Grant workload principals permissions to database

frasermolyneux · Jul 6, 2024 · 9f3263a · 9f3263a
1 parent 9f561bf
commit 9f3263a
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 6 deletions.
diff --git a/terraform/aad_group.tf b/terraform/aad_group.tf
@@ -0,0 +1,5 @@
+resource "azuread_group" "sql_admin_group" {
+  display_name     = local.sql_admin_group_name
+  owners           = [data.azuread_client_config.current.object_id]
+  security_enabled = true
+}
diff --git a/terraform/aad_group_membership.tf b/terraform/aad_group_membership.tf
@@ -0,0 +1,6 @@
+resource "azuread_group_member" "group_membership" {
+  for_each = { for each in var.sql_admin_aad_group_members : each => each }
+
+  group_object_id  = azuread_group.sql_admin_group.id
+  member_object_id = data.azuread_service_principal.workload[each.value].object_id
+}
diff --git a/terraform/data.service_principals.tf b/terraform/data.service_principals.tf
@@ -0,0 +1,5 @@
+data "azuread_service_principal" "workload" {
+  for_each = { for each in var.sql_admin_aad_group_members : each => each }
+
+  display_name = each.value
+}
diff --git a/terraform/sql_server.tf b/terraform/sql_server.tf
@@ -1,9 +1,3 @@
-resource "azuread_group" "sql_admin_group" {
-  display_name     = local.sql_admin_group_name
-  owners           = [data.azuread_client_config.current.object_id]
-  security_enabled = true
-}
-
 resource "random_password" "sql_admin_password" {
   length           = 16
   special          = true

diff --git a/terraform/tfvars/dev.tfvars b/terraform/tfvars/dev.tfvars
@@ -4,6 +4,11 @@ instance    = "01"
 
 subscription_id = "d68448b0-9947-46d7-8771-baa331a3063a"
 
+sql_admin_aad_group_members = [
+  "spn-portal-repository-development",
+  "spn-xtremeidiots-portal-development"
+]
+
 log_analytics_subscription_id     = "d68448b0-9947-46d7-8771-baa331a3063a"
 log_analytics_resource_group_name = "rg-platform-logging-prd-uksouth-01"
 log_analytics_workspace_name      = "log-platform-prd-uksouth-01"

diff --git a/terraform/tfvars/prd.tfvars b/terraform/tfvars/prd.tfvars
@@ -4,6 +4,11 @@ instance    = "01"
 
 subscription_id = "32444f38-32f4-409f-889c-8e8aa2b5b4d1"
 
+sql_admin_aad_group_members = [
+  "spn-portal-repository-production",
+  "spn-xtremeidiots-portal-production"
+]
+
 log_analytics_subscription_id     = "d68448b0-9947-46d7-8771-baa331a3063a"
 log_analytics_resource_group_name = "rg-platform-logging-prd-uksouth-01"
 log_analytics_workspace_name      = "log-platform-prd-uksouth-01"

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -12,6 +12,11 @@ variable "instance" {
 
 variable "subscription_id" {}
 
+variable "sql_admin_aad_group_members" {
+  type    = list(string)
+  default = []
+}
+
 variable "log_analytics_subscription_id" {}
 variable "log_analytics_resource_group_name" {}
 variable "log_analytics_workspace_name" {}