From c896fa95ce84f3e8c3382e13de91bb6d15205fc1 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Thu, 12 Sep 2024 12:13:31 -0500
Subject: [PATCH 1/2] add permissions for what-if
---
 alz/azuredevops/variables.hidden.tf | 3 ++-
 alz/github/variables.hidden.tf | 3 ++-
 alz/local/variables.hidden.tf | 3 +--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/alz/azuredevops/variables.hidden.tf b/alz/azuredevops/variables.hidden.tf
index 98bbe34..dbe2dea 100644
--- a/alz/azuredevops/variables.hidden.tf
+++ b/alz/azuredevops/variables.hidden.tf
@@ -282,7 +282,8 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Authorization/locks/write",
 "Microsoft.Network/*/write",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write"
+ "Microsoft.Resources/deployments/write",
+ "Microsoft.SecurityInsights/onboardingStates/write"
 ]
 not_actions = []
 }
diff --git a/alz/github/variables.hidden.tf b/alz/github/variables.hidden.tf
index e536a44..89ab382 100644
--- a/alz/github/variables.hidden.tf
+++ b/alz/github/variables.hidden.tf
@@ -288,7 +288,8 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Authorization/locks/write",
 "Microsoft.Network/*/write",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write"
+ "Microsoft.Resources/deployments/write",
+ "Microsoft.SecurityInsights/onboardingStates/write"
 ]
 not_actions = []
 }
diff --git a/alz/local/variables.hidden.tf b/alz/local/variables.hidden.tf
index 7cdbe21..47ec128 100644
--- a/alz/local/variables.hidden.tf
+++ b/alz/local/variables.hidden.tf
@@ -170,8 +170,7 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Insights/diagnosticSettings/write",
 "Microsoft.Insights/diagnosticSettings/read",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write",
- "Microsoft.SecurityInsights/onboardingStates/write"
+ "Microsoft.Resources/deployments/write"
 ]
 not_actions = []
 }
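Review bot: The three pipeline variants end this patch out of step: the azuredevops hunk (`@@ -282`) and the github hunk (`@@ -288`) add `Microsoft.SecurityInsights/onboardingStates/write` to the role, while the alz/local hunk (`@@ -170`) removes that same action from the same `custom_role_definitions_bicep` entry, so the local role can no longer perform the onboarding write the other two now can. If the removal is intentional it deserves a line in the commit message; if not, the local hunk is inverted. The subject says the actions are "for what-if", but a `/write` action is broader than a read-only preview would normally need, so a comment on the added line naming the deployment that fails without it would let a reviewer check the scope, e.g. `# onboardingStates/write: required by <deployment name placeholder> — TODO confirm what-if alone needs a write action`. The enclosing role entry and its `actions = [` opener start outside the hunk.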
From 4a9f84f4100724502fbf21dba0a46c5087f85d98 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Thu, 12 Sep 2024 15:12:41 -0500
Subject: [PATCH 2/2] Add permissions required to fix sub deployment
---
 alz/azuredevops/variables.hidden.tf | 4 +++-
 alz/github/variables.hidden.tf | 4 +++-
 alz/local/variables.hidden.tf | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/alz/azuredevops/variables.hidden.tf b/alz/azuredevops/variables.hidden.tf
index dbe2dea..b0e3c88 100644
--- a/alz/azuredevops/variables.hidden.tf
+++ b/alz/azuredevops/variables.hidden.tf
@@ -229,7 +229,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
diff --git a/alz/github/variables.hidden.tf b/alz/github/variables.hidden.tf
index 89ab382..6586b58 100644
--- a/alz/github/variables.hidden.tf
+++ b/alz/github/variables.hidden.tf
@@ -235,7 +235,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
diff --git a/alz/local/variables.hidden.tf b/alz/local/variables.hidden.tf
index 47ec128..d19c8c7 100644
--- a/alz/local/variables.hidden.tf
+++ b/alz/local/variables.hidden.tf
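Review bot: `Microsoft.Authorization/roleAssignments/write` and `.../delete`, added at the end of the `actions` list in the azuredevops hunk (`@@ -229`), let the pipeline identity create or remove any role assignment — including Owner — at whatever scope this custom role is assigned, so anyone who can run or edit the pipeline inherits an escalation path that the rest of the list (deployment read/write/validate) did not give them; the commit message only says "fix sub deployment" and does not name which assignments the subscription deployment creates. Consider limiting the blast radius with an Azure RBAC condition on the assignment of this role that restricts which roles and principal types it may assign, and at minimum justify the two lines inline, e.g. `# roleAssignments/write|delete: required by <deployment/module placeholder>; constrain assignable roles with an RBAC condition where possible`. The same two lines are added in the github hunk (`@@ -235`) and the alz/local hunk (`@@ -150`) of this patch. The enclosing role entry and its `actions = [` opener start outside each hunk.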
@@ -150,7 +150,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }