From c73af7e4c3bebb05927a734cd459494c7cb2c76d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 17:59:38 +0000 Subject: [PATCH 1/5] chore(pre-commit): autoupdate hooks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/psf/black: 23.10.0 → 23.10.1](https://github.com/psf/black/compare/23.10.0...23.10.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 55f11d31..a6d452b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,7 +33,7 @@ repos: - id: check-added-large-files - repo: https://github.com/psf/black - rev: 23.10.0 + rev: 23.10.1 hooks: - id: black types: From 128fdf884e73e741edfc7c57295382e050336cec Mon Sep 17 00:00:00 2001 From: Angela Tran Date: Mon, 30 Oct 2023 23:29:45 +0000 Subject: [PATCH 2/5] refactor: remove role from Terraform, add docs on manual steps --- docs/deployment/infrastructure.md | 22 ++++++++++++++++++++++ terraform/roles.tf | 16 ---------------- 2 files changed, 22 insertions(+), 16 deletions(-) delete mode 100644 terraform/roles.tf diff --git a/docs/deployment/infrastructure.md b/docs/deployment/infrastructure.md index 9cb745e2..d0c6ae12 100644 --- a/docs/deployment/infrastructure.md +++ b/docs/deployment/infrastructure.md @@ -12,6 +12,7 @@ The following things in Azure are managed outside of Terraform: - Active Directory (users, groups, service principals, etc.) - Service connections - Configuration files, stored as blobs +- Role assignments ## Environments 
@@ -136,3 +137,24 @@ In general, the steps that must be done manually before the pipeline can be run - Create Terraform workspace for each environment - Trigger a pipeline run to verify `plan` and `apply` - Known chicken-and-egg problem: Terraform both creates the Key Vault and expects a secret within it, so will always fail on the first deploy. Add the Benefits slack email secret and re-run the pipeline. + +Once the pipeline has run, there are a few more steps to be done manually in the Azure portal. These are related to configuring the service principal used for ETL: + +- [Create the service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) +- Give the ETL service principal access to the `prod` storage account created by the pipeline: + - Navigate to the storage account + - Select **Access Control (IAM)** + - Select **Add**, then select **Add role assignment** + - In the **Role** tab, select `Storage Blob Data Contributor` + - In the **Members** tab, select `Select Members` and search for the ETL service principal. Add it to the role. + - Also in the **Members** tab, add a description of `This role assignment gives write access only for the path of the hashed data file.` + - In the **Conditions** tab, select **Add condition** and change the editor type to `Code` + - Add the following condition into the editor, filling in `` with the appropriate value: + +```text +( + ( + @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike '' + ) +) +``` diff --git a/terraform/roles.tf b/terraform/roles.tf deleted file mode 100644 index 92008dba..00000000 --- a/terraform/roles.tf +++ /dev/null 
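Review bot: The new "Once the pipeline has run" steps never say which container the role is assigned on or what value goes into the path condition, while the Terraform being removed scoped the assignment to the `config` container (`scope = azurerm_storage_container.config.resource_manager_id`) and, judging by the ETL file-name variable dropped later in this series, used the per-agency hashed file name as the path; with those values gone from the repo, the only record of the intended scope is what an operator types into the portal. I would add the container name and the expected path per agency (e.g. `velocity.csv` for MST, `mobilitypass.csv` for SBMTD, the values removed from `azure-vars.yml`) to the doc next to the condition. The description the doc asks the operator to enter says `write access only`, but as I understand the built-in `Storage Blob Data Contributor` role it also grants read and delete, and the condition as written limits only the blob path, not the action; either add an action clause to the condition or reword it to `This role assignment limits the ETL principal to the path of the hashed data file.` Since this assignment is no longer managed by Terraform and will not show up as drift, consider a short reminder to periodically confirm in the portal that the assignment and its condition are still present and unchanged.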
@@ -1,16 +0,0 @@ -resource "azurerm_role_assignment" "agency_card_data_etl" { - count = local.is_prod ? 1 : 0 - - description = "This role assignment gives write access only for the path of the hashed data file." - scope = azurerm_storage_container.config.resource_manager_id - role_definition_name = "Storage Blob Data Contributor" - principal_id = var.AGENCY_CARD_DATA_ETL_APP_OBJECT_ID - condition = < Date: Mon, 30 Oct 2023 23:58:30 +0000 Subject: [PATCH 3/5] chore: remove now unused variable for ETL service principal --- terraform/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index da63ec03..3e21666b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -8,11 +8,6 @@ variable "AGENCY_CARD" { type = string } -variable "AGENCY_CARD_DATA_ETL_APP_OBJECT_ID" { - description = "Object ID from the registered application for the Agency Card server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID" - type = string -} - variable "AGENCY_CARD_DATA_ETL_FILE" { description = "The name of the hashed data file that's uploaded to the storage account" type = string From 83d5231d7f9510986f83ce3ed1de939c903c4683 Mon Sep 17 00:00:00 2001 From: Angela Tran Date: Tue, 31 Oct 2023 17:01:56 +0000 Subject: [PATCH 4/5] chore: remove unused variable and values for ETL file name --- terraform/mst/azure-vars.yml | 1 - terraform/sbmtd/azure-vars.yml | 1 - terraform/variables.tf | 5 ----- 3 files changed, 7 deletions(-) diff --git a/terraform/mst/azure-vars.yml b/terraform/mst/azure-vars.yml index 9d2326b6..6a18fedd 100644 --- a/terraform/mst/azure-vars.yml +++ b/terraform/mst/azure-vars.yml @@ -4,4 +4,3 @@ variables: TF_VAR_AGENCY_CARD: "mst-courtesy-cards" TF_VAR_AGENCY_RESOURCE_GROUP_PREFIX: "courtesy-cards" TF_VAR_AGENCY_STORAGE_ACCOUNT_PREFIX: "mstcceligibility" - TF_VAR_AGENCY_CARD_DATA_ETL_FILE: "velocity.csv" 
diff --git a/terraform/sbmtd/azure-vars.yml b/terraform/sbmtd/azure-vars.yml index 2b19445b..4287dc60 100644 --- a/terraform/sbmtd/azure-vars.yml +++ b/terraform/sbmtd/azure-vars.yml @@ -4,4 +4,3 @@ variables: TF_VAR_AGENCY_CARD: "sbmtd-mobility-pass" TF_VAR_AGENCY_RESOURCE_GROUP_PREFIX: "sbmtd-mobility-pass" TF_VAR_AGENCY_STORAGE_ACCOUNT_PREFIX: "sbmtdmobilitypass" - TF_VAR_AGENCY_CARD_DATA_ETL_FILE: "mobilitypass.csv" diff --git a/terraform/variables.tf b/terraform/variables.tf index 3e21666b..40e5d8d5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -8,11 +8,6 @@ variable "AGENCY_CARD" { type = string } -variable "AGENCY_CARD_DATA_ETL_FILE" { - description = "The name of the hashed data file that's uploaded to the storage account" - type = string -} - variable "AGENCY_RESOURCE_GROUP_PREFIX" { description = "The prefix to the name of the resource group for each environment" type = string From d04bbe9e9d6ede4294a4e3e2ace1b7c194d593e1 Mon Sep 17 00:00:00 2001 From: Angela Tran Date: Tue, 31 Oct 2023 17:17:38 +0000 Subject: [PATCH 5/5] docs: correction on where the role needs to be assigned --- docs/deployment/infrastructure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/infrastructure.md b/docs/deployment/infrastructure.md index d0c6ae12..e04e60f9 100644 --- a/docs/deployment/infrastructure.md +++ b/docs/deployment/infrastructure.md 
@@ -142,7 +142,7 @@ Once the pipeline has run, there are a few more steps to be done manually in the - [Create the service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) - Give the ETL service principal access to the `prod` storage account created by the pipeline: - - Navigate to the storage account + - Navigate to the storage account container - Select **Access Control (IAM)** - Select **Add**, then select **Add role assignment** - In the **Role** tab, select `Storage Blob Data Contributor`