#############################################################################################################
# Managed Identity (https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview) #
#############################################################################################################
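# Input describing the user-assigned managed identity created in this module.
# Only the name is configurable; resource group and location are inherited from
# azurerm_resource_group.studio so the identity lives alongside the other
# foundation resources.
variable managedIdentity {
  description = "User-assigned managed identity settings. `name` is the Azure resource name of the identity."
  type = object({
    name = string
  })

  # Reject an empty/whitespace-only name early at plan time instead of letting
  # the provider fail during apply.
  validation {
    condition     = length(trimspace(var.managedIdentity.name)) > 0
    error_message = "managedIdentity.name must be a non-empty string."
  }
}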
# The workload identity for the studio environment. Every role assignment
# below grants permissions to this identity's principal_id; the identity
# itself is placed in the foundation resource group and region.
resource azurerm_user_assigned_identity studio {
  location            = azurerm_resource_group.studio.location
  resource_group_name = azurerm_resource_group.studio.name
  name                = var.managedIdentity.name
}
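# Lets the identity read/assign itself (the scope is the identity's own
# resource id, so it cannot act on other managed identities). This is the
# permission needed for a principal to attach this identity to resources it
# provisions (e.g. virtual machines).
resource azurerm_role_assignment managed_identity_operator {
  role_definition_name = "Managed Identity Operator" # https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/identity#managed-identity-operator
  description          = "Allows the studio identity to assign itself to the resources it provisions."
  principal_id         = azurerm_user_assigned_identity.studio.principal_id
  scope                = azurerm_user_assigned_identity.studio.id # self-scoped: least privilege for this role
}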
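# Data-plane access to blobs in the studio storage account. "Owner" here
# includes the ability to set POSIX ACLs on blobs/containers; if the workload
# only reads and writes data, "Storage Blob Data Contributor" is the narrower
# built-in role — confirm which one the consumers of this identity require.
# The scope is the single storage account, not the resource group or
# subscription, so the grant does not reach other accounts.
resource azurerm_role_assignment storage_blob_data_owner {
  role_definition_name = "Storage Blob Data Owner" # https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-owner
  description          = "Blob data-plane access for the studio identity, limited to the studio storage account."
  principal_id         = azurerm_user_assigned_identity.studio.principal_id
  scope                = azurerm_storage_account.studio.id
}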
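# NOTE(review): this grant is subscription-wide, so the identity can manage
# (create/delete/run commands on) every VM in the subscription, not only those
# in the studio resource group. If the virtual machines this identity operates
# on all live in azurerm_resource_group.studio, narrowing the scope to
# `azurerm_resource_group.studio.id` bounds the blast radius of a compromised
# workload. Left at subscription scope here because the file does not show
# where the VMs are deployed — confirm with the compute module before changing.
resource azurerm_role_assignment virtual_machine_contributor {
  role_definition_name = "Virtual Machine Contributor" # https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/compute#virtual-machine-contributor
  description          = "VM management for the studio identity. Subscription-scoped; consider narrowing to the studio resource group."
  principal_id         = azurerm_user_assigned_identity.studio.principal_id
  scope                = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
}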
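# Exposes the identity to dependent modules. `principalId` is the Entra object
# id used for role assignments; `clientId` is the application id that a workload
# passes (e.g. as AZURE_CLIENT_ID) when requesting tokens with this identity.
# `clientId` is an additive key, so existing consumers of id/name/principalId
# are unaffected.
output managedIdentity {
  description = "Resource id, name, principal (object) id and client id of the studio user-assigned managed identity."
  value = {
    id          = azurerm_user_assigned_identity.studio.id
    name        = azurerm_user_assigned_identity.studio.name
    principalId = azurerm_user_assigned_identity.studio.principal_id
    clientId    = azurerm_user_assigned_identity.studio.client_id
  }
}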