Refactor role assignment check to validate both "Storage Blob Data Co…

…ntributor" and "Storage Account Contributor" roles
microsoft · Feb 26, 2025 · 3c407d7 · 3c407d7
1 parent 0ec539a
commit 3c407d7
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
@@ -43,18 +43,36 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
   --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
 
 # Function to check if the role assignment exists
-check_role_assignment() {
-  az role assignment list --assignee "$USER_OBJECT_ID" --role "Storage Blob Data Contributor" --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" --query "[].id" --output tsv
+check_role_assignments() {
+  local sbdc=$(az role assignment list \
+    --assignee "$USER_OBJECT_ID" \
+    --role "Storage Blob Data Contributor" \
+    --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+    --query "[].id" --output tsv)
+
+  local sac=$(az role assignment list \
+    --assignee "$USER_OBJECT_ID" \
+    --role "Storage Account Contributor" \
+    --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+    --query "[].id" --output tsv)
+
+  # Return a non-empty value only if both roles are assigned
+  if [[ -n "$sbdc" && -n "$sac" ]]; then
+    echo "both"
+  fi
 }
 
 # Wait for the role assignment to be applied
 echo -e "\n\e[34m»»» ⏳ \e[96mWaiting for role assignment to be applied\e[0m..."
-while [ -z "$(check_role_assignment)" ]; do
+while [ -z "$(check_role_assignments)" ]; do
   echo "Waiting for role assignment..."
   sleep 10
 done
 echo "Role assignment applied."
 
+# shellcheck disable=SC1091
+source ../scripts/mgmtstorage_enable_public_access.sh
+
 # Blob container
 # shellcheck disable=SC2154
 az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table