cli: give Azure uami all perms previously given to app registration (#1334)

This is the first step for deprecating app registrations on Azure. The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration. * cli: give Azure uami all permissions previously given to app registratio * docs: document required owner role for user-assigned managed identity on Azure
2025-05-16 13:12:21 -04:00 · 2023-03-21 10:00:13 +01:00 · 2023-03-21 10:00:13 +01:00 · 44db16b42e
commit 44db16b42e
parent 88340ba4cb
2 changed files with 12 additions and 2 deletions
--- a/cli/internal/terraform/terraform/iam/azure/main.tf
+++ b/cli/internal/terraform/terraform/iam/azure/main.tf
@ -59,6 +59,16 @@ resource "azurerm_role_assignment" "application_insights_component_contributor_r
  principal_id         = azurerm_user_assigned_identity.identity_uami.principal_id
 }

+resource "azurerm_role_assignment" "uami_owner_role" {
+  scope                = azurerm_resource_group.base_resource_group.id
+  role_definition_name = "Owner"
+  principal_id         = azurerm_user_assigned_identity.identity_uami.principal_id
+}
+
+# the app registration, application secrets
+# and role assignments below will be removed in the future
+# TODO(malt3): remove app registration as planned by AB#2961
+
 # Create application registration
 resource "azuread_application" "base_application" {
  display_name = "${var.resource_group_name}-application"
@ -72,7 +82,7 @@ resource "azuread_service_principal" "application_principal" {
 }

 # Set identity as base resource group owner
-resource "azurerm_role_assignment" "owner_role" {
+resource "azurerm_role_assignment" "app_registration_owner_role" {
  scope                = azurerm_resource_group.base_resource_group.id
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.application_principal.object_id