From 193dbefb1a15b76386acfd6ff047ea72b8a363b9 Mon Sep 17 00:00:00 2001
From: Florian Nowarre
Date: Wed, 4 Mar 2026 15:21:19 +0100
Subject: [PATCH] chore: principal_type = "ServicePrincipal"
---
 modules/azure/aks/backplane/main.tf | 32 +++++++++----------
 modules/azure/azure-bastion/backplane/main.tf | 1 +
 .../azure-virtual-machine/backplane/main.tf | 2 ++
 .../azure/budget-alert/backplane/README.md | 2 +-
 modules/azure/budget-alert/backplane/main.tf | 2 ++
 .../azure/budget-alert/backplane/outputs.tf | 3 +-
 .../container-registry/backplane/main.tf | 8 +++++
 modules/azure/key-vault/backplane/main.tf | 32 +++++++++----------
 modules/azure/postgresql/backplane/main.tf | 1 +
 modules/azure/spoke-network/backplane/main.tf | 1 +
 .../azure/storage-account/backplane/main.tf | 2 ++
 11 files changed, 52 insertions(+), 34 deletions(-)
diff --git a/modules/azure/aks/backplane/main.tf b/modules/azure/aks/backplane/main.tf
index 61c43dce..9fe9f103 100644
--- a/modules/azure/aks/backplane/main.tf
+++ b/modules/azure/aks/backplane/main.tf
@@ -133,16 +133,16 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 }
 resource "azurerm_role_assignment" "existing_principals" {
- for_each = var.existing_principal_ids
-
+ for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
 }
 resource "azurerm_role_assignment" "created_principal" {
- count = var.create_service_principal_name != null ? 1 : 0
-
+ count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope
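Review bot: `principal_type = "ServicePrincipal"` is hard-coded on `existing_principals`, whose `principal_id` comes from caller-supplied `var.existing_principal_ids`, so the module now silently assumes every ID it is handed is a service principal object ID; the same applies to every other `for_each` assignment in this patch (the `existing_principals_hub*` and `*_landingzone_to_hub` hunks here and in key-vault and container-registry, and the `buildingblock_deploy` / `existing_principals` assignments in azure-bastion, azure-virtual-machine, budget-alert, postgresql, spoke-network and storage-account). If a caller passes a group or user object ID the declared type no longer matches the object, and as far as I know the provider treats `principal_type` as a replacement-forcing attribute, so such existing assignments would be planned for destroy/recreate rather than left alone. The `created_principal` resources are unaffected, since their ID is `azuread_service_principal.buildingblock_deploy[0].object_id`. Either state the contract next to the attribute or on the variable, e.g. `# Caller-supplied IDs must be service principal object IDs; principal_type is fixed so Azure can skip the Graph lookup for freshly created principals`, or expose the type as an input so mixed principal sets keep working.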
@@ -193,8 +193,8 @@ resource "azurerm_role_definition" "buildingblock_landingzone_to_hub" {
 }
 resource "azurerm_role_assignment" "existing_principals_hub" {
- for_each = var.existing_hub_principal_ids
-
+ for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = each.value
@@ -202,8 +202,8 @@ resource "azurerm_role_assignment" "existing_principals_hub" {
 }
 resource "azurerm_role_assignment" "created_principal_hub" {
- count = var.create_hub_service_principal_name != null ? 1 : 0
-
+ count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
@@ -211,32 +211,32 @@ resource "azurerm_role_assignment" "created_principal_hub" {
 }
 resource "azurerm_role_assignment" "existing_principals_hub_to_landingzone" {
- for_each = var.existing_hub_principal_ids
-
+ for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
 }
 resource "azurerm_role_assignment" "created_principal_hub_to_landingzone" {
- count = var.create_hub_service_principal_name != null ? 1 : 0
-
+ count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
 scope = var.scope
 }
 resource "azurerm_role_assignment" "existing_principals_landingzone_to_hub" {
- for_each = var.existing_principal_ids
-
+ for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = each.value
 scope = var.hub_scope
 }
 resource "azurerm_role_assignment" "created_principal_landingzone_to_hub" {
- count = var.create_service_principal_name != null ? 1 : 0
-
+ count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.hub_scope
diff --git a/modules/azure/azure-bastion/backplane/main.tf b/modules/azure/azure-bastion/backplane/main.tf
index 306bedc8..e0c8d093 100644
--- a/modules/azure/azure-bastion/backplane/main.tf
+++ b/modules/azure/azure-bastion/backplane/main.tf
@@ -26,6 +26,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 resource "azurerm_role_assignment" "buildingblock_deploy" {
 for_each = var.principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
diff --git a/modules/azure/azure-virtual-machine/backplane/main.tf b/modules/azure/azure-virtual-machine/backplane/main.tf
index 055c4844..6c17e8fe 100644
--- a/modules/azure/azure-virtual-machine/backplane/main.tf
+++ b/modules/azure/azure-virtual-machine/backplane/main.tf
@@ -97,6 +97,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 resource "azurerm_role_assignment" "existing_principals" {
 for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
@@ -106,6 +107,7 @@ resource "azurerm_role_assignment" "existing_principals" {
 resource "azurerm_role_assignment" "created_principal" {
 count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope
diff --git a/modules/azure/budget-alert/backplane/README.md b/modules/azure/budget-alert/backplane/README.md
index 87867209..dd02a5f7 100644
--- a/modules/azure/budget-alert/backplane/README.md
+++ b/modules/azure/budget-alert/backplane/README.md
@@ -49,7 +49,7 @@ No modules.
 | Name | Description |
 |------|-------------|
-| [application\_password](#output\_application\_password) | Information about the created application password (excludes the actual password value for security). |
+| [application\_password](#output\_application\_password) | Information about the created application password including the password value. |
 | [created\_application](#output\_created\_application) | Information about the created Azure AD application. |
 | [created\_service\_principal](#output\_created\_service\_principal) | Information about the created service principal. |
 | [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Budget Alert building block backplane |
diff --git a/modules/azure/budget-alert/backplane/main.tf b/modules/azure/budget-alert/backplane/main.tf
index 057ddc2e..cbacfc68 100644
--- a/modules/azure/budget-alert/backplane/main.tf
+++ b/modules/azure/budget-alert/backplane/main.tf
@@ -55,6 +55,7 @@ resource "azurerm_role_assignment" "existing_principals" {
 for_each = var.existing_principal_ids
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
+ principal_type = "ServicePrincipal"
 principal_id = each.value
 scope = var.scope
 }
@@ -63,6 +64,7 @@ resource "azurerm_role_assignment" "created_principal" {
 count = var.create_service_principal_name != null ? 1 : 0
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
+ principal_type = "ServicePrincipal"
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope
 }
diff --git a/modules/azure/budget-alert/backplane/outputs.tf b/modules/azure/budget-alert/backplane/outputs.tf
index 2810be8f..d8b7c381 100644
--- a/modules/azure/budget-alert/backplane/outputs.tf
+++ b/modules/azure/budget-alert/backplane/outputs.tf
@@ -58,8 +58,9 @@ output "application_password" {
 value = var.create_service_principal_name != null && var.workload_identity_federation == null ? {
 key_id = azuread_application_password.buildingblock_deploy[0].key_id
 display_name = azuread_application_password.buildingblock_deploy[0].display_name
+ value = azuread_application_password.buildingblock_deploy[0].value
 } : null
- description = "Information about the created application password (excludes the actual password value for security)."
+ description = "Information about the created application password including the password value."
 sensitive = true
 }
diff --git a/modules/azure/container-registry/backplane/main.tf b/modules/azure/container-registry/backplane/main.tf
index 316300f6..ae1e7347 100644
--- a/modules/azure/container-registry/backplane/main.tf
+++ b/modules/azure/container-registry/backplane/main.tf
@@ -149,6 +149,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 resource "azurerm_role_assignment" "existing_principals" {
 for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
@@ -157,6 +158,7 @@ resource "azurerm_role_assignment" "existing_principals" {
 resource "azurerm_role_assignment" "created_principal" {
 count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope
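Review bot: The `application_password` output now carries the raw secret in `value`, and its description flips from "excludes the actual password value for security" to "including the password value", yet the commit title only mentions `principal_type`; a change that starts exporting a credential deserves its own commit with the rationale stated. `sensitive = true` only redacts the value from plan and apply output — it is still written to the state in clear text and is readable with `terraform output -json` and by every consumer of this module's outputs, which widens who can read the password compared with the previous shape of the output. If the export is needed, document that at the output, e.g. `# Exposes the password itself: it is stored in state in clear text, so access to state and to this output must be restricted accordingly`, and check whether the `var.workload_identity_federation` path already used in the condition can replace the password for the consumers that need it. The README table row changed in this patch mirrors the new description and would need the same caveat.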
@@ -209,6 +211,7 @@ resource "azurerm_role_definition" "buildingblock_landingzone_to_hub" {
 resource "azurerm_role_assignment" "existing_principals_hub" {
 for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = each.value
@@ -218,6 +221,7 @@ resource "azurerm_role_assignment" "existing_principals_hub" {
 resource "azurerm_role_assignment" "created_principal_hub" {
 count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
@@ -227,6 +231,7 @@ resource "azurerm_role_assignment" "created_principal_hub" {
 resource "azurerm_role_assignment" "existing_principals_hub_to_landingzone" {
 for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
@@ -235,6 +240,7 @@ resource "azurerm_role_assignment" "existing_principals_hub_to_landingzone" {
 resource "azurerm_role_assignment" "created_principal_hub_to_landingzone" {
 count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
 scope = var.scope
@@ -243,6 +249,7 @@ resource "azurerm_role_assignment" "created_principal_hub_to_landingzone" {
 resource "azurerm_role_assignment" "existing_principals_landingzone_to_hub" {
 for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = each.value
 scope = var.hub_scope
@@ -251,6 +258,7 @@ resource "azurerm_role_assignment" "existing_principals_landingzone_to_hub" {
 resource "azurerm_role_assignment" "created_principal_landingzone_to_hub" {
 count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.hub_scope
diff --git a/modules/azure/key-vault/backplane/main.tf b/modules/azure/key-vault/backplane/main.tf
index 0232aade..bc73fbc6 100644
--- a/modules/azure/key-vault/backplane/main.tf
+++ b/modules/azure/key-vault/backplane/main.tf
@@ -133,16 +133,16 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 }
 resource "azurerm_role_assignment" "existing_principals" {
- for_each = var.existing_principal_ids
-
+ for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
 }
 resource "azurerm_role_assignment" "created_principal" {
- count = var.create_service_principal_name != null ? 1 : 0
-
+ count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope
@@ -193,8 +193,8 @@ resource "azurerm_role_definition" "buildingblock_landingzone_to_hub" {
 }
 resource "azurerm_role_assignment" "existing_principals_hub" {
- for_each = var.existing_hub_principal_ids
-
+ for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = each.value
@@ -202,8 +202,8 @@ resource "azurerm_role_assignment" "existing_principals_hub" {
 }
 resource "azurerm_role_assignment" "created_principal_hub" {
- count = var.create_hub_service_principal_name != null ? 1 : 0
-
+ count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
@@ -211,32 +211,32 @@ resource "azurerm_role_assignment" "created_principal_hub" {
 }
 resource "azurerm_role_assignment" "existing_principals_hub_to_landingzone" {
- for_each = var.existing_hub_principal_ids
-
+ for_each = var.existing_hub_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
 }
 resource "azurerm_role_assignment" "created_principal_hub_to_landingzone" {
- count = var.create_hub_service_principal_name != null ? 1 : 0
-
+ count = var.create_hub_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_hub_to_landingzone.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy_hub[0].object_id
 scope = var.scope
 }
 resource "azurerm_role_assignment" "existing_principals_landingzone_to_hub" {
- for_each = var.existing_principal_ids
-
+ for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = each.value
 scope = var.hub_scope
 }
 resource "azurerm_role_assignment" "created_principal_landingzone_to_hub" {
- count = var.create_service_principal_name != null ? 1 : 0
-
+ count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_landingzone_to_hub.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.hub_scope
diff --git a/modules/azure/postgresql/backplane/main.tf b/modules/azure/postgresql/backplane/main.tf
index 9bda2841..b0549383 100644
--- a/modules/azure/postgresql/backplane/main.tf
+++ b/modules/azure/postgresql/backplane/main.tf
@@ -18,6 +18,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 resource "azurerm_role_assignment" "buildingblock_deploy" {
 for_each = var.principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
diff --git a/modules/azure/spoke-network/backplane/main.tf b/modules/azure/spoke-network/backplane/main.tf
index 12e986f8..e4784272 100644
--- a/modules/azure/spoke-network/backplane/main.tf
+++ b/modules/azure/spoke-network/backplane/main.tf
@@ -31,6 +31,7 @@ resource "azurerm_role_definition" "buildingblock_deploy_hub" {
 resource "azurerm_role_assignment" "buildingblock_deploy_hub" {
 for_each = var.principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
 description = azurerm_role_definition.buildingblock_deploy_hub.description
 principal_id = each.key
diff --git a/modules/azure/storage-account/backplane/main.tf b/modules/azure/storage-account/backplane/main.tf
index 44e93d18..9b79382d 100644
--- a/modules/azure/storage-account/backplane/main.tf
+++ b/modules/azure/storage-account/backplane/main.tf
@@ -72,6 +72,7 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
 resource "azurerm_role_assignment" "existing_principals" {
 for_each = var.existing_principal_ids
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = each.value
 scope = var.scope
@@ -81,6 +82,7 @@ resource "azurerm_role_assignment" "existing_principals" {
 resource "azurerm_role_assignment" "created_principal" {
 count = var.create_service_principal_name != null ? 1 : 0
+ principal_type = "ServicePrincipal"
 role_definition_id = azurerm_role_definition.buildingblock_deploy.role_definition_resource_id
 principal_id = azuread_service_principal.buildingblock_deploy[0].object_id
 scope = var.scope