From ec2df611bf0f5ac394338295ee40e418c13babf4 Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Mon, 23 Dec 2024 13:58:52 -0500
Subject: [PATCH] Add Write Condition to Azure Role Assignment (#1106)

Signed-off-by: Ian Stanton
---
 conductor/src/azure/uami_builder.rs | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/conductor/src/azure/uami_builder.rs b/conductor/src/azure/uami_builder.rs
index 22df78705..413201828 100644
--- a/conductor/src/azure/uami_builder.rs
+++ b/conductor/src/azure/uami_builder.rs
@@ -177,14 +177,22 @@ pub async fn create_role_assignment(
 )
 OR
 (
- @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{}'
+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{azure_backup_container}'
 AND
- @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '{}/*'
+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '{namespace}/*'
 )
 )
- ",
- azure_backup_container,
- namespace
+AND
+(
+ (
+ !ActionMatches{{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}}
+ )
+ OR
+ (
+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{azure_backup_container}'
+ )
+)
+ "
 ));
 let storage_account_id = get_storage_account_id(
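Review bot: The new write clause added after `-namespace` scopes `blobs/write` only to the backup container and not to the namespace prefix, so the identity can write to any blob path in that container, including other namespaces' backup prefixes, whereas the read branch just above keeps the `StringLike '{namespace}/*'` path check. Unless cross-namespace writes are intended, the write branch's second OR arm should carry the same path condition: `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{azure_backup_container}'` followed by `AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '{namespace}/*'`. The clause only names the `blobs/write` action; whether the assigned role also grants delete or other mutating actions is not visible in this hunk, so confirm those are either absent from the role or covered by a matching condition. The added lines also sit at column 0 inside the condition string while the surrounding clause lines are indented, which looks harmless to the condition parser but reads as a different style from the rest of the literal. `create_role_assignment` starts before the hunk and continues after it.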