Feature/azure storage bb integration

modules/azure/storage-account/backplane/README.md

@@ -108,8 +108,8 @@ module "storage_account_backplane" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.7.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.8 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4.64 |
 
 ## Modules
 
@@ -123,9 +123,9 @@ No modules.
 | [azuread_application_federated_identity_credential.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_application_password.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
 | [azuread_service_principal.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azurerm_role_assignment.created_principal](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.existing_principals](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_role_assignment.created_principal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.existing_principals](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 
 ## Inputs
 

modules/azure/storage-account/backplane/main.tf

@@ -14,11 +14,15 @@ resource "azuread_service_principal" "buildingblock_deploy" {
 
 
 # Create federated identity credentials (one per subject)
+# Use a map with static numeric string keys so that for_each keys are known at plan time,
+# even when subject values contain apply-time unknowns (e.g. building block definition UUIDs).
 resource "azuread_application_federated_identity_credential" "buildingblock_deploy" {
-  for_each = var.create_service_principal_name != null && var.workload_identity_federation != null ? toset(var.workload_identity_federation.subjects) : toset([])
+  for_each = var.create_service_principal_name != null && var.workload_identity_federation != null ? {
+    for i, s in var.workload_identity_federation.subjects : tostring(i) => s
+  } : {}
 
   application_id = azuread_application.buildingblock_deploy[0].id
-  display_name   = reverse(split(":", each.value))[0]
+  display_name   = "subject-${each.key}"
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = var.workload_identity_federation.issuer
   subject        = each.value

modules/azure/storage-account/backplane/versions.tf

@@ -4,11 +4,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.116.0"
+      version = "~> 4.64"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 3.7.0"
+      version = "~> 3.8"
     }
   }
 }

modules/azure/storage-account/buildingblock/README.md

@@ -37,9 +37,9 @@ provider "azurerm" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.1.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.18.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | 3.6.3 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.8 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4.64 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.8 |
 
 ## Modules
 
@@ -49,19 +49,18 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azurerm_resource_group.storage_account_rg](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/resources/resource_group) | resource |
-| [azurerm_storage_account.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/resources/storage_account) | resource |
-| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource |
-| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/data-sources/client_config) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/data-sources/subscription) | data source |
+| [azurerm_resource_group.storage_account_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_storage_account.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_location"></a> [location](#input\_location) | The location/region where the storage account is created. | `string` | n/a | yes |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | The name of the storage account. Must be unique across entire Azure Region, not just within a Subscription. | `string` | n/a | yes |
-| <a name="input_storage_account_resource_group_name"></a> [storage\_account\_resource\_group\_name](#input\_storage\_account\_resource\_group\_name) | The name of the resource group containing the storage account. | `string` | n/a | yes |
 
 ## Outputs
 

modules/azure/storage-account/buildingblock/main.tf

@@ -9,7 +9,7 @@ resource "random_string" "resource_code" {
 }
 
 resource "azurerm_resource_group" "storage_account_rg" {
-  name     = var.storage_account_resource_group_name
+  name     = "rg-${var.storage_account_name}"
   location = var.location
 }
 

modules/azure/storage-account/buildingblock/variables.tf

@@ -4,12 +4,6 @@ variable "storage_account_name" {
   description = "The name of the storage account. Must be unique across entire Azure Region, not just within a Subscription."
 }
 
-variable "storage_account_resource_group_name" {
-  type        = string
-  nullable    = false
-  description = "The name of the resource group containing the storage account."
-}
-
 variable "location" {
   type        = string
   description = "The location/region where the storage account is created."

modules/azure/storage-account/buildingblock/versions.tf

@@ -2,15 +2,15 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "4.18.0"
+      version = "~> 4.64"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "3.1.0"
+      version = "~> 3.8"
     }
     random = {
       source  = "hashicorp/random"
-      version = "3.6.3"
+      version = "~> 3.8"
     }
   }
 }