
Commit b623fec

Update upgrade guide (#226)
1 parent 4b50424 commit b623fec


2 files changed

+192
-4
lines changed


docs/guides/upgrade_guide_v1.0.0.md

+96-2
@@ -75,8 +75,102 @@ similar to this will occur:
7575
}
7676
```
7777
This is expected, since the `cloud_native_blob_protection` is not in the Terraform configuration. Do NOT apply the diff,
78-
instead add the `cloud_native_blob_protection` definition that Terraform wants to remove to your configuration. When the
79-
configuration has been updated correctly, there will be no diff when running `terraform plan`.
78+
instead add the `cloud_native_blob_protection` definition that Terraform wants to remove to your configuration. Note,
79+
the Cloud Native Blob Protection feature requires additional role definitions and role assignments. By passing the
80+
`CLOUD_NATIVE_BLOB_PROTECTION` value to the `polaris_azure_permissions` data source, and using the
81+
`polaris_azure_permissions` data source as input to the `azurerm_role_definition` and `azurerm_role_assignment`
82+
resources, the required role definitions and role assignments will be created, see
83+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L72),
84+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L107)
85+
and
86+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L123)
87+
in the example.
88+
89+
After updating the `polaris_azure_permissions` data source and adding the `cloud_native_blob_protection` nested schema
90+
to the configuration, a diff similar to this will occur:
91+
```hcl
92+
# azurerm_role_assignment.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
93+
+ resource "azurerm_role_assignment" "resource_group" {
94+
+ id = (known after apply)
95+
+ name = (known after apply)
96+
+ principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
97+
+ principal_type = (known after apply)
98+
+ role_definition_id = (known after apply)
99+
+ role_definition_name = (known after apply)
100+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
101+
+ skip_service_principal_aad_check = (known after apply)
102+
}
103+
104+
# azurerm_role_assignment.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
105+
+ resource "azurerm_role_assignment" "subscription" {
106+
+ id = (known after apply)
107+
+ name = (known after apply)
108+
+ principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
109+
+ principal_type = (known after apply)
110+
+ role_definition_id = (known after apply)
111+
+ role_definition_name = (known after apply)
112+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
113+
+ skip_service_principal_aad_check = (known after apply)
114+
}
115+
116+
# azurerm_role_definition.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
117+
+ resource "azurerm_role_definition" "resource_group" {
118+
+ assignable_scopes = (known after apply)
119+
+ id = (known after apply)
120+
+ name = "Terraform3 - Azure Permissions Example Resource Group Level - CLOUD_NATIVE_BLOB_PROTECTION"
121+
+ role_definition_id = (known after apply)
122+
+ role_definition_resource_id = (known after apply)
123+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
124+
}
125+
126+
# azurerm_role_definition.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
127+
+ resource "azurerm_role_definition" "subscription" {
128+
+ assignable_scopes = (known after apply)
129+
+ id = (known after apply)
130+
+ name = "Terraform3 - Azure Permissions Example Subscription Level - CLOUD_NATIVE_BLOB_PROTECTION"
131+
+ role_definition_id = (known after apply)
132+
+ role_definition_resource_id = (known after apply)
133+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
134+
135+
+ permissions {
136+
+ actions = [
137+
+ "Microsoft.Insights/Metrics/Read",
138+
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
139+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
140+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/read",
141+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/write",
142+
+ "Microsoft.Storage/storageAccounts/delete",
143+
+ "Microsoft.Storage/storageAccounts/read",
144+
+ "Microsoft.Storage/storageAccounts/write",
145+
]
146+
+ data_actions = [
147+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
148+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
149+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
150+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
151+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
152+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
153+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
154+
]
155+
+ not_actions = []
156+
}
157+
}
158+
159+
# polaris_azure_subscription.subscription will be updated in-place
160+
~ resource "polaris_azure_subscription" "subscription" {
161+
id = "60967b1e-20cb-4b61-acf6-454a55599b82"
162+
# (4 unchanged attributes hidden)
163+
164+
~ cloud_native_blob_protection {
165+
+ permissions = "b7dba84b286e4088f12b3a90852483add05b68f17be9cdab5e5eac055b6584d6"
166+
# (3 unchanged attributes hidden)
167+
}
168+
169+
# (1 unchanged block hidden)
170+
}
171+
```
172+
If the only thing changing is the `permissions` field of the nested `cloud_native_blob_protection` schema, along with
173+
new Cloud Native Blob Protection role definitions and role assignments, the diff can be applied without any issues.
80174

81175
### New Permissions Field
82176
A new `permissions` field has been added to the nested `role` schema of the `polaris_aws_cnp_account_attachments`
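Review bot: the new paragraph (new lines 78-88 of the guide) removes the only statement of the expected end state ("there will be no diff when running `terraform plan`") and replaces it with a conditional ("If the only thing changing is the `permissions` field ... the diff can be applied"), but never says what the reader should do when the plan contains anything else. Suggest closing the section with the other branch explicitly, e.g. "If the plan contains any other change, do not apply it; compare the `cloud_native_blob_protection` block and the `polaris_azure_permissions` data source against the example before running `terraform plan` again." Two wording points in the same paragraph: "Note, the Cloud Native Blob Protection feature requires" should read "Note that the Cloud Native Blob Protection feature requires", and the three bare "[here]" links would be far more useful if each named what it points to (the data source, the role definition, the role assignment), since the pinned-commit URLs with `#L` anchors give the reader no hint which is which.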

templates/guides/upgrade_guide_v1.0.0.md.tmpl

+96-2
@@ -75,8 +75,102 @@ similar to this will occur:
7575
}
7676
```
7777
This is expected, since the `cloud_native_blob_protection` is not in the Terraform configuration. Do NOT apply the diff,
78-
instead add the `cloud_native_blob_protection` definition that Terraform wants to remove to your configuration. When the
79-
configuration has been updated correctly, there will be no diff when running `terraform plan`.
78+
instead add the `cloud_native_blob_protection` definition that Terraform wants to remove to your configuration. Note,
79+
the Cloud Native Blob Protection feature requires additional role definitions and role assignments. By passing the
80+
`CLOUD_NATIVE_BLOB_PROTECTION` value to the `polaris_azure_permissions` data source, and using the
81+
`polaris_azure_permissions` data source as input to the `azurerm_role_definition` and `azurerm_role_assignment`
82+
resources, the required role definitions and role assignments will be created, see
83+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L72),
84+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L107)
85+
and
86+
[here](https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L123)
87+
in the example.
88+
89+
After updating the `polaris_azure_permissions` data source and adding the `cloud_native_blob_protection` nested schema
90+
to the configuration, a diff similar to this will occur:
91+
```hcl
92+
# azurerm_role_assignment.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
93+
+ resource "azurerm_role_assignment" "resource_group" {
94+
+ id = (known after apply)
95+
+ name = (known after apply)
96+
+ principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
97+
+ principal_type = (known after apply)
98+
+ role_definition_id = (known after apply)
99+
+ role_definition_name = (known after apply)
100+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
101+
+ skip_service_principal_aad_check = (known after apply)
102+
}
103+
104+
# azurerm_role_assignment.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
105+
+ resource "azurerm_role_assignment" "subscription" {
106+
+ id = (known after apply)
107+
+ name = (known after apply)
108+
+ principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
109+
+ principal_type = (known after apply)
110+
+ role_definition_id = (known after apply)
111+
+ role_definition_name = (known after apply)
112+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
113+
+ skip_service_principal_aad_check = (known after apply)
114+
}
115+
116+
# azurerm_role_definition.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
117+
+ resource "azurerm_role_definition" "resource_group" {
118+
+ assignable_scopes = (known after apply)
119+
+ id = (known after apply)
120+
+ name = "Terraform3 - Azure Permissions Example Resource Group Level - CLOUD_NATIVE_BLOB_PROTECTION"
121+
+ role_definition_id = (known after apply)
122+
+ role_definition_resource_id = (known after apply)
123+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
124+
}
125+
126+
# azurerm_role_definition.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
127+
+ resource "azurerm_role_definition" "subscription" {
128+
+ assignable_scopes = (known after apply)
129+
+ id = (known after apply)
130+
+ name = "Terraform3 - Azure Permissions Example Subscription Level - CLOUD_NATIVE_BLOB_PROTECTION"
131+
+ role_definition_id = (known after apply)
132+
+ role_definition_resource_id = (known after apply)
133+
+ scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
134+
135+
+ permissions {
136+
+ actions = [
137+
+ "Microsoft.Insights/Metrics/Read",
138+
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
139+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
140+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/read",
141+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/write",
142+
+ "Microsoft.Storage/storageAccounts/delete",
143+
+ "Microsoft.Storage/storageAccounts/read",
144+
+ "Microsoft.Storage/storageAccounts/write",
145+
]
146+
+ data_actions = [
147+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
148+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
149+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
150+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
151+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
152+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
153+
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
154+
]
155+
+ not_actions = []
156+
}
157+
}
158+
159+
# polaris_azure_subscription.subscription will be updated in-place
160+
~ resource "polaris_azure_subscription" "subscription" {
161+
id = "60967b1e-20cb-4b61-acf6-454a55599b82"
162+
# (4 unchanged attributes hidden)
163+
164+
~ cloud_native_blob_protection {
165+
+ permissions = "b7dba84b286e4088f12b3a90852483add05b68f17be9cdab5e5eac055b6584d6"
166+
# (3 unchanged attributes hidden)
167+
}
168+
169+
# (1 unchanged block hidden)
170+
}
171+
```
172+
If the only thing changing is the `permissions` field of the nested `cloud_native_blob_protection` schema, along with
173+
new Cloud Native Blob Protection role definitions and role assignments, the diff can be applied without any issues.
80174

81175
### New Permissions Field
82176
A new `permissions` field has been added to the nested `role` schema of the `polaris_aws_cnp_account_attachments`
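Review bot: the sample plan output (new lines 91-171 of the template) carries identifiers that look like they came straight from the author's environment: a service principal in `principal_id`, the same subscription ID in every `scope`, the `polaris_azure_subscription` resource ID, and role names prefixed `Terraform3 - Azure Permissions Example ...`; replace these with obvious placeholders so they are not copied into a real configuration. Two things the surrounding text should also explain, because a reader comparing their own plan against this one will stop on them: `azurerm_role_definition.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"]` is planned with no `permissions` block at all while the subscription-level definition carries the full `actions`/`data_actions` list, so state whether an empty resource-group role is expected for this feature; and the subscription-scoped role includes `Microsoft.Storage/storageAccounts/delete` and `.../containers/blobs/delete`, assigned to the principal on the whole subscription by `azurerm_role_assignment.subscription`, which deserves one sentence so readers can judge the scope of what they are granting before they apply. Since this template is identical to the `docs/` copy in the same commit, keeping the two in sync is fine; just make sure any fix lands in both.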
