Role Definition: support for Data Actions (#1971)

* Role Definition: support for Data Actions ``` $ acctests azurerm TestAccAzureRMRoleDefinition_complete === RUN TestAccAzureRMRoleDefinition_complete --- PASS: TestAccAzureRMRoleDefinition_complete (46.46s) PASS ok github.com/terraform-providers/terraform-provider-azurerm/azurerm 47.349s ``` Fixes #1538 * Switching the data fields to be a Set not a List
hashicorp · Sep 27, 2018 · d7811a3 · d7811a3
1 parent f895741
commit d7811a3
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/azurerm/resource_arm_role_definition.go b/azurerm/resource_arm_role_definition.go
@@ -64,6 +64,22 @@ func resourceArmRoleDefinition() *schema.Resource {
 								Type: schema.TypeString,
 							},
 						},
+						"data_actions": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Set: schema.HashString,
+						},
+						"not_data_actions": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							Set: schema.HashString,
+						},
 					},
 				},
 			},
@@ -194,13 +210,27 @@ func expandRoleDefinitionPermissions(d *schema.ResourceData) []authorization.Per
 		}
 		permission.Actions = &actionsOutput
 
+		dataActionsOutput := make([]string, 0)
+		dataActions := input["data_actions"].(*schema.Set)
+		for _, a := range dataActions.List() {
+			dataActionsOutput = append(dataActionsOutput, a.(string))
+		}
+		permission.DataActions = &dataActionsOutput
+
 		notActionsOutput := make([]string, 0)
 		notActions := input["not_actions"].([]interface{})
 		for _, a := range notActions {
 			notActionsOutput = append(notActionsOutput, a.(string))
 		}
 		permission.NotActions = &notActionsOutput
 
+		notDataActionsOutput := make([]string, 0)
+		notDataActions := input["not_data_actions"].(*schema.Set)
+		for _, a := range notDataActions.List() {
+			notDataActionsOutput = append(notDataActionsOutput, a.(string))
+		}
+		permission.NotDataActions = &notDataActionsOutput
+
 		output = append(output, permission)
 	}
 
@@ -232,6 +262,14 @@ func flattenRoleDefinitionPermissions(input *[]authorization.Permission) []inter
 		}
 		output["actions"] = actions
 
+		dataActions := make([]interface{}, 0)
+		if permission.DataActions != nil {
+			for _, dataAction := range *permission.DataActions {
+				dataActions = append(dataActions, dataAction)
+			}
+		}
+		output["data_actions"] = schema.NewSet(schema.HashString, dataActions)
+
 		notActions := make([]string, 0)
 		if permission.NotActions != nil {
 			for _, action := range *permission.NotActions {
@@ -240,6 +278,14 @@ func flattenRoleDefinitionPermissions(input *[]authorization.Permission) []inter
 		}
 		output["not_actions"] = notActions
 
+		notDataActions := make([]interface{}, 0)
+		if permission.NotDataActions != nil {
+			for _, dataAction := range *permission.NotDataActions {
+				notDataActions = append(notDataActions, dataAction)
+			}
+		}
+		output["not_data_actions"] = schema.NewSet(schema.HashString, notDataActions)
+
 		permissions = append(permissions, output)
 	}
 

diff --git a/azurerm/resource_arm_role_definition_test.go b/azurerm/resource_arm_role_definition_test.go
@@ -191,8 +191,10 @@ resource "azurerm_role_definition" "test" {
   description        = "Acceptance Test Role Definition"
 
   permissions {
-    actions     = ["*"]
-    not_actions = ["Microsoft.Authorization/*/read"]
+    actions          = ["*"]
+    data_actions     = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
+    not_actions      = ["Microsoft.Authorization/*/read"]
+    not_data_actions = []
   }
 
   assignable_scopes = [

diff --git a/website/docs/r/role_definition.html.markdown b/website/docs/r/role_definition.html.markdown
@@ -50,10 +50,14 @@ The following arguments are supported:
 
 A `permissions` block as the following properties:
 
-* `action` - (Optional) One or more Allowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details. 
+* `action` - (Optional) One or more Allowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.
+
+* `data_action` - (Optional) One or more Allowed Data Actions, such as `*`, `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.
 
 * `not_action` - (Optional) One or more Disallowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.
 
+* `not_data_action` - (Optional) One or more Disallowed Data Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.
+
 ## Attributes Reference
 
 The following attributes are exported: