Management Groups that kraken should collect costs for. | `list(string)` | n/a | yes |
 | <a name="input_metering_enabled"></a> [metering\_enabled](#input\_metering\_enabled) | Whether to create Metering Service Principal or not. | `bool` | `true` | no |

main.tf

@@ -55,6 +55,7 @@ module "replicator_service_principal" {
   custom_role_scope                  = data.azurerm_management_group.replicator_custom_role_scope.id
   assignment_scopes                  = local.replicator_assignment_scopes
   can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes
+  can_delete_rgs_in_scopes           = var.can_delete_rgs_in_scopes
 
   additional_required_resource_accesses = var.additional_required_resource_accesses
   additional_permissions                = var.additional_permissions

modules/meshcloud-replicator-service-principal/module.tf

@@ -82,9 +82,24 @@ resource "azurerm_role_definition" "meshcloud_replicator_subscription_canceler"
   ]
 }
 
+resource "azurerm_role_definition" "meshcloud_replicator_rg_deleter" {
+  count       = length(var.can_delete_rgs_in_scopes) > 0 ? 1 : 0
+  name        = "${var.service_principal_name}-delete-resourceGroups"
+  scope       = var.custom_role_scope
+  description = "Additional permissions required by meshStack replicator in order to delete Resource Groups"
+
+  permissions {
+    actions = ["Microsoft.Resources/subscriptions/resourceGroups/delete"]
+  }
+
+  assignable_scopes = [
+    var.custom_role_scope
+  ]
+}
+
 //---------------------------------------------------------------------------
 // Queries Entra ID for information about well-known application IDs.
-// Retrieve details about the service principal 
+// Retrieve details about the service principal
 //---------------------------------------------------------------------------
 
 data "azuread_application_published_app_ids" "well_known" {}
@@ -184,6 +199,14 @@ resource "azurerm_role_assignment" "meshcloud_replicator_subscription_canceler"
   depends_on         = [azuread_service_principal.meshcloud_replicator]
 }
 
+resource "azurerm_role_assignment" "meshcloud_replicator_rg_deleter" {
+  for_each           = toset(var.can_delete_rgs_in_scopes)
+  scope              = each.key
+  role_definition_id = azurerm_role_definition.meshcloud_replicator_rg_deleter[0].role_definition_resource_id
+  principal_id       = azuread_service_principal.meshcloud_replicator.id
+  depends_on         = [azuread_service_principal.meshcloud_replicator]
+}
+
 //---------------------------------------------------------------------------
 // Assign Entra ID Roles to the Enterprise application
 //---------------------------------------------------------------------------

modules/meshcloud-replicator-service-principal/variables.tf

@@ -19,6 +19,12 @@ variable "can_cancel_subscriptions_in_scopes" {
   default     = []
 }
 
+variable "can_delete_rgs_in_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`."
+  default     = []
+}
+
 variable "additional_required_resource_accesses" {
   type        = list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))
   default     = []

variables.tf

@@ -20,6 +20,12 @@ variable "can_cancel_subscriptions_in_scopes" {
   default     = []
 }
 
+variable "can_delete_rgs_in_scopes" {
+  type        = list(string)
+  description = "The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`."
+  default     = []
+}
+
 variable "metering_service_principal_name" {
   type        = string
   default     = "kraken"