@@ -75,8 +75,102 @@ similar to this will occur:
7575}
7676```
7777This is expected, since the ` cloud_native_blob_protection ` is not in the Terraform configuration. Do NOT apply the diff,
78- instead add the ` cloud_native_blob_protection ` definition that Terraform wants to remove to your configuration. When the
79- configuration has been updated correctly, there will be no diff when running ` terraform plan ` .
78+ instead add the ` cloud_native_blob_protection ` definition that Terraform wants to remove to your configuration. Note,
79+ the Cloud Native Blob Protection feature requires additional role definitions and role assignments. By passing the
80+ ` CLOUD_NATIVE_BLOB_PROTECTION ` value to the ` polaris_azure_permissions ` data source, and using the
81+ ` polaris_azure_permissions ` data source as input to the ` azurerm_role_definition ` and ` azurerm_role_assignment `
82+ resources, the required role definitions and role assignments will be created, see
83+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L72 ) ,
84+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L107 )
85+ and
86+ [ here] ( https://github.com/rubrikinc/terraform-provider-polaris-examples/blob/d2b0bf0b5458b3cd3ebcc6ab401a43f4daa89cd7/azure/main.tf#L123 )
87+ in the example.
88+
89+ After updating the ` polaris_azure_permissions ` data source and adding the ` cloud_native_blob_protection ` nested schema
90+ to the configuration, a diff similar to this will occur:
91+ ``` hcl
92+ # azurerm_role_assignment.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
93+ + resource "azurerm_role_assignment" "resource_group" {
94+ + id = (known after apply)
95+ + name = (known after apply)
96+ + principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
97+ + principal_type = (known after apply)
98+ + role_definition_id = (known after apply)
99+ + role_definition_name = (known after apply)
100+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
101+ + skip_service_principal_aad_check = (known after apply)
102+ }
103+
104+ # azurerm_role_assignment.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
105+ + resource "azurerm_role_assignment" "subscription" {
106+ + id = (known after apply)
107+ + name = (known after apply)
108+ + principal_id = "32bbeaba-92b4-4162-9a69-0d39753b82c7"
109+ + principal_type = (known after apply)
110+ + role_definition_id = (known after apply)
111+ + role_definition_name = (known after apply)
112+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
113+ + skip_service_principal_aad_check = (known after apply)
114+ }
115+
116+ # azurerm_role_definition.resource_group["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
117+ + resource "azurerm_role_definition" "resource_group" {
118+ + assignable_scopes = (known after apply)
119+ + id = (known after apply)
120+ + name = "Terraform3 - Azure Permissions Example Resource Group Level - CLOUD_NATIVE_BLOB_PROTECTION"
121+ + role_definition_id = (known after apply)
122+ + role_definition_resource_id = (known after apply)
123+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6/resourceGroups/terraform-azure-permissions-example"
124+ }
125+
126+ # azurerm_role_definition.subscription["CLOUD_NATIVE_BLOB_PROTECTION"] will be created
127+ + resource "azurerm_role_definition" "subscription" {
128+ + assignable_scopes = (known after apply)
129+ + id = (known after apply)
130+ + name = "Terraform3 - Azure Permissions Example Subscription Level - CLOUD_NATIVE_BLOB_PROTECTION"
131+ + role_definition_id = (known after apply)
132+ + role_definition_resource_id = (known after apply)
133+ + scope = "/subscriptions/18677418-4fe7-43db-baf1-99646d610dd6"
134+
135+ + permissions {
136+ + actions = [
137+ + "Microsoft.Insights/Metrics/Read",
138+ + "Microsoft.Resources/subscriptions/resourceGroups/read",
139+ + "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
140+ + "Microsoft.Storage/storageAccounts/blobServices/containers/read",
141+ + "Microsoft.Storage/storageAccounts/blobServices/containers/write",
142+ + "Microsoft.Storage/storageAccounts/delete",
143+ + "Microsoft.Storage/storageAccounts/read",
144+ + "Microsoft.Storage/storageAccounts/write",
145+ ]
146+ + data_actions = [
147+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
148+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
149+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
150+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
151+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
152+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
153+ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
154+ ]
155+ + not_actions = []
156+ }
157+ }
158+
159+ # polaris_azure_subscription.subscription will be updated in-place
160+ ~ resource "polaris_azure_subscription" "subscription" {
161+ id = "60967b1e-20cb-4b61-acf6-454a55599b82"
162+ # (4 unchanged attributes hidden)
163+
164+ ~ cloud_native_blob_protection {
165+ + permissions = "b7dba84b286e4088f12b3a90852483add05b68f17be9cdab5e5eac055b6584d6"
166+ # (3 unchanged attributes hidden)
167+ }
168+
169+ # (1 unchanged block hidden)
170+ }
171+ ```
172+ If the only thing changing is the ` permissions ` field of the nested ` cloud_native_blob_protection ` schema, along with
173+ new Cloud Native Blob Protection role definitions and role assignments, the diff can be applied without any issues.
80174
81175### New Permissions Field
82176A new ` permissions ` field has been added to the nested ` role ` schema of the ` polaris_aws_cnp_account_attachments `
0 commit comments