RBACs added

Author: brown9804

README.md

@@ -75,7 +75,11 @@ terraform validate
 terraform apply -auto-approve
 ```
 
-3) In Azure portal, open the Artifact Signing account and complete **Identity validation** (portal-only).
+3) Artifact Signing **identity verification / identity validation** (portal-only):
+
+- In Azure portal, open the Artifact Signing account and complete **Identity validation**.
+- This is required by the service and cannot be automated by Terraform.
+- If the portal says you need **Artifact Signing Identity Verifier**, re-run Terraform (it assigns this role to the identity running `terraform apply` by default) and wait a few minutes for RBAC to propagate.
 
 4) Copy the **Identity validation Id** from the portal and set it in Key Vault:
 
@@ -112,14 +116,18 @@ terraform apply -auto-approve -var-file=terraform.tfvars -var-file=terraform.ado
 
 Alternative: set `ado_enabled = true` and `ado_org_service_url` in `terraform.tfvars`.
 
+> If you prefer variables over env vars, you can also set `$env:TF_VAR_ado_org_service_url = "https://dev.azure.com/<your-org>"`.
+
 4) Terraform will:
 - create the Azure DevOps project + repo + YAML pipeline
 - create the AzureRM service connection using Workload Identity Federation (WIF)
 - read the generated WIF Issuer/Subject and create the Entra federated credential
 
 Notes:
+- Artifact Signing identity validation remains **portal-only** even when Azure DevOps is Terraform-managed. Treat it as part of the "Deploy with Terraform" flow above (once completed, store the Id in Key Vault and the pipeline can create the certificate profile automatically).
 - The `WorkloadIdentityFederation` auth scheme requires your org feature to be enabled. If your org can’t use it yet, set `ado_service_endpoint_authentication_scheme = "ServicePrincipal"` and also set `TF_VAR_ado_service_principal_client_secret` for the service principal secret.
 - Terraform creates an empty repo. You still need to push this repo’s code into the Azure DevOps repo (Terraform will output the clone URL).
+- Least privilege: by default this repo does **not** grant RG `Contributor` to the Azure DevOps service principal. If you want the pipeline to auto-create the certificate profile, set `assign_contributor_role_to_ado_sp = true`.
 
 ## Pipeline
 
@@ -144,8 +152,19 @@ Optional (only used when creating the certificate profile):
 ### Azure Key Vault for pipeline variables
 
 Terraform creates a Key Vault by default and wires RBAC so:
-- your current identity can set secrets
-- the Azure DevOps service principal can read secrets
+- your current identity (the identity running `terraform apply`) can set secrets (`Key Vault Secrets Officer`)
+- the Azure DevOps service principal can read secrets (`Key Vault Secrets User`)
+
+> This Key Vault is **RBAC-enabled** (`rbac_authorization_enabled = true`). You will see access under **Key Vault → Access control (IAM)** (not under “Access policies”).
+
+Least privilege options:
+- Set `keyvault_populate_secrets = false` if you do not want Terraform to write secrets into Key Vault (you can manage secrets yourself and/or set pipeline variables another way).
+- The pipeline does not attempt to self-assign RBAC by default (it only does if `pipeline_attempt_rbac_assignment = true`).
+- If you want to view **Keys** and/or **Certificates** in the Azure portal, opt in to RBAC for your current identity:
+  - `keyvault_grant_keys_access_to_current = true` (assigns `Key Vault Crypto User`)
+  - `keyvault_grant_certificates_access_to_current = true` (assigns `Key Vault Certificates User`)
+  - Or, if you want the simplest “make the portal work” option (broad permissions):
+    - `keyvault_grant_administrator_to_current = true` (assigns `Key Vault Administrator`)
 
 Terraform also populates these Key Vault secrets during `terraform apply`:
 - `artifactSigningEndpoint`

terraform-infrastructure/main.tf

@@ -33,13 +33,24 @@ locals {
     length(trimspace(var.ado_wif_subject == null ? "" : var.ado_wif_subject)) > 0
   ) ? trimspace(var.ado_wif_subject == null ? "" : var.ado_wif_subject) : try(azuredevops_serviceendpoint_azurerm.azurerm[0].workload_identity_federation_subject, null)
 
+  # Object id for the ADO service principal, regardless of whether Terraform created it
+  # or you provided an existing client id.
+  ado_sp_object_id_effective = var.ado_enabled ? (
+    var.ado_create_app ? try(azuread_service_principal.ado_sp[0].object_id, null) : try(data.azuread_service_principal.ado_sp_existing[0].object_id, null)
+  ) : null
+
   keyvault_name_input = var.keyvault_name != null ? trimspace(var.keyvault_name) : ""
 }
 
 data "azurerm_client_config" "current" {}
 
 data "azurerm_subscription" "current" {}
 
+data "azuread_service_principal" "ado_sp_existing" {
+  count     = var.ado_enabled && !var.ado_create_app ? 1 : 0
+  client_id = local.ado_sp_client_id
+}
+
 resource "azurerm_resource_group" "rg" {
   name     = var.resource_group_name
   location = var.location
@@ -62,6 +73,14 @@ resource "azapi_resource" "code_signing_account" {
   }
 }
 
+resource "azurerm_role_assignment" "current_identity_verifier" {
+  count = var.assign_identity_verifier_role_to_current ? 1 : 0
+
+  scope                = azapi_resource.code_signing_account.id
+  role_definition_name = "Artifact Signing Identity Verifier"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
 resource "azapi_resource" "certificate_profile" {
   count     = var.identity_validation_id == null ? 0 : 1
   type      = "Microsoft.CodeSigning/codeSigningAccounts/certificateProfiles@2025-10-13"
@@ -101,27 +120,27 @@ resource "azuread_application_federated_identity_credential" "ado_fic" {
 }
 
 resource "azurerm_role_assignment" "ado_account_signer" {
-  count = var.assign_signer_role_to_ado_sp && var.ado_enabled && var.ado_create_app ? 1 : 0
+  count = var.assign_signer_role_to_ado_sp_at_account_scope && var.ado_enabled ? 1 : 0
 
   scope                = azapi_resource.code_signing_account.id
   role_definition_name = "Artifact Signing Certificate Profile Signer"
-  principal_id         = azuread_service_principal.ado_sp[0].object_id
+  principal_id         = local.ado_sp_object_id_effective
 }
 
 resource "azurerm_role_assignment" "ado_profile_signer" {
-  count = var.assign_signer_role_to_ado_sp && var.ado_enabled && var.ado_create_app && length(azapi_resource.certificate_profile) > 0 ? 1 : 0
+  count = var.assign_signer_role_to_ado_sp && var.ado_enabled && length(azapi_resource.certificate_profile) > 0 ? 1 : 0
 
   scope                = azapi_resource.certificate_profile[0].id
   role_definition_name = "Artifact Signing Certificate Profile Signer"
-  principal_id         = azuread_service_principal.ado_sp[0].object_id
+  principal_id         = local.ado_sp_object_id_effective
 }
 
 resource "azurerm_role_assignment" "ado_rg_contributor" {
-  count = var.assign_contributor_role_to_ado_sp && var.ado_enabled && var.ado_create_app ? 1 : 0
+  count = var.assign_contributor_role_to_ado_sp && var.ado_enabled ? 1 : 0
 
   scope                = azurerm_resource_group.rg.id
   role_definition_name = "Contributor"
-  principal_id         = azuread_service_principal.ado_sp[0].object_id
+  principal_id         = local.ado_sp_object_id_effective
 }
 
 resource "random_string" "kv_suffix" {
@@ -155,17 +174,38 @@ resource "azurerm_key_vault" "kv" {
 }
 
 resource "azurerm_role_assignment" "kv_secrets_officer_current" {
-  count                = var.keyvault_enabled ? 1 : 0
+  count                = var.keyvault_enabled && var.keyvault_populate_secrets ? 1 : 0
   scope                = azurerm_key_vault.kv[0].id
   role_definition_name = "Key Vault Secrets Officer"
   principal_id         = data.azurerm_client_config.current.object_id
 }
 
+resource "azurerm_role_assignment" "kv_crypto_user_current" {
+  count                = var.keyvault_enabled && var.keyvault_grant_keys_access_to_current ? 1 : 0
+  scope                = azurerm_key_vault.kv[0].id
+  role_definition_name = "Key Vault Crypto User"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "kv_certificates_user_current" {
+  count                = var.keyvault_enabled && var.keyvault_grant_certificates_access_to_current ? 1 : 0
+  scope                = azurerm_key_vault.kv[0].id
+  role_definition_name = "Key Vault Certificates User"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "kv_administrator_current" {
+  count                = var.keyvault_enabled && var.keyvault_grant_administrator_to_current ? 1 : 0
+  scope                = azurerm_key_vault.kv[0].id
+  role_definition_name = "Key Vault Administrator"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
 resource "azurerm_role_assignment" "kv_secrets_user_ado" {
-  count                = var.keyvault_enabled && var.ado_enabled && var.ado_create_app ? 1 : 0
+  count                = var.keyvault_enabled && var.ado_enabled ? 1 : 0
   scope                = azurerm_key_vault.kv[0].id
   role_definition_name = "Key Vault Secrets User"
-  principal_id         = azuread_service_principal.ado_sp[0].object_id
+  principal_id         = local.ado_sp_object_id_effective
 }
 
 resource "time_sleep" "kv_rbac_propagation" {
@@ -179,7 +219,7 @@ resource "time_sleep" "kv_rbac_propagation" {
 }
 
 resource "azurerm_key_vault_secret" "artifact_signing_endpoint" {
-  count        = var.keyvault_enabled ? 1 : 0
+  count        = var.keyvault_enabled && var.keyvault_populate_secrets ? 1 : 0
   key_vault_id = azurerm_key_vault.kv[0].id
   name         = "artifactSigningEndpoint"
   value        = local.artifact_signing_endpoint != null ? local.artifact_signing_endpoint : " "
@@ -191,7 +231,7 @@ resource "azurerm_key_vault_secret" "artifact_signing_endpoint" {
 }
 
 resource "azurerm_key_vault_secret" "artifact_signing_account_name" {
-  count        = var.keyvault_enabled ? 1 : 0
+  count        = var.keyvault_enabled && var.keyvault_populate_secrets ? 1 : 0
   key_vault_id = azurerm_key_vault.kv[0].id
   name         = "artifactSigningAccountName"
   value        = azapi_resource.code_signing_account.name
@@ -203,7 +243,7 @@ resource "azurerm_key_vault_secret" "artifact_signing_account_name" {
 }
 
 resource "azurerm_key_vault_secret" "artifact_signing_certificate_profile_name" {
-  count        = var.keyvault_enabled ? 1 : 0
+  count        = var.keyvault_enabled && var.keyvault_populate_secrets ? 1 : 0
   key_vault_id = azurerm_key_vault.kv[0].id
   name         = "artifactSigningCertificateProfileName"
   value        = var.certificate_profile_name
@@ -215,7 +255,7 @@ resource "azurerm_key_vault_secret" "artifact_signing_certificate_profile_name"
 }
 
 resource "azurerm_key_vault_secret" "artifact_signing_identity_validation_id" {
-  count        = var.keyvault_enabled ? 1 : 0
+  count        = var.keyvault_enabled && var.keyvault_populate_secrets ? 1 : 0
   key_vault_id = azurerm_key_vault.kv[0].id
   name         = "artifactSigningIdentityValidationId"
   value        = local.identity_validation_id_trimmed != "" ? local.identity_validation_id_trimmed : " "
@@ -324,7 +364,7 @@ resource "azuredevops_variable_group" "signing" {
 
   variable {
     name  = "adoServicePrincipalObjectId"
-    value = var.ado_create_app ? azuread_service_principal.ado_sp[0].object_id : ""
+    value = var.pipeline_attempt_rbac_assignment && local.ado_sp_object_id_effective != null ? local.ado_sp_object_id_effective : ""
   }
 }
 

terraform-infrastructure/outputs.tf

@@ -35,8 +35,8 @@ output "ado_app_client_id" {
 }
 
 output "ado_sp_object_id" {
-  value       = var.ado_enabled && var.ado_create_app ? azuread_service_principal.ado_sp[0].object_id : null
-  description = "Object ID for the service principal. Useful for troubleshooting RBAC."
+  value       = var.ado_enabled ? local.ado_sp_object_id_effective : null
+  description = "Object ID for the Azure DevOps service principal used by the service connection (useful for troubleshooting RBAC)."
 }
 
 output "ado_project_id" {

terraform-infrastructure/provider.tf

@@ -40,5 +40,9 @@ provider "azuread" {}
 provider "azuredevops" {
   # Provider blocks can't be conditional. Use a syntactically-valid placeholder URL when
   # Azure DevOps resources are disabled so non-ADO applies still work.
-  org_service_url = var.ado_enabled ? var.ado_org_service_url : "https://dev.azure.com/unused"
+  # When ado_enabled=true and ado_org_service_url is null/empty, the azuredevops provider can
+  # read AZDO_ORG_SERVICE_URL from the environment.
+  org_service_url = var.ado_enabled ? (
+    length(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)) > 0 ? trimspace(var.ado_org_service_url) : null
+  ) : "https://dev.azure.com/unused"
 }

terraform-infrastructure/terraform.ado.tfvars

@@ -25,6 +25,16 @@ ado_service_connection_name = "sc-artifact-signing"
 # Default: secretless auth (requires org feature enabled)
 ado_service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
 
+# Least-privilege notes:
+# - By default, this repo no longer grants RG Contributor to the ADO SP.
+#   If you want the PIPELINE to auto-create the certificate profile (to avoid a second terraform apply),
+#   you can opt in by setting this to true:
+# assign_contributor_role_to_ado_sp = true
+#
+# - By default, the pipeline will NOT attempt to self-assign RBAC via az role assignment create.
+#   (RBAC should be handled by Terraform instead.)
+# pipeline_attempt_rbac_assignment = true
+
 # If your org can't use WIF yet, switch to ServicePrincipal and provide the secret via:
 #   $env:TF_VAR_ado_service_principal_client_secret = "..."
 # ado_service_endpoint_authentication_scheme = "ServicePrincipal"

terraform-infrastructure/terraform.tfvars

@@ -16,6 +16,10 @@ keyvault_enabled = true
 # Optional override (must be globally unique):
 # keyvault_name = "kvREPLACE_ME"
 
+# If you want full portal access (Secrets/Keys/Certificates) without needing separate RBAC roles,
+# grant the identity running `terraform apply` the Key Vault Administrator role.
+keyvault_grant_administrator_to_current = true
+
 # Azure DevOps Workload Identity Federation (optional)
 ado_enabled         = false
 ado_org_service_url = "https://dev.azure.com/REPLACE_ME"

terraform-infrastructure/variables.tf

@@ -96,12 +96,15 @@ variable "ado_org_service_url" {
   validation {
     condition = (
       var.ado_enabled == false || (
-        length(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)) > 0 &&
-        can(regex("^https://dev\\.azure\\.com/[^\\s/]+$", trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url))) &&
-        !strcontains(upper(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)), "REPLACE_ME")
+        # Either provide ado_org_service_url explicitly, OR leave it null/empty and let
+        # the azuredevops provider read AZDO_ORG_SERVICE_URL from the environment.
+        length(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)) == 0 || (
+          can(regex("^https://dev\\.azure\\.com/[^\\s/]+$", trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url))) &&
+          !strcontains(upper(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)), "REPLACE_ME")
+        )
       )
     )
-    error_message = "When ado_enabled=true you must set ado_org_service_url to a real org URL like https://dev.azure.com/your-org (not REPLACE_ME)."
+    error_message = "When ado_enabled=true set ado_org_service_url to a real org URL like https://dev.azure.com/your-org (not REPLACE_ME), or leave it null/empty and set env var AZDO_ORG_SERVICE_URL."
   }
 }
 
@@ -232,10 +235,28 @@ variable "assign_signer_role_to_ado_sp" {
   default     = true
 }
 
+variable "assign_signer_role_to_ado_sp_at_account_scope" {
+  type        = bool
+  description = "If true, assigns 'Artifact Signing Certificate Profile Signer' to the Azure DevOps service principal at the Code Signing ACCOUNT scope. This is broader than profile-scope; prefer false for least privilege."
+  default     = false
+}
+
+variable "assign_identity_verifier_role_to_current" {
+  type        = bool
+  description = "If true, assigns 'Artifact Signing Identity Verifier' on the Artifact Signing account to the identity running terraform apply. Required to complete identity validation in the Azure portal."
+  default     = true
+}
+
 variable "assign_contributor_role_to_ado_sp" {
   type        = bool
   description = "If true, assigns Contributor at the resource group scope to the Azure DevOps service principal. Required if you want the pipeline to create the certificate profile (so you don't need a second terraform apply)."
-  default     = true
+  default     = false
+}
+
+variable "pipeline_attempt_rbac_assignment" {
+  type        = bool
+  description = "If true, Terraform passes the ADO service principal object id to the pipeline so it can attempt az role assignment create. Prefer false for least privilege (do RBAC in Terraform instead)."
+  default     = false
 }
 
 variable "keyvault_enabled" {
@@ -244,6 +265,30 @@ variable "keyvault_enabled" {
   default     = true
 }
 
+variable "keyvault_populate_secrets" {
+  type        = bool
+  description = "If true, Terraform writes the artifactSigning* secrets into Key Vault during apply (requires data-plane RBAC on the vault). Set false for least privilege if you prefer managing secrets outside Terraform."
+  default     = true
+}
+
+variable "keyvault_grant_keys_access_to_current" {
+  type        = bool
+  description = "If true, grants the identity running terraform apply permission to view/use Key Vault Keys via RBAC (assigns 'Key Vault Crypto User'). Default false (least privilege)."
+  default     = false
+}
+
+variable "keyvault_grant_certificates_access_to_current" {
+  type        = bool
+  description = "If true, grants the identity running terraform apply permission to view/use Key Vault Certificates via RBAC (assigns 'Key Vault Certificates User'). Default false (least privilege)."
+  default     = false
+}
+
+variable "keyvault_grant_administrator_to_current" {
+  type        = bool
+  description = "If true, grants the identity running terraform apply full Key Vault administration rights via RBAC (assigns 'Key Vault Administrator'). Broad; prefer the narrower key/cert toggles when possible. Default false."
+  default     = false
+}
+
 variable "keyvault_name" {
   type        = string
   description = "Optional Key Vault name override (globally unique, 3-24 chars, alphanumeric). If null/empty and keyvault_enabled=true, Terraform generates a name."