Add Read Action to Role Assignment Condition (#1111)

ianstanton · web-flow · commit 20969073adbd · 2024-12-24T13:48:27.000-05:00
Signed-off-by: Ian Stanton &lt;ian@tembo.io&gt;
diff --git a/conductor/src/azure/uami_builder.rs b/conductor/src/azure/uami_builder.rs
@@ -176,12 +176,12 @@ pub async fn create_role_assignment(
         !(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}})
         AND
         !(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}})
+        AND
+        !(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}})
     )
     OR
     (
         @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{azure_backup_container}'
-        AND
-        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '{namespace}/*'
     )
 )
     "

Original file line number	Diff line number	Diff line change
`@@ -176,12 +176,12 @@ pub async fn create_role_assignment(`
`176`	`176`	`!(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}})`
`177`	`177`	`AND`
`178`	`178`	`!(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}})`
	`179`	`+ AND`
	`180`	`+ !(ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}})`
`179`	`181`	`)`
`180`	`182`	`OR`
`181`	`183`	`(`
`182`	`184`	`@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{azure_backup_container}'`
`183`		`- AND`
`184`		`- @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '{namespace}/*'`
`185`	`185`	`)`
`186`	`186`	`)`
`187`	`187`	`"`