
Commit c58b9e3

feat: add support to enable deletion of Resource Groups
This enables meshStack to delete tenants in an Azure RG platform. It is implemented similarly to cancelling subscriptions, i.e. the scopes where deletion is allowed must be listed explicitly.
1 parent 1368ba2 commit c58b9e3


5 files changed

+39
-1
lines changed


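--- a/README.md
+++ b/README.md
@@ -136,6 +136,8 @@ Check [examples](./examples/) for different use cases. As a quick start we recom
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the Service Principal needs. | `list(string)` | `[]` | no |
 | <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
+| <a name="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | `[]` | no |
+| <a name="input_can_delete_rgs_in_scopes"></a> [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes) | The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`. | `list(string)` | `[]` | no |
 | <a name="input_create_passwords"></a> [create\_passwords](#input\_create\_passwords) | Create passwords for service principals. | `bool` | `true` | no |
 | <a name="input_metering_assignment_scopes"></a> [metering\_assignment\_scopes](#input\_metering\_assignment\_scopes) | Names or UUIDs of the Management Groups that kraken should collect costs for. | `list(string)` | n/a | yes |
 | <a name="input_metering_enabled"></a> [metering\_enabled](#input\_metering\_enabled) | Whether to create Metering Service Principal or not. | `bool` | `true` | no |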

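--- a/main.tf
+++ b/main.tf
@@ -55,6 +55,7 @@ module "replicator_service_principal" {
 custom_role_scope = data.azurerm_management_group.replicator_custom_role_scope.id
 assignment_scopes = local.replicator_assignment_scopes
 can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes
+can_delete_rgs_in_scopes = var.can_delete_rgs_in_scopes
 
 additional_required_resource_accesses = var.additional_required_resource_accesses
 additional_permissions = var.additional_permissions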

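--- a/modules/meshcloud-replicator-service-principal/module.tf
+++ b/modules/meshcloud-replicator-service-principal/module.tf
@@ -82,9 +82,24 @@ resource "azurerm_role_definition" "meshcloud_replicator_subscription_canceler"
 ]
 }
 
+resource "azurerm_role_definition" "meshcloud_replicator_rg_deleter" {
+count = length(var.can_delete_rgs_in_scopes) > 0 ? 1 : 0
+name = "${var.service_principal_name}-delete-resourceGroups"
+scope = var.custom_role_scope
+description = "Additional permissions required by meshStack replicator in order to delete Resource Groups"
+
+permissions {
+actions = ["Microsoft.Resources/subscriptions/resourceGroups/delete"]
+}
+
+assignable_scopes = [
+var.custom_role_scope
+]
+}
+
 //---------------------------------------------------------------------------
 // Queries Entra ID for information about well-known application IDs.
-// Retrieve details about the service principal
+// Retrieve details about the service principal
 //---------------------------------------------------------------------------
 
 data "azuread_application_published_app_ids" "well_known" {}
@@ -184,6 +199,14 @@ resource "azurerm_role_assignment" "meshcloud_replicator_subscription_canceler"
 depends_on = [azuread_service_principal.meshcloud_replicator]
 }
 
+resource "azurerm_role_assignment" "meshcloud_replicator_rg_deleter" {
+for_each = toset(var.can_delete_rgs_in_scopes)
+scope = each.key
+role_definition_id = azurerm_role_definition.meshcloud_replicator_rg_deleter[0].role_definition_resource_id
+principal_id = azuread_service_principal.meshcloud_replicator.id
+depends_on = [azuread_service_principal.meshcloud_replicator]
+}
+
 //---------------------------------------------------------------------------
 // Assign Entra ID Roles to the Enterprise application
 //---------------------------------------------------------------------------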
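Review bot: The new `meshcloud_replicator_rg_deleter` role definition grants `Microsoft.Resources/subscriptions/resourceGroups/delete` for every resource group in each assigned subscription, not only the ones meshStack created, and neither the resource description nor the variable wording makes that blast radius explicit to the operator who lists the scopes. I would say so in the definition, e.g. `description = "Additional permissions required by meshStack replicator in order to delete Resource Groups. Applies to all resource groups in the assigned subscription scopes."`. The variable description also states the permission is only relevant when `replicator_rg_enabled`, yet the `count` on the definition and the `for_each` on the assignment in the second hunk are gated only on the scope list being non-empty; if this module has such a flag, gating both on it would avoid granting an unused delete right when RG mode is off. As a point of style, the `depends_on` on the assignment is redundant, since `principal_id` already references `azuread_service_principal.meshcloud_replicator`.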

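--- a/modules/meshcloud-replicator-service-principal/variables.tf
+++ b/modules/meshcloud-replicator-service-principal/variables.tf
@@ -19,6 +19,12 @@ variable "can_cancel_subscriptions_in_scopes" {
 default = []
 }
 
+variable "can_delete_rgs_in_scopes" {
+type = list(string)
+description = "The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`."
+default = []
+}
+
 variable "additional_required_resource_accesses" {
 type = list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))
 default = []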
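Review bot: Nothing enforces the `/subscriptions/<subscriptionId>` form that the description of `can_delete_rgs_in_scopes` promises, so a management-group or tenant-root scope passed by mistake is accepted and the resource-group delete right gets assigned far more broadly than the description suggests; a `validation` block on the variable would fail the plan instead of silently widening the grant. The identical declaration in the root `variables.tf` section below has the same gap and should get the same block. The variable's closing brace is inside the hunk, so the whole declaration is visible here.

```hcl
variable "can_delete_rgs_in_scopes" {
  // … unchanged: type, description, default …

  validation {
    condition     = alltrue([for s in var.can_delete_rgs_in_scopes : can(regex("^/subscriptions/[0-9a-fA-F-]{36}$", s))])
    error_message = "Each entry must be a subscription scope of the form /subscriptions/<subscriptionId>."
  }
}
```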

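--- a/variables.tf
+++ b/variables.tf
@@ -20,6 +20,12 @@ variable "can_cancel_subscriptions_in_scopes" {
 default = []
 }
 
+variable "can_delete_rgs_in_scopes" {
+type = list(string)
+description = "The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`."
+default = []
+}
+
 variable "metering_service_principal_name" {
 type = string
 default = "kraken"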
