Role Definition: support for Data Actions #1971

Merged
merged 2 commits into from
Sep 27, 2018
44 changes: 44 additions & 0 deletions azurerm/resource_arm_role_definition.go
Expand Up @@ -64,6 +64,20 @@ func resourceArmRoleDefinition() *schema.Resource {
Type: schema.TypeString,
},
},
"data_actions": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"not_data_actions": {
Type: schema.TypeList,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
},
},
},
Expand Down Expand Up @@ -194,13 +208,27 @@ func expandRoleDefinitionPermissions(d *schema.ResourceData) []authorization.Per
}
permission.Actions = &actionsOutput

dataActionsOutput := make([]string, 0)
dataActions := input["data_actions"].([]interface{})
for _, a := range dataActions {
dataActionsOutput = append(dataActionsOutput, a.(string))
}
permission.DataActions = &dataActionsOutput

notActionsOutput := make([]string, 0)
notActions := input["not_actions"].([]interface{})
for _, a := range notActions {
notActionsOutput = append(notActionsOutput, a.(string))
}
permission.NotActions = &notActionsOutput

notDataActionsOutput := make([]string, 0)
notDataActions := input["not_data_actions"].([]interface{})
for _, a := range notDataActions {
notDataActionsOutput = append(notDataActionsOutput, a.(string))
}
permission.NotDataActions = &notDataActionsOutput

output = append(output, permission)
}

Expand Down Expand Up @@ -232,6 +260,14 @@ func flattenRoleDefinitionPermissions(input *[]authorization.Permission) []inter
}
output["actions"] = actions

dataActions := make([]string, 0)
if permission.DataActions != nil {
for _, dataAction := range *permission.DataActions {
dataActions = append(dataActions, dataAction)
}
}
output["data_actions"] = dataActions

notActions := make([]string, 0)
if permission.NotActions != nil {
for _, action := range *permission.NotActions {
Expand All @@ -240,6 +276,14 @@ func flattenRoleDefinitionPermissions(input *[]authorization.Permission) []inter
}
output["not_actions"] = notActions

notDataActions := make([]string, 0)
if permission.NotDataActions != nil {
for _, dataAction := range *permission.NotDataActions {
notDataActions = append(notDataActions, dataAction)
}
}
output["not_data_actions"] = notDataActions

permissions = append(permissions, output)
}

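Review bot: The new data_actions and not_data_actions handling in expandRoleDefinitionPermissions repeats the make/range/append/type-assert sequence that actions and not_actions already use, so the function now carries four copies of one five-line loop; a small file-level helper keeps the conversion in one place and reduces each case to two lines. The flatten side has the same shape twice (the `dataActions` and `notDataActions` loops), which can become `dataActions = append(dataActions, (*permission.DataActions)...)` once the nil check has passed. expandRoleDefinitionPermissions and flattenRoleDefinitionPermissions both begin above their hunks, so the helper would sit beside them at package level. The website hunk documents these arguments as `data_action`/`not_data_action` while the schema keys added here are `data_actions`/`not_data_actions`, and the `not_data_action` example is a management-plane operation rather than a data action; both should agree with the schema before merge.

```go
// expandRoleDefinitionStringList converts a schema.TypeList of strings into a []string.
func expandRoleDefinitionStringList(raw []interface{}) []string {
	out := make([]string, 0, len(raw))
	for _, v := range raw {
		out = append(out, v.(string))
	}
	return out
}

// … unchanged: loop header and actions handling in expandRoleDefinitionPermissions …
dataActionsOutput := expandRoleDefinitionStringList(input["data_actions"].([]interface{}))
permission.DataActions = &dataActionsOutput

notActionsOutput := expandRoleDefinitionStringList(input["not_actions"].([]interface{}))
permission.NotActions = &notActionsOutput

notDataActionsOutput := expandRoleDefinitionStringList(input["not_data_actions"].([]interface{}))
permission.NotDataActions = &notDataActionsOutput
// … unchanged: output = append(output, permission) …
```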
6 changes: 4 additions & 2 deletions azurerm/resource_arm_role_definition_test.go
Expand Up @@ -191,8 +191,10 @@ resource "azurerm_role_definition" "test" {
description = "Acceptance Test Role Definition"

permissions {
actions = ["*"]
not_actions = ["Microsoft.Authorization/*/read"]
actions = ["*"]
data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
not_actions = ["Microsoft.Authorization/*/read"]
not_data_actions = []
}

assignable_scopes = [
6 changes: 5 additions & 1 deletion website/docs/r/role_definition.html.markdown
Expand Up @@ -50,10 +50,14 @@ The following arguments are supported:

A `permissions` block as the following properties:

* `action` - (Optional) One or more Allowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.
* `action` - (Optional) One or more Allowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.

* `data_action` - (Optional) One or more Allowed Data Actions, such as `*`, `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.

* `not_action` - (Optional) One or more Disallowed Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.

* `not_data_action` - (Optional) One or more Disallowed Data Actions, such as `*`, `Microsoft.Resources/subscriptions/resourceGroups/read`. See ['Azure Resource Manager resource provider operations'](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations) for details.

## Attributes Reference

The following attributes are exported: