Changed data resource name for aks_node_rg

adamrushuk · Oct 25, 2020 · f0842c4 · f0842c4
1 parent 0c348da
commit f0842c4
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 11 deletions.
diff --git a/terraform/data.tf b/terraform/data.tf
@@ -4,3 +4,7 @@ data "azurerm_subscription" "current" {}
 data "azuread_group" "aks" {
   name = var.aad_group_name
 }
+
+data "azurerm_resource_group" "aks_node_rg" {
+  name = azurerm_kubernetes_cluster.aks.node_resource_group
+}
diff --git a/terraform/function_app.tf b/terraform/function_app.tf
@@ -120,12 +120,8 @@ resource "azurerm_function_app" "func_app" {
 
 
 # Give Function App Reader role for the AKS cluster node resource group
-data "azurerm_resource_group" "aks" {
-  name = azurerm_kubernetes_cluster.aks.node_resource_group
-}
-
 resource "azurerm_role_assignment" "func_app" {
-  scope                = data.azurerm_resource_group.aks.id
+  scope                = data.azurerm_resource_group.aks_node_rg.id
   role_definition_name = "Reader"
   principal_id         = azurerm_function_app.func_app.identity.0.principal_id
 }
diff --git a/terraform/helm_aad_pod_identity.tf b/terraform/helm_aad_pod_identity.tf
@@ -6,15 +6,15 @@ resource "azurerm_role_assignment" "aks_mi_aks_node_rg_vm_contributor" {
   count                            = var.velero_enabled ? 1 : 0
   principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
   role_definition_name             = "Virtual Machine Contributor"
-  scope                            = data.azurerm_resource_group.aks.id
+  scope                            = data.azurerm_resource_group.aks_node_rg.id
   skip_service_principal_aad_check = true
 }
 
 resource "azurerm_role_assignment" "aks_mi_aks_node_rg_mi_operator" {
   count                            = var.velero_enabled ? 1 : 0
   principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
   role_definition_name             = "Managed Identity Operator"
-  scope                            = data.azurerm_resource_group.aks.id
+  scope                            = data.azurerm_resource_group.aks_node_rg.id
   skip_service_principal_aad_check = true
 }
 

diff --git a/terraform/velero_mi_auth.tf b/terraform/velero_mi_auth.tf
@@ -15,12 +15,11 @@ resource "azurerm_role_assignment" "velero_mi_velero_storage_rg" {
   scope                            = azurerm_resource_group.velero[0].id
 }
 
-# https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?source=docs#virtual-machine-contributor
-# vm disk read and write action / perms
+# assign velero MI contributor rights to velero storage RG
 resource "azurerm_role_assignment" "velero_mi_aks_node_rg_vm_contributor" {
   count                            = var.velero_enabled ? 1 : 0
   principal_id                     = azurerm_user_assigned_identity.velero[0].principal_id
-  role_definition_name             = "Virtual Machine Contributor"
-  scope                            = data.azurerm_resource_group.aks.id
+  role_definition_name             = "Contributor"
+  scope                            = data.azurerm_resource_group.aks_node_rg.id
   skip_service_principal_aad_check = true
 }