ID-1282 Finalize Azure Private Resource Types #1440

Merged
merged 3 commits into develop from tl_ID-1282_azure_private_resources_final on May 22, 2024

Conversation

tlangs
Contributor

@tlangs tlangs commented May 22, 2024

What:

We've done a lot of technical feasibility work, and settled on what resource types need to exist for Private Azure Container Registries and Storage Accounts. This gets rid of previous resource types and actions, which will need to be manually removed from production.

Since resource types are upserted on boot, current resources should continue to work. We should migrate away from them and delete the resource types that are no longer in use.

Why:

Representing resource types as their logical Terra functional pieces gives us a lot of flexibility around access control and the evolution of features. A raw azure_managed_identity doesn't let Sam do what it does best: manage users' access to things. By representing an azure_private_storage_account as its own resource, we can use Sam to manage which users can read and which users can write. The Action Managed Identities are just an implementation detail of how the underlying cloud resource is accessed.

How:

Update reference.conf


PR checklist

  • I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
  • I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Reviewed snippet (reference.conf):

```hocon
admin = {
  roleActions = ["delete", "read_policies", "use", "share_policy::admin", "share_policy::user", "identify"]
}
owner = {
  roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::reader", "share_policy::writer", "read", "write"]
}
```

Contributor


do they need pull_image?

Contributor Author


I think it makes sense that an owner has all the permissions of other roles.
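As an added example (not Sam's own code), a small Python lint over a resource-type definition in the shape of the roleActions lists reviewed above: it checks the invariant the reply states (the owner role carries every action of the other roles), that every share_policy::<role> action names a role defined on the same resource type, and which roles nobody could ever share. The PRIVATE_REGISTRY definition, including the pull_image gap, is constructed for illustration and is not the project's reference.conf.

```python
"""Lint for a Sam-style resource-type role/action table (added example, not Sam's code)."""
from typing import Dict, Set

Roles = Dict[str, Set[str]]  # role name -> set of actions granted by that role

# CONSTRUCTED sample in the shape of the PR's reference.conf roleActions lists.
# The reader/writer roles here deliberately carry pull_image while owner does not,
# which is exactly the gap the review comment asks about.
PRIVATE_REGISTRY: Roles = {
    "reader": {"read", "pull_image"},
    "writer": {"read", "write", "pull_image"},
    "owner": {"delete", "read_policies", "share_policy::owner",
              "share_policy::reader", "share_policy::writer", "read", "write"},
}


def missing_from_superrole(roles: Roles, superrole: str) -> Set[str]:
    """Actions some other role grants that `superrole` lacks.

    Encodes the expectation from the review thread: the owner role should have
    every permission the other roles have. An empty result means it holds.
    """
    others = set().union(*(acts for name, acts in roles.items() if name != superrole))
    return others - roles[superrole]


def dangling_share_policies(roles: Roles) -> Dict[str, Set[str]]:
    """share_policy::<role> actions whose <role> is not defined on this resource type.

    Such an action can never be satisfied, so it is almost always a typo or a
    leftover from a role that was removed.
    """
    dangling: Dict[str, Set[str]] = {}
    for name, acts in roles.items():
        bad = {a for a in acts
               if a.startswith("share_policy::") and a.split("::", 1)[1] not in roles}
        if bad:
            dangling[name] = bad
    return dangling


def unshareable_roles(roles: Roles) -> Set[str]:
    """Roles that no role on the resource type can grant via share_policy::<role>."""
    grantable = {a.split("::", 1)[1] for acts in roles.values()
                 for a in acts if a.startswith("share_policy::")}
    return set(roles) - grantable


if __name__ == "__main__":
    print("owner lacks:", missing_from_superrole(PRIVATE_REGISTRY, "owner"))  # {'pull_image'}
    print("dangling share_policy actions:", dangling_share_policies(PRIVATE_REGISTRY))
    print("roles nobody can share:", unshareable_roles(PRIVATE_REGISTRY))
```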

@tlangs tlangs merged commit 63bec37 into develop May 22, 2024
24 checks passed
@tlangs tlangs deleted the tl_ID-1282_azure_private_resources_final branch May 22, 2024 19:31
4 participants