pagopa · Krusty93 · Jan 17, 2025 · Jan 17, 2025
@@ -9,6 +9,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_apim"></a> [apim](#module\_apim) | ./modules/apim | n/a |
 | <a name="module_cosmos"></a> [cosmos](#module\_cosmos) | ./modules/cosmos | n/a |
 | <a name="module_event_hub"></a> [event\_hub](#module\_event\_hub) | ./modules/event_hub | n/a |
 | <a name="module_key_vault"></a> [key\_vault](#module\_key\_vault) | ./modules/key_vault | n/a |
@@ -23,6 +24,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_apim"></a> [apim](#input\_apim) | A list of APIM role assignments | <pre>list(object({<br/>    name                = string<br/>    resource_group_name = string<br/>    role                = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_cosmos"></a> [cosmos](#input\_cosmos) | A list of CosmosDB role assignments | <pre>list(object({<br/>    account_name        = string<br/>    resource_group_name = string<br/>    role                = string<br/>    database            = optional(string, "*")<br/>    collections         = optional(list(string), ["*"])<br/>  }))</pre> | `[]` | no |
 | <a name="input_event_hub"></a> [event\_hub](#input\_event\_hub) | A list of event hub role assignments | <pre>list(object({<br/>    namespace_name      = string<br/>    resource_group_name = string<br/>    event_hub_names     = optional(list(string), ["*"])<br/>    role                = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | A list of key vault role assignments | <pre>list(object({<br/>    name                = string<br/>    resource_group_name = string<br/>    roles = object({<br/>      secrets      = optional(string, "")<br/>      certificates = optional(string, "")<br/>      keys         = optional(string, "")<br/>    })<br/><br/>    override_roles = optional(object({<br/>      secrets      = optional(list(string), [])<br/>      certificates = optional(list(string), [])<br/>      keys         = optional(list(string), [])<br/>      }), {<br/>      secrets      = []<br/>      certificates = []<br/>      keys         = []<br/>    })<br/>  }))</pre> | `[]` | no |

@@ -33,4 +33,11 @@ module "storage_account" {
   storage_blob  = var.storage_blob
   storage_queue = var.storage_queue
   storage_table = var.storage_table
-}
+}
+
+module "apim" {
+  source = "./modules/apim"
+
+  principal_id = var.principal_id
+  apim         = var.apim
+}
@@ -0,0 +1,31 @@
+# apim
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_api_management.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_apim"></a> [apim](#input\_apim) | A list of APIM role assignments | <pre>list(object({<br/>    name                = string<br/>    resource_group_name = string<br/>    role                = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_principal_id"></a> [principal\_id](#input\_principal\_id) | The ID of the principal to which assign roles. It can be a managed identity. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_azurerm_role_assignment"></a> [azurerm\_role\_assignment](#output\_azurerm\_role\_assignment) | n/a |
+<!-- END_TF_DOCS -->
@@ -0,0 +1,6 @@
+data "azurerm_api_management" "this" {
+  for_each = { for apim in local.apims : "${apim.resource_group_name}|${apim.name}" => apim }
+
+  name                = each.value.name
+  resource_group_name = each.value.resource_group_name
+}
@@ -0,0 +1,9 @@
+locals {
+  apims = distinct([for assignment in var.apim : { name = assignment.name, resource_group_name = assignment.resource_group_name }])
+
+  role_definition_name = {
+    reader = "API Management Service Reader"
+    writer = "API Management Service Editor"
+    owner  = "API Management Service Contributor"
+  }
+}
@@ -0,0 +1,6 @@
+resource "azurerm_role_assignment" "this" {
+  for_each             = { for apim in var.apim : "${apim.resource_group_name}|${apim.name}|${apim.role}" => apim }
+  role_definition_name = local.role_definition_name[lower(each.value.role)]
+  scope                = data.azurerm_api_management.this["${each.value.resource_group_name}|${each.value.name}"].id
+  principal_id         = var.principal_id
+}
@@ -0,0 +1,3 @@
+output "azurerm_role_assignment" {
+  value = azurerm_role_assignment.this
+}
@@ -0,0 +1,27 @@
+variable "principal_id" {
+  description = "The ID of the principal to which assign roles. It can be a managed identity."
+  type        = string
+}
+
+variable "apim" {
+  description = "A list of APIM role assignments"
+  type = list(object({
+    name                = string
+    resource_group_name = string
+    role                = string
+  }))
+
+  validation {
+    condition = alltrue([
+      for assignment in var.apim : contains(["reader", "writer", "owner"], assignment.role)
+    ])
+    error_message = "The role must be set either to \"reader\", \"writer\" or \"owner\""
+  }
+
+  validation {
+    condition     = length(var.apim) == length(distinct(var.apim))
+    error_message = "Each assignment must be unique. Found ${length(var.apim) - length(distinct(var.apim))} duplicates."
+  }
+
+  default = []
+}
@@ -21,8 +21,8 @@ run "setup_tests" {
   }
 }
 
-run "rbac_role_assignment_is_correct_apply" {
-  command = apply
+run "rbac_role_assignment_is_correct" {
+  command = plan
 
   variables {
     principal_id = run.setup_tests.principal_id
@@ -36,6 +36,24 @@ run "rbac_role_assignment_is_correct_apply" {
         }
       }
     ]
+
+    apim = [
+      {
+        name                = "dx-d-itn-playground-pg-apim-01"
+        resource_group_name = "dx-d-itn-test-rg-01"
+        role                = "owner"
+      },
+      {
+        name                = "dx-d-itn-playground-pg-apim-01"
+        resource_group_name = "dx-d-itn-test-rg-01"
+        role                = "writer"
+      },
+      {
+        name                = "dx-d-itn-playground-pg-apim-01"
+        resource_group_name = "dx-d-itn-test-rg-01"
+        role                = "reader"
+      }
+    ]
   }
 
   # Checks some assertions
@@ -48,4 +66,19 @@ run "rbac_role_assignment_is_correct_apply" {
     condition     = module.key_vault.secrets_role_assignment["dx-d-itn-common-rg-01|dx-d-itn-common-kv-01|reader"].principal_id == run.setup_tests.principal_id
     error_message = "The role assignment must be assigned to the correct managed identity"
   }
+
+  assert {
+    condition     = module.apim.azurerm_role_assignment["dx-d-itn-test-rg-01|dx-d-itn-playground-pg-apim-01|owner"].role_definition_name == "API Management Service Contributor"
+    error_message = "The role assigned must be API Management Service Contributor"
+  }
+
+  assert {
+    condition     = module.apim.azurerm_role_assignment["dx-d-itn-test-rg-01|dx-d-itn-playground-pg-apim-01|writer"].role_definition_name == "API Management Service Editor"
+    error_message = "The role assigned must be API Management Service Editor"
+  }
+
+  assert {
+    condition     = module.apim.azurerm_role_assignment["dx-d-itn-test-rg-01|dx-d-itn-playground-pg-apim-01|reader"].role_definition_name == "API Management Service Reader"
+    error_message = "The role assigned must be API Management Service Reader"
+  }
 }
@@ -100,4 +100,15 @@ variable "event_hub" {
   }))
 
   default = []
-}
+}
+
+variable "apim" {
+  description = "A list of APIM role assignments"
+  type = list(object({
+    name                = string
+    resource_group_name = string
+    role                = string
+  }))
+
+  default = []
+}