Add terraform-azure-permissions module

README.md

@@ -22,6 +22,7 @@ This repository contains a number of Terraform modules for creation of the pre-r
 | [terraform-azure-resource-group](modules/terraform-azure-resource-group/README.md) | Module for creation of a Resource Group on Azure. Can be used for creation of the pre-requisite resource group for Cloudera Data Platform (CDP) Public Cloud. |
 | [terraform-azure-vnet](modules/terraform-azure-vnet/README.md) | Module for creation of the Virtual Network (VNET) on Azure. Can be used for creation of the pre-requisite VNet and subnets for Cloudera Data Platform (CDP) Public Cloud. |
 | [terraform-azure-cred-permissions](modules/terraform-azure-cred-permissions/README.md) | Module for creation of the Cross Account Credential pre-requisites on Azure. Note that this module is called from the terraform-cdp-azure-prereqs module. |
+| [terraform-azure-permissions](modules/terraform-azure-permissions/README.md) | Module for creation of the Azure Managed Identity and Role Assignments required for Cloudera on Azure. Note that this module is called from the terraform-cdp-azure-prereqs module. |
 | [terraform-azure-bastion](modules/terraform-azure-bastion/README.md) | Module to create a Bastion Virtual Machine instance on Azure. |
 | [terraform-azure-nfs](modules/terraform-azure-nfs/README.md) | Module for creation of Azure NFS File Share required for Cloudera Machine Learning (CML) Public Cloud. Also optionally creates a Virtual Machine which can be used to mount and set the required ownership for CML workspace's projects folder.|
 | [terraform-azure-cdw-permissions](modules/terraform-azure-cdw-permissions/README.md) | Module for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service.|

modules/terraform-azure-permissions/.terraform-docs.yaml

@@ -0,0 +1,21 @@
+formatter: markdown
+header-from: doc_fragments/header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

modules/terraform-azure-permissions/README.md

@@ -0,0 +1,88 @@
+<!-- BEGIN_TF_DOCS -->
+# Terraform Module for Cloudera on Azure Environment Permissions
+
+This module contains resource files and example variable definition files for creation of Azure Managed Identity and Role Assignments required for Cloudera on Azure.
+
+## Usage
+
+The [examples](./examples) directory has examples of Azure Resource Group creation:
+
+* `ex01-minimal-inputs` uses the minimum set of inputs for the module.
+
+In each directory an example `terraform.tfvars.sample` values file is included to show input variable values.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.cdp_datalake_admin_backup_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_datalake_admin_data_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_datalake_admin_log_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_idbroker_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_log_data_access_backup_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_log_data_access_log_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_ranger_audit_backup_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_ranger_audit_data_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_ranger_audit_log_container_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cdp_raz_data_storage_assign](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_user_assigned_identity.cdp_datalake_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.cdp_idbroker](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.cdp_log_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.cdp_ranger_audit_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.cdp_raz](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_azure_region"></a> [azure\_region](#input\_azure\_region) | Region which Cloud resources will be created | `string` | n/a | yes |
+| <a name="input_backup_storage_container_id"></a> [backup\_storage\_container\_id](#input\_backup\_storage\_container\_id) | Resource Manager ID of the Backup Storage Container | `string` | n/a | yes |
+| <a name="input_data_storage_container_id"></a> [data\_storage\_container\_id](#input\_data\_storage\_container\_id) | Resource Manager ID of the Data Storage Container | `string` | n/a | yes |
+| <a name="input_datalake_admin_backup_container_role_assignments"></a> [datalake\_admin\_backup\_container\_role\_assignments](#input\_datalake\_admin\_backup\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_datalake_admin_data_container_role_assignments"></a> [datalake\_admin\_data\_container\_role\_assignments](#input\_datalake\_admin\_data\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_datalake_admin_log_container_role_assignments"></a> [datalake\_admin\_log\_container\_role\_assignments](#input\_datalake\_admin\_log\_container\_role\_assignments) | List of Role Assignments for the Datalake Admin Managed Identity assigned to the Logs Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_datalake_admin_managed_identity_name"></a> [datalake\_admin\_managed\_identity\_name](#input\_datalake\_admin\_managed\_identity\_name) | Datalake Admin Managed Identity name | `string` | n/a | yes |
+| <a name="input_enable_raz"></a> [enable\_raz](#input\_enable\_raz) | Flag to enable Ranger Authorization Service (RAZ) | `bool` | n/a | yes |
+| <a name="input_idbroker_managed_identity_name"></a> [idbroker\_managed\_identity\_name](#input\_idbroker\_managed\_identity\_name) | IDBroker Managed Identity name | `string` | n/a | yes |
+| <a name="input_idbroker_role_assignments"></a> [idbroker\_role\_assignments](#input\_idbroker\_role\_assignments) | List of Role Assignments for the IDBroker Managed Identity | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_log_data_access_managed_identity_name"></a> [log\_data\_access\_managed\_identity\_name](#input\_log\_data\_access\_managed\_identity\_name) | Log Data Access Managed Identity name | `string` | n/a | yes |
+| <a name="input_log_data_access_role_assignments"></a> [log\_data\_access\_role\_assignments](#input\_log\_data\_access\_role\_assignments) | List of Role Assignments for the Log Data Access Managed Identity. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_log_storage_container_id"></a> [log\_storage\_container\_id](#input\_log\_storage\_container\_id) | Resource Manager ID of the Log Storage Container | `string` | n/a | yes |
+| <a name="input_ranger_audit_backup_container_role_assignments"></a> [ranger\_audit\_backup\_container\_role\_assignments](#input\_ranger\_audit\_backup\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Backup Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_ranger_audit_data_access_managed_identity_name"></a> [ranger\_audit\_data\_access\_managed\_identity\_name](#input\_ranger\_audit\_data\_access\_managed\_identity\_name) | Ranger Audit Managed Identity name | `string` | n/a | yes |
+| <a name="input_ranger_audit_data_container_role_assignments"></a> [ranger\_audit\_data\_container\_role\_assignments](#input\_ranger\_audit\_data\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Data Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_ranger_audit_log_container_role_assignments"></a> [ranger\_audit\_log\_container\_role\_assignments](#input\_ranger\_audit\_log\_container\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_raz_managed_identity_name"></a> [raz\_managed\_identity\_name](#input\_raz\_managed\_identity\_name) | RAZ Managed Identity name | `string` | n/a | yes |
+| <a name="input_raz_storage_role_assignments"></a> [raz\_storage\_role\_assignments](#input\_raz\_storage\_role\_assignments) | List of Role Assignments for the Ranger Audit Managed Identity assigned to the Log Storage Container. | <pre>list(object({<br/>    role        = string<br/>    description = string<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Azrue Resource Group for Managed Identities. | `string` | n/a | yes |
+| <a name="input_data_storage_account_id"></a> [data\_storage\_account\_id](#input\_data\_storage\_account\_id) | Resource Manager ID of the Data Storage Account. Required only if RAZ is enabled. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to provised resources | `map(any)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_azure_datalakeadmin_identity_id"></a> [azure\_datalakeadmin\_identity\_id](#output\_azure\_datalakeadmin\_identity\_id) | Datalake Admin Managed Identity ID |
+| <a name="output_azure_idbroker_identity_id"></a> [azure\_idbroker\_identity\_id](#output\_azure\_idbroker\_identity\_id) | IDBroker Managed Identity ID |
+| <a name="output_azure_log_identity_id"></a> [azure\_log\_identity\_id](#output\_azure\_log\_identity\_id) | Log Data Access Managed Identity ID |
+| <a name="output_azure_ranger_audit_identity_id"></a> [azure\_ranger\_audit\_identity\_id](#output\_azure\_ranger\_audit\_identity\_id) | Ranger Audit Managed Identity ID |
+| <a name="output_azure_raz_identity_id"></a> [azure\_raz\_identity\_id](#output\_azure\_raz\_identity\_id) | RAZ Managed Identity ID. Value returned if RAZ is enabled |
+<!-- END_TF_DOCS -->

modules/terraform-azure-permissions/data.tf

@@ -0,0 +1,17 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Access information about Azure Subscription
+data "azurerm_subscription" "current" {}
+

modules/terraform-azure-permissions/doc_fragments/header.md

@@ -0,0 +1,11 @@
+# Terraform Module for Cloudera on Azure Environment Permissions
+
+This module contains resource files and example variable definition files for creation of Azure Managed Identity and Role Assignments required for Cloudera on Azure. 
+
+## Usage
+
+The [examples](./examples) directory has examples of Azure Resource Group creation:
+
+* `ex01-minimal-inputs` uses the minimum set of inputs for the module.
+
+In each directory an example `terraform.tfvars.sample` values file is included to show input variable values.

modules/terraform-azure-permissions/examples/ex01-minimal_inputs/main.tf

@@ -0,0 +1,128 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4.0.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+}
+
+# ------- Azure Resource Group -------
+module "rmgp" {
+  source = "../../../terraform-azure-resource-group"
+
+  resourcegroup_name = "${var.env_prefix}-rg"
+  azure_region       = var.azure_region
+
+  tags = merge(var.env_tags, { Name = "${var.env_prefix}-rg" })
+}
+
+
+# ------- Azure Storage Containers -------
+resource "azurerm_storage_account" "cdp_storage_location" {
+  # Create buckets for the unique list of buckets in data and log storage
+
+  name                = "${replace(var.env_prefix, "/[-_]/", "")}stor"
+  resource_group_name = module.rmgp.resource_group_name
+  location            = var.azure_region
+
+  public_network_access_enabled = false
+
+  account_kind             = "StorageV2"
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  is_hns_enabled           = true
+
+  tags = merge(var.env_tags, { Name = "${var.env_prefix}-stor" })
+}
+
+# Data Storage Objects
+resource "azurerm_storage_container" "cdp_data_storage" {
+
+  name                  = "data"
+  storage_account_id    = azurerm_storage_account.cdp_storage_location.id
+  container_access_type = "private"
+
+}
+
+# Log Storage Objects
+resource "azurerm_storage_container" "cdp_log_storage" {
+
+  name                  = "log"
+  storage_account_id    = azurerm_storage_account.cdp_storage_location.id
+  container_access_type = "private"
+
+}
+
+# Backup Storage Object
+resource "azurerm_storage_container" "cdp_backup_storage" {
+
+  name                  = "backup"
+  storage_account_id    = azurerm_storage_account.cdp_storage_location.id
+  container_access_type = "private"
+
+}
+
+# ------- Azure Permissions -------
+module "ex01_azure_permissions" {
+  source = "../.."
+
+  azure_region        = var.azure_region
+  resource_group_name = module.rmgp.resource_group_name
+
+  idbroker_managed_identity_name = "${var.env_prefix}-idbroker-identity"
+  idbroker_role_assignments      = var.idbroker_role_assignments
+
+  datalake_admin_managed_identity_name             = "${var.env_prefix}-datalake-admin-identity"
+  datalake_admin_data_container_role_assignments   = var.datalake_admin_data_container_role_assignments
+  datalake_admin_log_container_role_assignments    = var.datalake_admin_log_container_role_assignments
+  datalake_admin_backup_container_role_assignments = var.datalake_admin_backup_container_role_assignments
+
+  data_storage_container_id   = azurerm_storage_container.cdp_data_storage.id
+  log_storage_container_id    = azurerm_storage_container.cdp_log_storage.id
+  backup_storage_container_id = azurerm_storage_container.cdp_backup_storage.id
+
+  log_data_access_managed_identity_name = "${var.env_prefix}-log-data-access-identity"
+  log_data_access_role_assignments      = var.log_data_access_role_assignments
+
+  ranger_audit_data_access_managed_identity_name = "${var.env_prefix}-ranger-audit-identity"
+  ranger_audit_data_container_role_assignments   = var.ranger_audit_data_container_role_assignments
+  ranger_audit_log_container_role_assignments    = var.ranger_audit_log_container_role_assignments
+  ranger_audit_backup_container_role_assignments = var.ranger_audit_backup_container_role_assignments
+
+  enable_raz                   = var.enable_raz
+  data_storage_account_id      = var.enable_raz ? azurerm_storage_account.cdp_storage_location.id : null
+  raz_managed_identity_name    = "${var.env_prefix}-raz-identity"
+  raz_storage_role_assignments = var.raz_storage_role_assignments
+
+  depends_on = [
+    azurerm_storage_container.cdp_data_storage,
+    azurerm_storage_container.cdp_log_storage,
+    azurerm_storage_container.cdp_backup_storage,
+    module.rmgp
+  ]
+}

modules/terraform-azure-permissions/examples/ex01-minimal_inputs/outputs.tf

@@ -0,0 +1,42 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. 
+
+output "azure_idbroker_identity_id" {
+  value = module.ex01_azure_permissions.azure_idbroker_identity_id
+
+  description = "IDBroker Managed Identity ID"
+}
+
+output "azure_datalakeadmin_identity_id" {
+  value = module.ex01_azure_permissions.azure_datalakeadmin_identity_id
+
+  description = "Datalake Admin Managed Identity ID"
+}
+
+output "azure_log_identity_id" {
+  value       = module.ex01_azure_permissions.azure_log_identity_id
+  description = "Log Data Access Managed Identity ID"
+}
+
+output "azure_ranger_audit_identity_id" {
+  value = module.ex01_azure_permissions.azure_ranger_audit_identity_id
+
+  description = "Ranger Audit Managed Identity ID"
+}
+
+output "azure_raz_identity_id" {
+  value = module.ex01_azure_permissions.azure_raz_identity_id
+
+  description = "RAZ Managed Identity ID. Value returned if RAZ is enabled"
+}