Update for User Assigned Identity new roles and System Assigned Ident…

…ity roles.
iknowjason · Oct 16, 2024 · feac7b9 · feac7b9
1 parent 52246ae
commit feac7b9
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 2 deletions.
diff --git a/generators/sentinel/files/win10/bootstrap-win10-sentinel.ps1.tpl b/generators/sentinel/files/win10/bootstrap-win10-sentinel.ps1.tpl
@@ -451,3 +451,4 @@ if ( $jd -eq 1 ) {
 
 $mtime = Get-Date
 lwrite("$mtime End bootstrap powershell script")
+
diff --git a/generators/sentinel/sentinel.py b/generators/sentinel/sentinel.py
@@ -1102,6 +1102,27 @@ def get_endpoint_template():
   filename = "${path.module}/hosts-${var.ENDPOINT_HOSTNAME_VAR_NAME}.cfg"
 }
 
+# add 'Contributor' role scoped to subscription for system-assigned managed identity
+resource "azurerm_role_assignment" "contributor_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME" {
+  scope                = data.azurerm_subscription.mi.id
+  role_definition_name = "Contributor"
+  principal_id   = azurerm_virtual_machine.AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.identity[0].principal_id
+}
+
+# add 'Virtual Machine Contributor' role scoped to subscription for system-assigned managed identity
+resource "azurerm_role_assignment" "vm_contributor_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME" {
+  scope                = data.azurerm_subscription.mi.id
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id   = azurerm_virtual_machine.AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.identity[0].principal_id
+}
+
+# add 'Key Vault Reader' role scoped to subscription for system-assigned managed identity
+resource "azurerm_role_assignment" "key_vault_reader_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME" {
+  scope                = data.azurerm_subscription.mi.id
+  role_definition_name = "Key Vault Reader"
+  principal_id   = azurerm_virtual_machine.AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.identity[0].principal_id
+}
+
 output "windows_endpoint_details_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME" {
   value = <<EOS
 -------------------------
@@ -1117,6 +1138,10 @@ def get_endpoint_template():
 -------------
 ssh ${var.ADMIN_USERNAME_VAR_NAME}@${azurerm_public_ip.AZURERM_PUBLIC_IP_VAR_NAME.ip_address}
 
+System-Assigned Identity for ${var.ENDPOINT_HOSTNAME_VAR_NAME}:
+-------------------------
+Object ID:   ${azurerm_virtual_machine.AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.identity[0].principal_id}
+Roles:       ${azurerm_role_assignment.contributor_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.role_definition_name}, ${azurerm_role_assignment.vm_contributor_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.role_definition_name}, ${azurerm_role_assignment.key_vault_reader_si_AZURERM_WINDOWS_VIRTUAL_MACHINE_VAR_NAME.role_definition_name}
 EOS
 }
 
@@ -1141,16 +1166,50 @@ def get_midentity_template():
   default = "SystemAssigned, UserAssigned"
 }
 
-# Assign the reader role on subscription to the Managed Identity
-resource "azurerm_role_assignment" "uai" {
+# add 'Owner' role scoped to subscription for user-assigned managed identity
+resource "azurerm_role_assignment" "owner_uai" {
   scope                = data.azurerm_subscription.mi.id
   role_definition_name = "Owner"
   principal_id         = azurerm_user_assigned_identity.uai.principal_id
 }
 
+# add 'Virtual Machine Contributor' role scoped to subscription for user-assigned managed identity
+resource "azurerm_role_assignment" "vm_contributor_uai" {
+  scope                = data.azurerm_subscription.mi.id
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id         = azurerm_user_assigned_identity.uai.principal_id
+}
+
+# add 'Key Vault Reader' role scoped to subscription for user-assigned managed identity
+resource "azurerm_role_assignment" "key_vault_reader_uai" {
+  scope                = data.azurerm_subscription.mi.id
+  role_definition_name = "Key Vault Reader"
+  principal_id         = azurerm_user_assigned_identity.uai.principal_id
+}
+
 data "azurerm_subscription" "mi" {
 }
 
+output "managed_identity_details" {
+  value = <<EOS
+-------------------------
+Managed Identity Details
+-------------------------
+Subscription ID:   ${split("/", data.azurerm_subscription.mi.id)[2]}
+Subscription Name: ${data.azurerm_subscription.mi.display_name}
+Resource Group:    ${azurerm_resource_group.network.name}
+
+User-Assigned Identity:
+-------------------------
+Name:        ${azurerm_user_assigned_identity.uai.name}
+Client ID:   ${azurerm_user_assigned_identity.uai.client_id}
+Object ID:   ${azurerm_user_assigned_identity.uai.principal_id}
+Roles:       ${azurerm_role_assignment.owner_uai.role_definition_name}, ${azurerm_role_assignment.vm_contributor_uai.
+role_definition_name}, ${azurerm_role_assignment.key_vault_reader_uai.role_definition_name}
+
+EOS
+}
+
 '''
     return template
 # End of managed identity template
Original file line number	Diff line number	Diff line change
Expand Up		@@ -451,3 +451,4 @@ if ( $jd -eq 1 ) {

		$mtime = Get-Date
		lwrite("$mtime End bootstrap powershell script")