
It seems my question is related to this post, but since there is no answer I will ask again.

I have an Azure Devops project which I use to deploy static content into a container inside a Storage Account via Pipelines. I’ve recently decided to deploy my infrastructure using Terraform as well as my code, but I’m running into an issue. I managed to create all my infrastructure with Terraform inside my Pipeline except for the Role Assignment.

I basically need to add a new Role Assignment to my Storage Account. Through Azure it goes:

  1. Go to my Storage Account
  2. Go to Access Control (IAM)
  3. Add a new Role Assignment
  4. Select Storage Blob Data Contributor
  5. Click on Select members
  6. Select my Azure Devops Project
  7. Review + assign

From what I understand in the Terraform documentation I should do something like this:

resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_role_assignment" "role_assignment" {
  scope              = azurerm_storage_account.storage_account.id
  role_definition_id = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe" # Which is the Storage Blob Data Contributor role if I'm not mistaken.
  principal_id       = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" # Which should be the Application ID?
}

Except it doesn’t work: when I try to run it locally without the Azure Pipeline to check if this works, the process is stuck in the "Still creating…" state for more than 10 minutes, which seems weird since when you do it manually it only takes up to a few seconds. I don’t get any error; I just end up canceling the command.

What am I missing / doing wrong here?

2 Answers


  1. Chosen as BEST ANSWER

    I've found what the issue was. For the principal_id you need to put the Object_ID of your Service Principal and not your Application_ID. You end up with something like:

    main.tf

    ...
    
    locals {
      # ARM resource IDs use the plural "subscriptions" path segment; the GUID is the Storage Blob Data Contributor role definition.
      sub                                      = "/subscriptions"
      permission_storage_blob_data_contributor = "providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"
    }
    
    data "azurerm_subscription" "primary" { }
    
    resource "azurerm_resource_group" "resource_group" {
      name     = var.resource_group_name
      location = var.location
    }
    
    resource "azurerm_storage_account" "storage_account" {
      name                     = var.storage_account_name
      resource_group_name      = azurerm_resource_group.resource_group.name
      location                 = azurerm_resource_group.resource_group.location
      account_tier             = "Standard"
      account_replication_type = "LRS"
    }
    
    resource "azurerm_role_assignment" "role_assignment" {
      scope              = azurerm_storage_account.storage_account.id
      role_definition_id = join("/", [local.sub, data.azurerm_subscription.primary.subscription_id, local.permission_storage_blob_data_contributor])
      principal_id       = var.devops_project_object_id
    }
    
    ...
    

    variables.tf

    ...
    
    variable "location" {
      type        = string
      description = "Location for the deployment"
      default     = "West Europe"
    }
    
    variable "resource_group_name" {
      type        = string
      description = "Resource Group Name"
    }
    
    variable "storage_account_name" {
      type        = string
      description = "Storage Account Name"
    }
    
    # GUID in yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy format
    variable "devops_project_object_id" {
      type        = string
      description = "Object ID (principal_id) for the Devops Project linked to the Azure Subscription in the Azure Active Directory."
    }
    
    ...
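An added worked example, not part of the question or of either answer: a small shell helper (assuming the Azure CLI, `az`, is installed and logged in for the `az_*` functions; everything else runs offline) that resolves the Object ID of the service principal from its Application (client) ID, builds the `role_definition_id` with the plural `/subscriptions/` path segment, and, after `terraform apply`, verifies that exactly one `Storage Blob Data Contributor` assignment exists at the storage account scope. The `RUN_AZ_EXAMPLE`, `APP_ID`, `SUB_ID` and `STORAGE_ACCOUNT_ID` variables and the `resolve_principal.sh` file name are this example's own, not the page's. The Object ID versus Application ID mix-up is also the likely reason for the hang in the question: the azurerm provider retries role-assignment creation while Azure reports the principal as not found (to ride out directory replication delay), so a `principal_id` that never resolves shows up as a long "Still creating…" rather than an immediate error.

```shell
#!/bin/sh
# Added example, not from the question or the answers above.
# Helpers for the principal_id / role_definition_id values that
# azurerm_role_assignment needs, plus a post-apply check.
# The az_* functions assume the Azure CLI is installed and logged in
# (az login) as a principal allowed to read directory objects and role
# assignments; the other functions need no network access.
set -eu

# Role definition GUID of Storage Blob Data Contributor (from the page).
STORAGE_BLOB_DATA_CONTRIBUTOR="ba92f5b4-2d11-453d-a403-e96b0029c9fe"

# is_guid: succeed only for an 8-4-4-4-12 hex GUID, the shape every
# Azure object ID, application ID and role definition ID has.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# role_definition_id: build the full ARM ID of a built-in role within one
# subscription. Note the plural "subscriptions" path segment.
role_definition_id() {
  sub_id="$1"
  role_guid="$2"
  is_guid "$sub_id" || { echo "not a subscription GUID: $sub_id" >&2; return 1; }
  is_guid "$role_guid" || { echo "not a role definition GUID: $role_guid" >&2; return 1; }
  printf '/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s\n' \
    "$sub_id" "$role_guid"
}

# az_sp_object_id: the Object ID of the service principal that backs an
# application (client) ID. This, not the application ID, is what
# principal_id expects; the two look alike but are different GUIDs.
az_sp_object_id() {
  app_id="$1"
  is_guid "$app_id" || { echo "not an application GUID: $app_id" >&2; return 1; }
  az ad sp show --id "$app_id" --query id -o tsv
}

# az_verify_assignment: after terraform apply, confirm exactly one
# assignment of the role exists for the principal at the given scope.
az_verify_assignment() {
  scope="$1"
  object_id="$2"
  role_name="$3"
  count=$(az role assignment list --scope "$scope" --assignee "$object_id" \
            --role "$role_name" --query 'length(@)' -o tsv)
  if [ "$count" -eq 1 ]; then
    echo "ok: '$role_name' is assigned to $object_id at $scope"
  else
    echo "unexpected: $count assignment(s) of '$role_name' for $object_id at $scope" >&2
    return 1
  fi
}

# Usage (only when RUN_AZ_EXAMPLE=1, an env var invented for this example,
# so the helpers above can be sourced and tested without calling az):
#   RUN_AZ_EXAMPLE=1 APP_ID=<client id> SUB_ID=<subscription id> \
#   STORAGE_ACCOUNT_ID=</subscriptions/.../storageAccounts/...> sh resolve_principal.sh
if [ "${RUN_AZ_EXAMPLE:-0}" = 1 ]; then
  object_id=$(az_sp_object_id "$APP_ID")
  echo "principal_id       = \"$object_id\""
  echo "role_definition_id = \"$(role_definition_id "$SUB_ID" "$STORAGE_BLOB_DATA_CONTRIBUTOR")\""
  az_verify_assignment "$STORAGE_ACCOUNT_ID" "$object_id" "Storage Blob Data Contributor"
fi
```

Validating the GUID shape up front catches a left-over placeholder or a wrong kind of ID before `terraform apply` sits in "Still creating…"; the post-apply check, run with the same identity the pipeline uses, confirms the assignment landed on the intended scope and principal rather than silently on a broader one.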
    

  2. Role assignment can be simplified to this call:

    resource "azurerm_role_assignment" "blob_contributor" {
      scope                 = azurerm_storage_account.storage_account.id
      role_definition_name  = "Storage Blob Data Contributor"
      principal_id          = var.devops_project_object_id
    }
    