Merge pull request #98 from SvenAelterman/95-adf-managed-private-endp…

…oint-for-the-spoke-airlock-storage-account-is-not-approved Assign Storage Account Contributor role to UAMI to approve private endpoints on airlock storage account
Azure · Aug 1, 2024 · 3b514c7 · 3b514c7
2 parents f8968ee + 5a95b7d
commit 3b514c7
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/research-spoke/spoke-modules/airlock/main.bicep b/research-spoke/spoke-modules/airlock/main.bicep
@@ -176,6 +176,17 @@ module uamiProjectStorageRoleAssignmentModule '../../../module-library/roleAssig
   }
 }
 
+// Assign UAMI a role to approve the airlock storage account's private endpoint (GitHub issue #95)
+module uamiAirlockStorageRoleAssignmentModule '../../../module-library/roleAssignments/roleAssignment-st.bicep' = if (!useCentralizedReview) {
+  name: replace(deploymentNameStructure, '{rtype}', 'uami-airlock-role2')
+  params: {
+    principalId: uamiModule.outputs.principalId
+    roleDefinitionId: roles.StorageAccountContributor
+    storageAccountName: spokeAirlockStorageAccountModule.outputs.storageAccountName
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // Azure Data Factory resource and contents
 module adfModule 'adf.bicep' = {
   name: replace(deploymentNameStructure, '{rtype}', 'adf')
@@ -409,6 +420,14 @@ var privateEndpointIdsToApprove = join(
   '\',\''
 )
 
+var privateLinkResourceIds = join(
+  [
+    privateManagedPrivateEndpointModule.outputs.privateLinkResourceId
+    airlockManagedPrivateEndpointModule.outputs.privateLinkResourceId
+  ],
+  '\',\''
+)
+
 // Start the triggers in the Data Factory
 module startTriggerDeploymentScriptModule 'deploymentScript.bicep' = {
   name: replace(deploymentNameStructure, '{rtype}', 'dplscr-StartTriggers')
@@ -432,7 +451,7 @@ module approvePrivateEndpointDeploymentScriptModule 'deploymentScript.bicep' = {
     location: location
     subWorkloadName: 'ApprovePep'
     namingStructure: namingStructure
-    arguments: '-PrivateLinkResourceIds @(\'${privateManagedPrivateEndpointModule.outputs.privateLinkResourceId}\', \'${airlockManagedPrivateEndpointModule.outputs.privateLinkResourceId}\') -PrivateEndpointIds @(\'${privateEndpointIdsToApprove}\') -SubscriptionId ${subscription().subscriptionId}'
+    arguments: '-PrivateLinkResourceIds @(\'${privateLinkResourceIds}\') -PrivateEndpointIds @(\'${privateEndpointIdsToApprove}\') -SubscriptionId ${subscription().subscriptionId}'
     scriptContent: loadTextContent('./content/ApproveManagedPrivateEndpoint.ps1')
     userAssignedIdentityId: uamiModule.outputs.id
     tags: tags