From 20dd8aff36f8581cd77ddbc55fa195167557d21d Mon Sep 17 00:00:00 2001
From: Krusty93
Date: Wed, 19 Feb 2025 16:27:45 +0100
Subject: [PATCH] add table reader role

---
 .changeset/small-crabs-enjoy.md | 5 +++++
 infra/modules/azure_github_environment_bootstrap/README.md | 1 +
 .../azure_github_environment_bootstrap/id_infra_ci_iam.tf | 7 +++++++
 .../tests/mono_repo.tftest.hcl | 6 ++++++
 4 files changed, 19 insertions(+)
 create mode 100644 .changeset/small-crabs-enjoy.md

diff --git a/.changeset/small-crabs-enjoy.md b/.changeset/small-crabs-enjoy.md
new file mode 100644
index 000000000..24f6936f2
--- /dev/null
+++ b/.changeset/small-crabs-enjoy.md
@@ -0,0 +1,5 @@
+---
+"azure_github_environment_bootstrap": patch
+---
+
+Add Storage Table Data Reader role at resource group level to Infra CI identity
diff --git a/infra/modules/azure_github_environment_bootstrap/README.md b/infra/modules/azure_github_environment_bootstrap/README.md
index 9504745bd..920b475ff 100644
--- a/infra/modules/azure_github_environment_bootstrap/README.md
+++ b/infra/modules/azure_github_environment_bootstrap/README.md
@@ -62,6 +62,7 @@
 | [azurerm_role_assignment.infra_ci_rg_st_queue_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_rg_st_queue_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_rg_st_table_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.infra_ci_rg_st_table_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_apim_secrets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_ci_subscription_pagopa_iac_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
diff --git a/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf b/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf
index 9b4065f7b..2fe3dbe79 100644
--- a/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf
+++ b/infra/modules/azure_github_environment_bootstrap/id_infra_ci_iam.tf
@@ -82,6 +82,13 @@ resource "azurerm_role_assignment" "infra_ci_rg_st_queue_reader" {
 description = "Allow ${var.repository.name} Infra CI identity to read Storage Account queues monorepository resource group scope"
 }
 
+resource "azurerm_role_assignment" "infra_ci_rg_st_table_reader" {
+ scope = azurerm_resource_group.main.id
+ role_definition_name = "Storage Table Data Reader"
+ principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
+ description = "Allow ${var.repository.name} Infra CI identity to read Storage Account tables monorepository resource group scope"
+}
+
 # DNS Zone
 resource "azurerm_role_assignment" "infra_ci_rg_ext_pagopa_dns_reader" {
 scope = var.dns_zone_resource_group_id
diff --git a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
index 66f26f09e..007e2a0de 100644
--- a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
+++ b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
@@ -352,6 +352,7 @@ run "validate_github_id_infra" {
 azurerm_role_assignment.infra_ci_rg_kv_crypto,
 azurerm_role_assignment.infra_ci_rg_st_blob_reader,
 azurerm_role_assignment.infra_ci_rg_st_queue_reader,
+ azurerm_role_assignment.infra_ci_rg_st_table_reader,
 azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader,
 azurerm_key_vault_access_policy.infra_ci_kv_common,
 azurerm_role_assignment.infra_cd_subscription_reader,
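Review bot: The new infra_ci_rg_st_table_reader block grants the Infra CI identity data-plane read of table entities in every storage account under azurerm_resource_group.main, and nothing in the block records why a CI identity needs entity-level access rather than the control-plane read it presumably already holds through the subscription-level assignments listed in the README; a one-line comment above the resource naming the workflow that reads table data would make the least-privilege rationale auditable. The description is also missing a preposition and reads differently from the matching test's error message: `description = "Allow ${var.repository.name} Infra CI identity to read Storage Account tables at monorepository resource group scope"`. The same wording in the existing queue_reader description is outside this change, so only the new line needs the fix.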
@@ -494,6 +495,11 @@ run "validate_github_id_infra" {
 error_message = "The Infra CI managed identity can't read Storage Account queues at resource group scope"
 }
 
+ assert {
+ condition = azurerm_role_assignment.infra_ci_rg_st_table_reader != null
+ error_message = "The Infra CI managed identity can't read Storage Account tables at resource group scope"
+ }
+
 assert {
 condition = azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader != null
 error_message = "The Infra CI managed identity can't read external DNS configuration at resource group scope"
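Review bot: The added assert only checks that the infra_ci_rg_st_table_reader resource exists, so it would still pass if the role name or scope were later changed to something broader; since role_definition_name is a literal known at plan time, the condition can pin it: `condition = azurerm_role_assignment.infra_ci_rg_st_table_reader.role_definition_name == "Storage Table Data Reader"`, and the scope can be compared with `azurerm_resource_group.main.id` if that value is known in this run's plan. The `!= null` form matches the neighbouring asserts, so tightening it is a deviation from the file's current style and is probably best applied to the sibling asserts together. The enclosing run "validate_github_id_infra" block starts and ends outside the hunk.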