@@ -75,8 +75,102 @@ similar to this will occur:
75
75
}
76
76
```
77
77
This is expected, since the ` cloud_native_blob_protection ` is not in the Terraform configuration. Do NOT apply the diff,
78
- instead add the ` cloud_native_blob_protection ` definition that Terraform wants to remove to your configuration. When the
79
- configuration has been updated correctly, there will be no diff when running ` terraform plan ` .
78
+ instead add the ` cloud_native_blob_protection ` definition that Terraform wants to remove to your configuration. Note,
79
+ the Cloud Native Blob Protection feature requires additional role definitions and role assignments. By passing the
80
+ ` CLOUD_NATIVE_BLOB_PROTECTION ` value to the ` polaris_azure_permissions ` data source, and using the
81
+ ` polaris_azure_permissions ` data source as input to the ` azurerm_role_definition ` and ` azurerm_role_assignment `
82
+ resources, the required role definitions and role assignments will be created, see
83
+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L72 ) ,
84
+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L107 )
85
+ and
86
+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L123 )
87
+ in the example.
88
+
89
+ After updating the ` polaris_azure_permissions ` data source and adding the ` cloud_native_blob_protection ` nested schema
90
+ to the configuration, a diff similar to this will occur:
91
+ ``` hcl
92
+ # azurerm_role_assignment.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
93
+ + resource "azurerm_role_assignment" "resource_group" {
94
+ + id = (known after apply)
95
+ + name = (known after apply)
96
+ + principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
97
+ + principal_type = (known after apply)
98
+ + role_definition_id = (known after apply)
99
+ + role_definition_name = (known after apply)
100
+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
101
+ + skip_service_principal_aad_check = (known after apply)
102
+ }
103
+
104
+ # azurerm_role_assignment.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
105
+ + resource "azurerm_role_assignment" "subscription" {
106
+ + id = (known after apply)
107
+ + name = (known after apply)
108
+ + principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
109
+ + principal_type = (known after apply)
110
+ + role_definition_id = (known after apply)
111
+ + role_definition_name = (known after apply)
112
+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
113
+ + skip_service_principal_aad_check = (known after apply)
114
+ }
115
+
116
+ # azurerm_role_definition.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
117
+ + resource "azurerm_role_definition" "resource_group" {
118
+ + assignable_scopes = (known after apply)
119
+ + id = (known after apply)
120
+ + name = "Terraform3 - Azure Permissions Example Resource Group Level - CLOUD_NATIVE_BLOB_PROTECTION"
121
+ + role_definition_id = (known after apply)
122
+ + role_definition_resource_id = (known after apply)
123
+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
124
+ }
125
+
126
+ # azurerm_role_definition.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
127
+ + resource "azurerm_role_definition" "subscription" {
128
+ + assignable_scopes = (known after apply)
129
+ + id = (known after apply)
130
+ + name = "Terraform3 - Azure Permissions Example Subscription Level - CLOUD_NATIVE_BLOB_PROTECTION"
131
+ + role_definition_id = (known after apply)
132
+ + role_definition_resource_id = (known after apply)
133
+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
134
+
135
+ + permissions {
136
+ + actions = [
137
+ + "Microsoft.Insights/Metrics/Read",
138
+ + "Microsoft.Resources/subscriptions/resourceGroups/read",
139
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
140
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/read",
141
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/write",
142
+ + "Microsoft.Storage/storageAccounts/delete",
143
+ + "Microsoft.Storage/storageAccounts/read",
144
+ + "Microsoft.Storage/storageAccounts/write",
145
+ ]
146
+ + data_actions = [
147
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
148
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
149
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
150
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
151
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
152
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
153
+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
154
+ ]
155
+ + not_actions = []
156
+ }
157
+ }
158
+
159
+ # polaris_azure_subscription.subscription will be updated in-place
160
+ ~ resource "polaris_azure_subscription" "subscription" {
161
+ id = "60967b1e-20cb-4b61-acf6-454a55599b82"
162
+ # (4 unchanged attributes hidden)
163
+
164
+ ~ cloud_native_blob_protection {
165
+ + permissions = "b7dba84b286e4088f12b3a90852483add05b68f17be9cdab5e5eac055b6584d6"
166
+ # (3 unchanged attributes hidden)
167
+ }
168
+
169
+ # (1 unchanged block hidden)
170
+ }
171
+ ```
172
+ If the only thing changing is the ` permissions ` field of the nested ` cloud_native_blob_protection ` schema, along with
173
+ new Cloud Native Blob Protection role definitions and role assignments, the diff can be applied without any issues.
80
174
81
175
### New Permissions Field
82
176
A new ` permissions ` field has been added to the nested ` role ` schema of the ` polaris_aws_cnp_account_attachments `
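Review bot: the closing sentence of the added text ("If the only thing changing is the ` permissions ` field ... the diff can be applied without any issues") should ask the reader to review the `actions` and `data_actions` of the new role definitions before applying, since the plan shown grants delete on storage accounts, containers and blobs as well as `manageOwnership/action` and `modifyPermissions/action` on blobs; a sentence such as "Check that the actions granted by the new role definitions are acceptable for your environment before applying" would cover it. The removed sentence "When the configuration has been updated correctly, there will be no diff when running ` terraform plan `" was also a useful check; consider keeping it after the first diff, since the two diffs are easy to confuse ("Do NOT apply the diff" versus "the diff can be applied"). Finally, the plan excerpt embeds concrete subscription, principal and resource IDs; replacing them with obvious placeholders would avoid them being copied verbatim into user configurations.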