From 7b46c3aeedf3c70ef95b32e982625bf3f82a1de8 Mon Sep 17 00:00:00 2001
From: h-elango <76998354+h-elango@users.noreply.github.com>
Date: Tue, 18 Apr 2023 15:17:01 +0530
Subject: [PATCH] Update roles, add archival roles (#3)

1. Update the latest permissions for CNP, exocompute roles.
2. Add roles for archival.
---
 polaris-custom-role-archival-encryption.json | 22 ++++++++++
 polaris-custom-role-archival.json | 40 +++++++++++++++++++
 ...s-custom-role-cloud-native-protection.json | 4 +-
 polaris-custom-role-exocompute.json | 6 ++-
 4 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 polaris-custom-role-archival-encryption.json
 create mode 100644 polaris-custom-role-archival.json
 rename polaris-custom-role-definition.json => polaris-custom-role-cloud-native-protection.json (95%)

diff --git a/polaris-custom-role-archival-encryption.json b/polaris-custom-role-archival-encryption.json
new file mode 100644
index 0000000..83c9f27
--- /dev/null
+++ b/polaris-custom-role-archival-encryption.json
@@ -0,0 +1,22 @@
+{
+ "id": "/subscriptions/abcdefgh-1234-abcd-1234-abcdefghijkl/providers/Microsoft.Authorization/roleDefinitions/01234567-abcd-1234-abcd-123456789012",
+ "properties": {
+ "roleName": "Rubrik Polaris ARCHIVAL ENCRYPTION - 01234567-abcd-1234-abcd-123456789012",
+ "description": "Rubrik Polaris role for ARCHIVAL ENCRYPTION",
+ "assignableScopes": [
+ "/subscriptions/abcdefgh-1234-abcd-1234-abcdefghijkl"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.KeyVault/vaults/keys/unwrap/action",
+ "Microsoft.KeyVault/vaults/keys/wrap/action",
+ "Microsoft.KeyVault/vaults/keys/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
diff --git a/polaris-custom-role-archival.json b/polaris-custom-role-archival.json
new file mode 100644
index 0000000..4ed3d34
--- /dev/null
+++ b/polaris-custom-role-archival.json
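Review bot: `Microsoft.KeyVault/vaults/keys/wrap/action` and `Microsoft.KeyVault/vaults/keys/unwrap/action` are, as far as I know, data-plane operations (the built-in Key Vault Crypto Service Encryption User role carries them under `dataActions`), so listing them under `actions` while `dataActions` stays `[]` would likely create the role without error yet not grant the wrap/unwrap calls; please confirm against the Microsoft.KeyVault operations list and, if so, move them to `"dataActions": ["Microsoft.KeyVault/vaults/keys/wrap/action", "Microsoft.KeyVault/vaults/keys/unwrap/action", "Microsoft.KeyVault/vaults/keys/read"]`. Data actions only take effect on vaults using the Azure RBAC permission model; vaults still on access policies need the key permission granted there instead, which is worth stating in `description` since JSON has no comment syntax. Both new files also reuse the same placeholder roleDefinition GUID `01234567-abcd-1234-abcd-123456789012` in `id` and `roleName`; each role needs its own unique GUID at deployment, and the sample values in this file should be marked as placeholders to replace.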
@@ -0,0 +1,40 @@
+{
+ "id": "/subscriptions/abcdefgh-1234-abcd-1234-abcdefghijkl/providers/Microsoft.Authorization/roleDefinitions/01234567-abcd-1234-abcd-123456789012",
+ "properties": {
+ "roleName": "Rubrik Polaris ARCHIVAL - 01234567-abcd-1234-abcd-123456789012",
+ "description": "Rubrik Polaris role for ARCHIVAL",
+ "assignableScopes": [
+ "/subscriptions/abcdefgh-1234-abcd-1234-abcdefghijkl"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Storage/storageAccounts/read",
+ "Microsoft.Storage/storageAccounts/write",
+ "Microsoft.Storage/storageAccounts/listkeys/action",
+ "Microsoft.Storage/storageAccounts/listServiceSas/action",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Resources/subscriptions/resourceGroups/write",
+ "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
+ "Microsoft.Storage/storageAccounts/encryptionScopes/read",
+ "Microsoft.Storage/storageAccounts/encryptionScopes/write",
+ "Microsoft.KeyVault/vaults/read",
+ "Microsoft.KeyVault/vaults/keys/read",
+ "Microsoft.Storage/storageAccounts/blobServices/read",
+ "Microsoft.Storage/storageAccounts/blobServices/write"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+ ],
+ "notDataActions": []
+ }
+ ]
+ }
+}
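Review bot: `Microsoft.Storage/storageAccounts/listkeys/action` (also added to polaris-custom-role-cloud-native-protection.json in this commit) returns the storage account keys, which are long-lived credentials giving full data-plane access to every storage account inside the assignable scope, so the blob-level limits expressed in `dataActions` do not actually bound what this principal can do. With `assignableScopes` set to the whole subscription that reaches storage accounts unrelated to archival; if key retrieval is genuinely required, say so in `description` and prefer assigning the role at a dedicated resource group, and note that `listKeys` calls are visible in the subscription Activity Log so they can be monitored. The `.../blobs/immutableStorage/runAsSuperUser/action` data action also deserves a justification in `description`, since it appears to permit operations that immutability policies would otherwise block and immutability is the control archival copies rely on against tampering; worth confirming which workflow needs it. Keeping `listkeys/action` and `listServiceSas/action` together is redundant in practice: a SAS can be minted from the keys, so one of the two is usually enough.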
diff --git a/polaris-custom-role-definition.json b/polaris-custom-role-cloud-native-protection.json
similarity index 95%
rename from polaris-custom-role-definition.json
rename to polaris-custom-role-cloud-native-protection.json
index 6f71819..faeb60c 100644
--- a/polaris-custom-role-definition.json
+++ b/polaris-custom-role-cloud-native-protection.json
@@ -52,7 +52,9 @@
 "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
 "Microsoft.Compute/availabilitySets/read",
 "Microsoft.Storage/storageAccounts/read",
- "Microsoft.Compute/diskEncryptionSets/read"
+ "Microsoft.Compute/diskEncryptionSets/read",
+ "Microsoft.Compute/galleries/images/versions/read",
+ "Microsoft.Storage/storageAccounts/listkeys/action"
 ],
 "notActions": [],
 "dataActions": [
diff --git a/polaris-custom-role-exocompute.json b/polaris-custom-role-exocompute.json
index f302807..e633dc2 100644
--- a/polaris-custom-role-exocompute.json
+++ b/polaris-custom-role-exocompute.json
@@ -16,7 +16,11 @@
 "Microsoft.ContainerRegistry/registries/pull/read",
 "Microsoft.ContainerRegistry/registries/read",
 "Microsoft.Network/virtualNetworks/subnets/join/action",
- "Microsoft.Network/virtualNetworks/subnets/read"
+ "Microsoft.Network/virtualNetworks/subnets/read",
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Compute/disks/read",
+ "Microsoft.Compute/disks/write",
+ "Microsoft.Compute/disks/delete"
 ],
 "notActions": [],
 "dataActions": [],
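Review bot: `Microsoft.Compute/disks/write` and `Microsoft.Compute/disks/delete` in the exocompute hunk are granted at whatever `assignableScopes` the file declares, which by analogy with the two new role files is presumably the whole subscription (that block is outside this hunk), so the exocompute identity could modify or delete managed disks of workloads it is not protecting. The commit message only says permissions were updated and does not name the exocompute operation that needs disk write/delete; a short justification in the file's `description` (also outside the hunk) and a recommendation to assign this role at the exocompute resource group rather than the subscription would keep the blast radius proportionate. The enclosing JSON object begins and ends outside the hunk.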