Merge pull request #13 from truefoundry/add-diagnotic-settings-read-role

Add diagnostic settings role to service principal
truefoundry · Jan 8, 2025 · 8e79dd7 · 8e79dd7
2 parents e03108c + d982b1b
commit 8e79dd7
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ No modules.
 | [azuread_service_principal.truefoundry_platform_features_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azuread_service_principal_password.truefoundry_platform_features_service_principal_password](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
 | [azurerm_container_registry.truefoundry_container_registry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
+| [azurerm_role_assignment.truefoundry_diagnostic_settings_read_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.truefoundry_reader_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_storage_account.truefoundry_platform_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
 | [azurerm_storage_container.truefoundry_platform_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
@@ -49,6 +50,7 @@ No modules.
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | ID of the AKS cluster | `string` | n/a | yes |
 | <a name="input_cluster_integration_azuread_application_enable_override"></a> [cluster\_integration\_azuread\_application\_enable\_override](#input\_cluster\_integration\_azuread\_application\_enable\_override) | Enable overriding the name of azuread application. This will only be used if feature\_cluster\_integration\_azuread\_application\_enabled is true. You need to pass cluster\_integration\_azuread\_application\_override\_name to pass the azuread application name | `bool` | `false` | no |
 | <a name="input_cluster_integration_azuread_application_override_name"></a> [cluster\_integration\_azuread\_application\_override\_name](#input\_cluster\_integration\_azuread\_application\_override\_name) | Azuread application name. Only used if cluster\_integration\_azuread\_application\_enable\_override is true | `string` | `""` | no |
+| <a name="input_cluster_integration_diagnostic_settings_role"></a> [cluster\_integration\_diagnostic\_settings\_role](#input\_cluster\_integration\_diagnostic\_settings\_role) | Role that will be assigned to the service principal on AKS cluster for diagnostic settings | `string` | `"Monitoring Reader"` | no |
 | <a name="input_cluster_integration_service_principal_password_expiry_end_date"></a> [cluster\_integration\_service\_principal\_password\_expiry\_end\_date](#input\_cluster\_integration\_service\_principal\_password\_expiry\_end\_date) | End date post which service principal password would expire | `string` | `"2124-02-12T09:42:53Z"` | no |
 | <a name="input_cluster_integration_service_principal_role"></a> [cluster\_integration\_service\_principal\_role](#input\_cluster\_integration\_service\_principal\_role) | Role that will be assigned to the service principal on AKS cluster | `string` | `"Reader"` | no |
 | <a name="input_cluster_integration_sign_in_audience"></a> [cluster\_integration\_sign\_in\_audience](#input\_cluster\_integration\_sign\_in\_audience) | sign\_in\_audience of the cluster integration | `string` | `"AzureADMyOrg"` | no |

diff --git a/cluster_integration.tf b/cluster_integration.tf
@@ -22,3 +22,11 @@ resource "azurerm_role_assignment" "truefoundry_reader_role_assignment" {
   role_definition_name = var.cluster_integration_service_principal_role
   principal_id         = azuread_service_principal.truefoundry_platform_features_service_principal[0].object_id
 }
+
+
+resource "azurerm_role_assignment" "truefoundry_diagnostic_settings_read_role_assignment" {
+  count                = var.feature_cluster_integration_enabled ? 1 : 0
+  scope                = var.cluster_id
+  role_definition_name = var.cluster_integration_diagnostic_settings_role
+  principal_id         = azuread_service_principal.truefoundry_platform_features_service_principal[0].object_id
+}
diff --git a/variables.tf b/variables.tf
@@ -198,6 +198,12 @@ variable "cluster_integration_service_principal_role" {
   default     = "Reader"
 }
 
+variable "cluster_integration_diagnostic_settings_role" {
+  description = "Role that will be assigned to the service principal on AKS cluster for diagnostic settings"
+  type        = string
+  default     = "Monitoring Reader"
+}
+
 ##################################################################################
 ## Other variables
 ##################################################################################