From 5dc36154ebcaabe72d594140d581ac67f4d26c63 Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Mon, 3 Feb 2025 16:29:02 +0100
Subject: [PATCH] [CES-715] Remove roles from Entra ID groups on Terraform Storage Account in azure github bootstrap module (#259)
---
 .changeset/wicked-gifts-deliver.md | 5 +++++
 .../README.md | 3 ---
 .../ad_admin_iam.tf | 7 -------
 .../ad_devs_iam.tf | 8 --------
 .../ad_ext_iam.tf | 10 ----------
 .../tests/mono_repo.tftest.hcl | 19 -------------------
 6 files changed, 5 insertions(+), 47 deletions(-)
 create mode 100644 .changeset/wicked-gifts-deliver.md
diff --git a/.changeset/wicked-gifts-deliver.md b/.changeset/wicked-gifts-deliver.md
new file mode 100644
index 000000000..942d8cc16
--- /dev/null
+++ b/.changeset/wicked-gifts-deliver.md
@@ -0,0 +1,5 @@
+---
+"azure_github_environment_bootstrap": patch
+---
+
+Remove roles from Entra ID groups on Terraform Storage Account
diff --git a/infra/modules/azure_github_environment_bootstrap/README.md b/infra/modules/azure_github_environment_bootstrap/README.md
index 91ed952ef..a12830d97 100644
--- a/infra/modules/azure_github_environment_bootstrap/README.md
+++ b/infra/modules/azure_github_environment_bootstrap/README.md
@@ -32,15 +32,12 @@
 | [azurerm_role_assignment.admins_group_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.admins_group_rg_kv_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.admins_group_rg_kv_data](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.admins_group_st_tf](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.app_cd_rg_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.app_cd_subscription_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.app_cd_tf_rg_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.devs_group_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.devs_group_tf_rg_kv_secr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.devs_group_tf_st](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.externals_group_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.externals_group_tf_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | 
[azurerm_role_assignment.infra_cd_apim_service_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_ext_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
diff --git a/infra/modules/azure_github_environment_bootstrap/ad_admin_iam.tf b/infra/modules/azure_github_environment_bootstrap/ad_admin_iam.tf
index 6d0fcbe98..e33663c6b 100644
--- a/infra/modules/azure_github_environment_bootstrap/ad_admin_iam.tf
+++ b/infra/modules/azure_github_environment_bootstrap/ad_admin_iam.tf
@@ -8,13 +8,6 @@ resource "azurerm_role_assignment" "admins_group_rg" {
 description = "Allow ${var.repository.name} AD Admin group the complete ownership at monorepository resource group scope"
 }
-# Storage Account - Terraform state file
-resource "azurerm_role_assignment" "admins_group_st_tf" {
- scope = local.tf_storage_account.id
- role_definition_name = "Storage Blob Data Contributor"
- principal_id = var.entraid_groups.admins_object_id
- description = "Allow ${var.repository.name} AD Admin group to apply changes to the Terraform state file Storage Account scope"
-}
 # Key Vault
 resource "azurerm_role_assignment" "admins_group_rg_kv_data" {
diff --git a/infra/modules/azure_github_environment_bootstrap/ad_devs_iam.tf b/infra/modules/azure_github_environment_bootstrap/ad_devs_iam.tf
index 2c2c38930..588a28a55 100644
--- a/infra/modules/azure_github_environment_bootstrap/ad_devs_iam.tf
+++ b/infra/modules/azure_github_environment_bootstrap/ad_devs_iam.tf
@@ -6,14 +6,6 @@ resource "azurerm_role_assignment" "devs_group_rg" {
 description = "Allow ${var.repository.name} AD Dev group to apply changes at monorepository resource group scope"
 }
-# Storage Account - Terraform state file
-resource "azurerm_role_assignment" "devs_group_tf_st" {
- scope = local.tf_storage_account.id
- role_definition_name = "Storage Blob Data Contributor"
- principal_id = var.entraid_groups.devs_object_id
- description = "Allow ${var.repository.name} AD Dev group to apply changes to the Terraform state file Storage Account scope"
-}
-
 # Key Vault
 resource "azurerm_role_assignment" "devs_group_tf_rg_kv_secr" {
 scope = azurerm_resource_group.main.id
diff --git a/infra/modules/azure_github_environment_bootstrap/ad_ext_iam.tf b/infra/modules/azure_github_environment_bootstrap/ad_ext_iam.tf
index 885feda38..0bfd1d551 100644
--- a/infra/modules/azure_github_environment_bootstrap/ad_ext_iam.tf
+++ b/infra/modules/azure_github_environment_bootstrap/ad_ext_iam.tf
@@ -7,13 +7,3 @@ resource "azurerm_role_assignment" "externals_group_rg" {
 principal_id = var.entraid_groups.externals_object_id
 description = "Allow ${var.repository.name} AD external group to read resources at resource group scope"
 }
-
-# Storage Account - Terraform state file
-resource "azurerm_role_assignment" "externals_group_tf_rg" {
- count = var.entraid_groups.externals_object_id == null ? 0 : 1
-
- scope = local.tf_storage_account.id
- role_definition_name = "Storage Blob Data Reader"
- principal_id = var.entraid_groups.externals_object_id
- description = "Allow ${var.repository.name} AD external group to read blobs at the Terraform state file Storage Account scope"
-}
diff --git a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
index 4d3410860..c494f0bad 100644
--- a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
+++ b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
@@ -578,14 +578,11 @@ run "validate_rbac_entraid" {
 plan_options {
 target = [
 azurerm_role_assignment.admins_group_rg,
- azurerm_role_assignment.admins_group_st_tf,
 azurerm_role_assignment.admins_group_rg_kv_data,
 azurerm_role_assignment.admins_group_rg_kv_admin,
 azurerm_role_assignment.devs_group_rg,
- azurerm_role_assignment.devs_group_tf_st,
 azurerm_role_assignment.devs_group_tf_rg_kv_secr,
 azurerm_role_assignment.externals_group_rg,
- azurerm_role_assignment.externals_group_tf_rg,
 ]
 }
@@ -642,22 +639,11 @@ run "validate_rbac_entraid" {
 error_message = "The Admins group should have role assignments at resource group scope"
 }
- assert {
- condition = azurerm_role_assignment.admins_group_st_tf != null
- error_message = "The Admins group should have role assignments for Terraform state storage"
- }
-
 assert {
 condition = azurerm_role_assignment.devs_group_rg != null
 error_message = "The Developers group should have role assignments at resource group scope"
 }
- assert {
- condition = azurerm_role_assignment.devs_group_tf_st != null
- error_message = "The Developers group should have role assignments for Terraform state storage"
- }
-
-
 assert {
 condition = azurerm_role_assignment.devs_group_tf_rg_kv_secr != null
 error_message = "The Developers group should have Key Vault Secrets role"
@@ -667,11 +653,6 @@ run "validate_rbac_entraid" {
 condition = azurerm_role_assignment.externals_group_rg != null
 error_message = "The Externals group should have role assignments at resource group scope"
 }
-
- assert {
- condition = azurerm_role_assignment.externals_group_tf_rg != null
- error_message = "The Externals group should have role assignments for Terraform resource group"
- }
 }
 run "validate_github_id_opex" {