RBAC
Minimal RBAC with least privilege. Role assignments control who can access Azure resources and what operations they can perform.
Role assignments
| Principal | Role | Scope |
|---|---|---|
| Owner (you) | Owner | rg-jersal-projects-shared |
| Owner (you) | Owner | rg-jersal-site-sc |
| GitHub Actions OIDC | Contributor | rg-jersal-projects-shared |
| GitHub Actions OIDC | Contributor | rg-jersal-site-sc |
| GitHub Actions OIDC | Storage Blob Data Contributor | stjersalprojcore |
| GitHub Actions OIDC | Storage Blob Data Contributor | stjersalprojcoresite |
Terraform wiring
Role assignments are optional and can be provided via rbac_assignments in
terraform/envs/shared and terraform/envs/site. The RBAC module uses for_each
over assignment objects, keyed by "${principal_id}-${role_definition_name}-${scope}".
Example variable value:

```hcl
rbac_assignments = [
  {
    principal_id         = "<principal-id>"
    role_definition_name = "Contributor"
    scope                = "/subscriptions/<subscription-id>/resourceGroups/rg-jersal-projects-shared"
  }
]
```
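The following is an added illustration of the for_each wiring described above, not the project's own RBAC module source. It assumes the variable is named rbac_assignments with the three attributes shown, that the azurerm provider is configured, and that the map key uses the same "${principal_id}-${role_definition_name}-${scope}" pattern the text names.

```hcl
# Added example of the for_each wiring; the variable shape and resource names
# are assumptions, not the project's module code.

variable "rbac_assignments" {
  description = "Optional role assignments. An empty list creates nothing."
  type = list(object({
    principal_id         = string
    role_definition_name = string
    scope                = string
  }))
  default = []
}

locals {
  # Key each assignment by principal, role and scope so the resource address is
  # stable when the list is reordered; a duplicate triple collapses to one key
  # instead of producing two conflicting assignments.
  rbac_assignments_by_key = {
    for a in var.rbac_assignments :
    "${a.principal_id}-${a.role_definition_name}-${a.scope}" => a
  }
}

resource "azurerm_role_assignment" "this" {
  for_each = local.rbac_assignments_by_key

  # Scope is whatever the caller passes: a resource group or a single storage
  # account, never the subscription, which keeps each grant to least privilege.
  scope                = each.value.scope
  role_definition_name = each.value.role_definition_name
  principal_id         = each.value.principal_id
}

output "role_assignment_ids" {
  description = "Map of assignment key to Azure role assignment resource id."
  value       = { for k, r in azurerm_role_assignment.this : k => r.id }
}
```

Because the key embeds the scope, moving an assignment from one resource group to another is planned as a destroy of the old key and a create of the new one, which is the review-visible behaviour you want for permission changes.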
Security
Keep secrets out of GitHub variables. Use OIDC for Actions authentication -- no stored credentials. See OIDC setup for details.
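As an added example of what "OIDC, no stored credentials" means on the Azure side (this is not the project's OIDC setup page), the federated credential below trusts GitHub's token issuer for one repository and one branch, so the workflow never holds a client secret. It assumes the azuread provider at version 3.x (attribute names differ in 2.x); the repository slug and display names are placeholders.

```hcl
# Added example, not the project's own OIDC configuration. Provider version
# (azuread >= 3.0) and all names are assumptions.

resource "azuread_application" "github_actions" {
  display_name = "github-actions-oidc" # placeholder name
}

resource "azuread_service_principal" "github_actions" {
  client_id = azuread_application.github_actions.client_id
}

# Trust only tokens minted by GitHub for one repo and one branch. A workflow in
# another repository, or on a feature branch, cannot exchange its token for an
# Azure access token because the subject claim will not match.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_id = azuread_application.github_actions.id
  display_name   = "github-main-branch"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:<github-org>/<repo>:ref:refs/heads/main" # placeholder slug
}

# This object id is the principal_id to put in rbac_assignments so the
# Contributor and Storage Blob Data Contributor grants land on the OIDC identity.
output "github_actions_principal_id" {
  value = azuread_service_principal.github_actions.object_id
}
```

The subject claim is the control point: narrowing it to a branch (or a GitHub environment) is what limits which runs can assume the role, and there is nothing in GitHub variables to leak because no secret exists.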