add table reader role

pagopa · Feb 19, 2025 · 20dd8af · 20dd8af
1 parent 10056f0
commit 20dd8af
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/.changeset/small-crabs-enjoy.md b/.changeset/small-crabs-enjoy.md
@@ -0,0 +1,5 @@
+---
+"azure_github_environment_bootstrap": patch
+---
+
+Add Storage Table Data Reader role at resource group level to Infra CI identity
diff --git a/infra/modules/azure_github_environment_bootstrap/README.md b/infra/modules/azure_github_environment_bootstrap/README.md
@@ -62,6 +62,7 @@
 | [azurerm_role_assignment.infra_ci_rg_st_queue_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_rg_st_queue_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_rg_st_table_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.infra_ci_rg_st_table_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_apim_secrets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_pagopa_iac_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |

diff --git a/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf b/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf
@@ -82,6 +82,13 @@ resource "azurerm_role_assignment" "infra_ci_rg_st_queue_reader" {
   description          = "Allow ${var.repository.name} Infra CI identity to read Storage Account queues monorepository resource group scope"
 }
 
+resource "azurerm_role_assignment" "infra_ci_rg_st_table_reader" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Storage Table Data Reader"
+  principal_id         = azurerm_user_assigned_identity.infra_ci.principal_id
+  description          = "Allow ${var.repository.name} Infra CI identity to read Storage Account tables monorepository resource group scope"
+}
+
 # DNS Zone
 resource "azurerm_role_assignment" "infra_ci_rg_ext_pagopa_dns_reader" {
   scope                = var.dns_zone_resource_group_id

diff --git a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
@@ -352,6 +352,7 @@ run "validate_github_id_infra" {
       azurerm_role_assignment.infra_ci_rg_kv_crypto,
       azurerm_role_assignment.infra_ci_rg_st_blob_reader,
       azurerm_role_assignment.infra_ci_rg_st_queue_reader,
+      azurerm_role_assignment.infra_ci_rg_st_table_reader,
       azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader,
       azurerm_key_vault_access_policy.infra_ci_kv_common,
       azurerm_role_assignment.infra_cd_subscription_reader,
@@ -494,6 +495,11 @@ run "validate_github_id_infra" {
     error_message = "The Infra CI managed identity can't read Storage Account queues at resource group scope"
   }
 
+  assert {
+    condition     = azurerm_role_assignment.infra_ci_rg_st_table_reader != null
+    error_message = "The Infra CI managed identity can't read Storage Account tables at resource group scope"
+  }
+
   assert {
     condition     = azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader != null
     error_message = "The Infra CI managed identity can't read external DNS configuration at resource group scope"