
Commit fd1450a

committed
update to support multi sub
1 parent c240c05 commit fd1450a

9 files changed

+263
-235
lines changed

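--- a/AzAd/EnvRoles.ts
+++ b/AzAd/EnvRoles.ts
@@ -19,7 +19,11 @@ const envRoleConfig = {
 } as RoleNameType,
 };
 
-export const getEnvRoleNames = (includeOrganization = false) => ({
+export type EnvRoleNamesType = { [k in keyof typeof envRoleConfig]: string };
+
+export const getEnvRoleNames = (
+includeOrganization = false
+): EnvRoleNamesType => ({
 readOnly: getRoleName({ ...envRoleConfig.readOnly, includeOrganization }),
 contributor: getRoleName({
 ...envRoleConfig.contributor,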
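Review bot: The new exported `EnvRoleNamesType` has no TSDoc, and because it is a mapped type over `keyof typeof envRoleConfig` its keys are not visible at the import sites that now pass it around (ResourceGroup.ts and VaultAccess.ts in this commit). I would add `/** AD group name, as resolved by getRoleName, for each role key of envRoleConfig (readOnly, contributor, ...); obtain one via getEnvRoleNames. */` above the type. The return annotation on `getEnvRoleNames` is a good addition since it lets the compiler check that every config key is produced; the function body continues past the end of the hunk.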

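--- a/Core/ResourceGroup.ts
+++ b/Core/ResourceGroup.ts
@@ -2,31 +2,30 @@ import {
 DefaultResourceArgs,
 ResourceGroupInfo,
 ResourceResultProps,
-} from "../types";
+} from '../types';
 import {
 ResourceGroup,
 ResourceGroupArgs,
-} from "@pulumi/azure-native/resources";
-import { BasicResourceArgs } from "./../types.d";
-import ResourceCreator from "./ResourceCreator";
-import { getResourceGroupName } from "../Common/Naming";
-import { envRoleNames } from "../AzAd/EnvRoles";
-import { assignRolesToGroup } from "../AzAd/Group";
-import { currentEnv, Environments } from "../Common/AzureEnv";
+} from '@pulumi/azure-native/resources';
+import { BasicResourceArgs } from './../types.d';
+import ResourceCreator from './ResourceCreator';
+import { getResourceGroupName } from '../Common/Naming';
+import { EnvRoleNamesType } from '../AzAd/EnvRoles';
+import { assignRolesToGroup } from '../AzAd/Group';
 
 interface Props
-extends Omit<DefaultResourceArgs, "monitoring">,
-Omit<BasicResourceArgs, "group"> {
+extends Omit<DefaultResourceArgs, 'monitoring'>,
+Omit<BasicResourceArgs, 'group'> {
 formattedName?: boolean;
 
-/**Grant permission of this group into Environment Roles groups*/
-enableEnvRbac?: boolean;
+/** Grant permission of this group into Environment Roles groups*/
+envRoleNames?: EnvRoleNamesType;
 }
 
 export default async ({
 name,
 formattedName,
-enableEnvRbac = currentEnv !== Environments.Global,
+envRoleNames,
 ...others
 }: Props): Promise<
 ResourceResultProps<ResourceGroup> & { toGroupInfo: () => ResourceGroupInfo }
@@ -43,20 +42,20 @@ export default async ({
 
 const g = resource as ResourceGroup;
 
-if (enableEnvRbac) {
+if (envRoleNames) {
 await assignRolesToGroup({
 groupName: envRoleNames.readOnly,
-roles: ["Reader"],
+roles: ['Reader'],
 scope: g.id,
 });
 await assignRolesToGroup({
 groupName: envRoleNames.contributor,
-roles: ["Contributor"],
+roles: ['Contributor'],
 scope: g.id,
 });
 await assignRolesToGroup({
 groupName: envRoleNames.admin,
-roles: ["Owner"],
+roles: ['Owner'],
 scope: g.id,
 });
 }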
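Review bot: The doc comment on the new `envRoleNames?` property in `Props` is carried over from `enableEnvRbac` and no longer says what the property does; the second hunk shows it is the set of group names that receive Reader, Contributor and Owner on the resource group. At the same time the removed default `enableEnvRbac = currentEnv !== Environments.Global` means the role assignment is now opt-in rather than on by default, so any caller that relied on the old default will silently stop granting these roles; an explicit opt-in is fine from a least-privilege standpoint, but it should be stated on the property and checked at each call site. I would replace the comment with `/** Environment role group names. When supplied, Reader, Contributor and Owner on this resource group are granted to the readOnly, contributor and admin groups respectively; when omitted no env role assignment is made (previously on by default outside Global). */`. If `currentEnv` is still referenced elsewhere in this file, dropping its import will not compile, which I cannot confirm from the hunks shown.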

KeyVault/VaultAccess.ts

+26-20
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
1-
import { PermissionProps } from "./VaultPermissions";
2-
import GroupRole from "../AzAd/Role";
3-
import { currentEnv, currentServicePrincipal } from "../Common/AzureEnv";
4-
import { getAdGroup } from "../AzAd/Group";
5-
import { envRoleNames } from "../AzAd/EnvRoles";
6-
import * as azuread from "@pulumi/azuread";
1+
import { PermissionProps } from './VaultPermissions';
2+
import GroupRole from '../AzAd/Role';
3+
import { currentEnv, currentServicePrincipal } from '../Common/AzureEnv';
4+
import { getAdGroup } from '../AzAd/Group';
5+
import { EnvRoleNamesType } from '../AzAd/EnvRoles';
6+
import * as azuread from '@pulumi/azuread';
77

88
export type VaultAccessType = {
9-
useEnvRoles?: boolean;
10-
enableRbac?: boolean;
9+
/** Grant permission of this group into Environment Roles groups*/
10+
envRoleNames?: EnvRoleNamesType;
1111
permissions?: Array<PermissionProps>;
1212
};
1313

@@ -18,35 +18,41 @@ interface Props {
1818

1919
export default async ({ name, auth }: Props) => {
2020
//Permission Groups
21-
const readOnlyGroup = auth.useEnvRoles
22-
? await getAdGroup(envRoleNames.readOnly)
21+
const readOnlyGroup = auth.envRoleNames
22+
? await getAdGroup(auth.envRoleNames.readOnly)
2323
: await GroupRole({
2424
env: currentEnv,
2525
appName: `${name}-vault`,
26-
roleName: "ReadOnly",
26+
roleName: 'ReadOnly',
2727
});
28-
const adminGroup = auth.useEnvRoles
29-
? await getAdGroup(envRoleNames.contributor)
28+
const adminGroup = auth.envRoleNames
29+
? await getAdGroup(auth.envRoleNames.contributor)
3030
: await GroupRole({
3131
env: currentEnv,
3232
appName: `${name}-vault`,
33-
roleName: "Admin",
33+
roleName: 'Admin',
3434
});
3535

3636
//Add current service principal in
37-
if (auth!.permissions!.length <= 0) {
38-
auth.permissions!.push({
37+
if (auth.permissions == undefined) {
38+
auth.permissions = [
39+
{
40+
objectId: currentServicePrincipal,
41+
permission: 'ReadWrite',
42+
},
43+
];
44+
} else
45+
auth.permissions.push({
3946
objectId: currentServicePrincipal,
40-
permission: "ReadWrite",
47+
permission: 'ReadWrite',
4148
});
42-
}
4349

4450
//Add Permission to Groups
45-
auth.permissions!.forEach(
51+
auth.permissions.forEach(
4652
({ objectId, applicationId, permission }, index) =>
4753
new azuread.GroupMember(`${name}-${permission}-${index}`, {
4854
groupObjectId:
49-
permission === "ReadOnly"
55+
permission === 'ReadOnly'
5056
? readOnlyGroup.objectId
5157
: adminGroup.objectId,
5258
memberObjectId: objectId ?? applicationId,
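Review bot: The new service-principal handling in the second hunk mutates the caller's `auth` object (`auth.permissions = [...]` and `auth.permissions.push(...)`), so an `auth` value shared between two vault calls accumulates a second `currentServicePrincipal` entry on the next call, and the `${name}-${permission}-${index}` names then produce a duplicate `GroupMember` for the same principal; whether the provider rejects that I cannot confirm from here. Building a local list also removes the duplicated object literal and the brace-less `else`. The two branches differ only in whether `auth.permissions` exists, which `?? []` expresses in one line; `PermissionProps` is already imported so the local can be typed without widening `'ReadWrite'`. The `forEach` body and the rest of the function continue past the hunk.
```typescript
  //Add current service principal in (local copy; the caller's auth is not mutated)
  const permissions: Array<PermissionProps> = [
    ...(auth.permissions ?? []),
    { objectId: currentServicePrincipal, permission: 'ReadWrite' },
  ];

  //Add Permission to Groups
  permissions.forEach(
  // … unchanged: GroupMember creation per permission …
```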
