Merge pull request #2 from otterize/david/add-support-for-multiple-su…

…bscriptions Add support for managing multiple subscriptions
otterize · Dec 11, 2024 · 65a681a · 65a681a
2 parents a68a7d0 + 3ddb663
commit 65a681a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/data.tf b/data.tf
@@ -1,4 +1,6 @@
-data "azurerm_subscription" "primary" {}
+data "azurerm_subscription" "current_subscription" {
+  subscription_id = var.azure_subscription_id
+}
 
 data "azurerm_resource_group" "current_resource_group" {
   name = var.azure_resource_group
@@ -7,4 +9,9 @@ data "azurerm_resource_group" "current_resource_group" {
 data "azurerm_kubernetes_cluster" "current_aks_cluster" {
   name                = var.aks_cluster_name
   resource_group_name = data.azurerm_resource_group.current_resource_group.name
+}
+
+data "azurerm_subscription" "managed_subscriptions" {
+  for_each        = toset(var.managed_subscription_ids)
+  subscription_id = each.key
 }
diff --git a/resource.tf b/resource.tf
@@ -5,7 +5,7 @@ resource "azurerm_user_assigned_identity" "otterize_operator_managed_identity" {
 }
 
 resource "azurerm_role_assignment" "assign_otterize_operator_resource_group_owner" {
-  scope                = data.azurerm_subscription.primary.id
+  scope                = data.azurerm_resource_group.current_resource_group.id
   role_definition_name = "Owner"
   principal_id         = azurerm_user_assigned_identity.otterize_operator_managed_identity.principal_id
 
@@ -14,6 +14,27 @@ resource "azurerm_role_assignment" "assign_otterize_operator_resource_group_owne
   ]
 }
 
+resource "azurerm_role_assignment" "assign_otterize_operator_subscription_user_access_administrator" {
+  scope                = data.azurerm_subscription.current_subscription.id
+  role_definition_name = "User Access Administrator"
+  principal_id         = azurerm_user_assigned_identity.otterize_operator_managed_identity.principal_id
+
+  depends_on = [
+    azurerm_user_assigned_identity.otterize_operator_managed_identity,
+  ]
+}
+
+resource "azurerm_role_assignment" "assign_otterize_operator_managed_subscriptions_user_access_administrator" {
+  for_each            = data.azurerm_subscription.managed_subscriptions
+  scope               = each.value.id
+  role_definition_name = "User Access Administrator"
+  principal_id        = azurerm_user_assigned_identity.otterize_operator_managed_identity.principal_id
+
+  depends_on = [
+    azurerm_user_assigned_identity.otterize_operator_managed_identity,
+  ]
+}
+
 resource "azurerm_federated_identity_credential" "intents_operator_federated_identity_credential" {
   name                = "ottr-k8s-operator-intents-federated-identity-credential-${var.aks_cluster_name}"
   resource_group_name = data.azurerm_resource_group.current_resource_group.name

diff --git a/variable.tf b/variable.tf
@@ -22,4 +22,10 @@ variable "otterize_deploy_namespace" {
   description = "The namespace Otterize is deployed in"
   type        = string
   default     = "otterize-system"
+}
+
+variable "managed_subscription_ids" {
+  description = "To allow the operator to manage access to resources outside the provided AKS cluster's subscription, provide a list of additional subscription IDs"
+  type    = list(string)
+  default = []
 }