From 64725ebd546e9f61b8ac8ee5a04fc935ecfd5985 Mon Sep 17 00:00:00 2001 
From: Automatic Update Date: Mon, 6 May 2024 15:37:48 +0200 Subject: [PATCH 1/2] Remove networkmanager --- .../install_prerequisites_in_cluster.sh | 57 +---------- .../modules/networkmanager/main.tf | 14 --- .../modules/networkmanager/output.tf | 4 - .../modules/networkmanager/variables.tf | 19 ---- .../networkmanager_connectivity/main.tf | 15 --- .../networkmanager_connectivity/output.tf | 4 - .../networkmanager_connectivity/variables.tf | 19 ---- .../networkmanager_networkgroup/main.tf | 5 - .../networkmanager_networkgroup/output.tf | 4 - .../networkmanager_networkgroup/variables.tf | 9 -- .../modules/policyassignment/main.tf | 12 --- .../modules/policyassignment/output.tf | 4 - .../modules/policyassignment/variables.tf | 19 ---- .../subscriptions/s940/c2/clusters/main.tf | 2 +- .../s940/extmon/clusters/main.tf | 2 +- .../subscriptions/s940/prod/clusters/main.tf | 2 +- .../s940/prod/networkmanager/backend.tf | 24 ----- .../s940/prod/networkmanager/inputs.tf | 57 ----------- .../s940/prod/networkmanager/main.tf | 96 ------------------- .../s940/prod/post-clusters/vnet-peering.tf | 4 +- .../subscriptions/s941/dev/clusters/main.tf | 2 +- .../s941/playground/clusters/main.tf | 2 +- 22 files changed, 8 insertions(+), 368 deletions(-) delete mode 100644 terraform/subscriptions/modules/networkmanager/main.tf delete mode 100644 terraform/subscriptions/modules/networkmanager/output.tf delete mode 100644 terraform/subscriptions/modules/networkmanager/variables.tf delete mode 100644 terraform/subscriptions/modules/networkmanager_connectivity/main.tf delete mode 100644 terraform/subscriptions/modules/networkmanager_connectivity/output.tf delete mode 100644 terraform/subscriptions/modules/networkmanager_connectivity/variables.tf delete mode 100644 terraform/subscriptions/modules/networkmanager_networkgroup/main.tf delete mode 100644 terraform/subscriptions/modules/networkmanager_networkgroup/output.tf delete mode 100644 
terraform/subscriptions/modules/networkmanager_networkgroup/variables.tf delete mode 100644 terraform/subscriptions/modules/policyassignment/main.tf delete mode 100644 terraform/subscriptions/modules/policyassignment/output.tf delete mode 100644 terraform/subscriptions/modules/policyassignment/variables.tf delete mode 100644 terraform/subscriptions/s940/prod/networkmanager/backend.tf delete mode 100644 terraform/subscriptions/s940/prod/networkmanager/inputs.tf delete mode 100644 terraform/subscriptions/s940/prod/networkmanager/main.tf diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh index 880db2fa6..a7d7a462f 100755 --- a/scripts/velero/install_prerequisites_in_cluster.sh +++ b/scripts/velero/install_prerequisites_in_cluster.sh @@ -188,30 +188,6 @@ function cleanup() { rm -f "$CREDENTIALS_GENERATED_PATH" } -# function generateCredentialsFile() { -# local SP_JSON="$(az keyvault secret show \ -# --vault-name $AZ_RESOURCE_KEYVAULT \ -# --name $APP_REGISTRATION_VELERO | -# jq '.value | fromjson')" - -# # Set variables used in the manifest templates -# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID" -# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')" -# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')" -# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')" - -# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file -# CREDENTIALS_GENERATED_PATH="$(mktemp)" -# local tmp_heredoc="$(mktemp)" -# ( -# echo "#!/bin/sh" -# echo "cat <>${CREDENTIALS_GENERATED_PATH}" -# cat ${CREDENTIALS_TEMPLATE_PATH} -# echo "" -# echo "EOF" -# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc} -# source "$tmp_heredoc" -# } # Run cleanup even if script crashed trap cleanup 0 2 3 15 
@@ -224,15 +200,6 @@ case "$(kubectl get ns $VELERO_NAMESPACE 2>&1)" in esac printf "...Done" -# printf "\nWorking on credentials..." -# generateCredentialsFile -# kubectl create secret generic cloud-credentials \ -# --namespace "$VELERO_NAMESPACE" \ -# --from-file=cloud=$CREDENTIALS_GENERATED_PATH \ -# --dry-run=client -o yaml | -# kubectl apply -f - \ -# 2>&1 >/dev/null -printf "...Done" MYIP=$(curl http://ifconfig.me/ip) || { @@ -268,29 +235,6 @@ az storage account network-rule remove \ --output none \ --only-show-errors -# Velero custom RBAC clusterrole -RBAC_CLUSTERROLE="velero-admin" -printf "\nCreating $RBAC_CLUSTERROLE clusterrole..\n" -cat <&1 >/dev/null @@ -310,6 +254,7 @@ data: config: resourceGroup: "common-${RADIX_ZONE}" storageAccount: "$AZ_VELERO_STORAGE_ACCOUNT_ID" + useAAD: "true" volumeSnapshotLocation: - name: azure provider: azure diff --git a/terraform/subscriptions/modules/networkmanager/main.tf b/terraform/subscriptions/modules/networkmanager/main.tf deleted file mode 100644 index aab0e1885..000000000 --- a/terraform/subscriptions/modules/networkmanager/main.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "azurerm_network_manager" "networkmanager" { - name = "${var.subscription_shortname}-ANVM" - location = var.location - resource_group_name = var.resource_group - scope_accesses = ["Connectivity"] - description = "${var.subscription_shortname}-Azure Network Mananger - ${var.location}" - tags = { - IaC = "terraform" - } - - scope { - subscription_ids = ["/subscriptions/${var.subscription}"] - } -} diff --git a/terraform/subscriptions/modules/networkmanager/output.tf b/terraform/subscriptions/modules/networkmanager/output.tf deleted file mode 100644 index 732d7f160..000000000 --- a/terraform/subscriptions/modules/networkmanager/output.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "data" { - description = "Network mananger" - value = azurerm_network_manager.networkmanager -} 
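Review bot: The added `useAAD: "true"` in the backup storage location config makes Velero authenticate to blob storage with an Entra ID token instead of a storage key, so it only works once the identity Velero runs as holds a data-plane role on the account; the Storage Blob Data Contributor change in this patch's terraform hunks is that prerequisite, and if this script is run against a cluster before that assignment is applied the failure presumably surfaces at backup time rather than at install. A comment above the added line would tie the two together: `# useAAD: authenticate with the Velero identity's Entra ID token (needs Storage Blob Data Contributor on the account); no storage key or cloud-credentials secret is used`. The key is only honoured by plugin versions that know it, so the velero-plugin-for-microsoft-azure version pinned in the install step (outside this hunk) is worth checking against it.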
diff --git a/terraform/subscriptions/modules/networkmanager/variables.tf b/terraform/subscriptions/modules/networkmanager/variables.tf
deleted file mode 100644
index 10d1aec97..000000000
--- a/terraform/subscriptions/modules/networkmanager/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "location" {
- description = "Specifies the Azure Region where the Network Managers should exist. Changing this forces a new resource to be created."
- type = string
-}
-
-variable "subscription_shortname" {
- description = "The shortname to the subscription"
- type = string
-}
-
-variable "resource_group" {
- description = "Specifies the name of the Resource Group where the Network Managers should exist."
- type = string
-}
-
-variable "subscription" {
- description = "The subscription ID"
- type = string
-}
diff --git a/terraform/subscriptions/modules/networkmanager_connectivity/main.tf b/terraform/subscriptions/modules/networkmanager_connectivity/main.tf
deleted file mode 100644
index c55b58ed8..000000000
--- a/terraform/subscriptions/modules/networkmanager_connectivity/main.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "azurerm_network_manager_connectivity_configuration" "config" {
- name = "Hub-and-Spoke-${var.enviroment}"
- description = "Hub-and-Spoke config"
- network_manager_id = var.network_manager_id
- connectivity_topology = "HubAndSpoke"
- applies_to_group {
- group_connectivity = "None"
- network_group_id = var.network_group_id
- }
-
- hub {
- resource_id = var.vnethub_id
- resource_type = "Microsoft.Network/virtualNetworks"
- }
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/networkmanager_connectivity/output.tf b/terraform/subscriptions/modules/networkmanager_connectivity/output.tf
deleted file mode 100644
index 67cb16cdb..000000000
--- a/terraform/subscriptions/modules/networkmanager_connectivity/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "data" {
- description = "Networkmanager connectivity"
- value = azurerm_network_manager_connectivity_configuration.config
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/networkmanager_connectivity/variables.tf b/terraform/subscriptions/modules/networkmanager_connectivity/variables.tf
deleted file mode 100644
index 03c596949..000000000
--- a/terraform/subscriptions/modules/networkmanager_connectivity/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "enviroment" {
- description = "Enviroment (dev/playground/prod/c2)"
- type = string
-}
-
-variable "network_manager_id" {
- description = "Specifies the ID of the Network Manager"
- type = string
-}
-
-
-variable "network_group_id" {
- description = "Specifies the resource ID used as in Network group"
- type = string
-}
-variable "vnethub_id" {
- description = "Specifies the resource ID used as hub in Hub And Spoke"
- type = string
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/networkmanager_networkgroup/main.tf b/terraform/subscriptions/modules/networkmanager_networkgroup/main.tf
deleted file mode 100644
index 7d66f8596..000000000
--- a/terraform/subscriptions/modules/networkmanager_networkgroup/main.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "azurerm_network_manager_network_group" "group" {
- name = var.enviroment
- network_manager_id = var.network_manager_id
- description = "Network Group for ${var.enviroment} virtual networks"
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/networkmanager_networkgroup/output.tf b/terraform/subscriptions/modules/networkmanager_networkgroup/output.tf
deleted file mode 100644
index 4137296f2..000000000
--- a/terraform/subscriptions/modules/networkmanager_networkgroup/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "data" {
- description = "Network mananger - Networkgroup"
- value = azurerm_network_manager_network_group.group
-}
diff --git a/terraform/subscriptions/modules/networkmanager_networkgroup/variables.tf b/terraform/subscriptions/modules/networkmanager_networkgroup/variables.tf
deleted file mode 100644
index fc9fb4daa..000000000
--- a/terraform/subscriptions/modules/networkmanager_networkgroup/variables.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-variable "enviroment" {
- description = "Enviroment (dev/playground/prod/c2)"
- type = string
-}
-
-variable "network_manager_id" {
- description = "Specifies the ID of the Network Manager"
- type = string
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/policyassignment/main.tf b/terraform/subscriptions/modules/policyassignment/main.tf
deleted file mode 100644
index 93f981df6..000000000
--- a/terraform/subscriptions/modules/policyassignment/main.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-resource "azurerm_subscription_policy_assignment" "assignment" {
- display_name = "Kubernetes-vnets-in-${var.enviroment}"
- name = "Kubernetes-vnets-in-${var.enviroment}"
- location = var.location
- policy_definition_id = var.policy_id
- subscription_id = "/subscriptions/${var.subscription}"
- parameters = jsonencode({})
- identity {
- identity_ids = []
- type = "SystemAssigned"
- }
-}
diff --git a/terraform/subscriptions/modules/policyassignment/output.tf b/terraform/subscriptions/modules/policyassignment/output.tf
deleted file mode 100644
index 98477bb25..000000000
--- a/terraform/subscriptions/modules/policyassignment/output.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "data" {
- description = "Policy Assignment"
- value = azurerm_subscription_policy_assignment.assignment
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/modules/policyassignment/variables.tf b/terraform/subscriptions/modules/policyassignment/variables.tf
deleted file mode 100644
index f2600af37..000000000
--- a/terraform/subscriptions/modules/policyassignment/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "enviroment" {
- description = "Enviroment (dev/playground/prod/c2)"
- type = string
-}
-
-variable "location" {
- description = "Specifies the Azure Region where the Network Managers should exist. Changing this forces a new resource to be created."
- type = string
-}
-
-variable "policy_id" {
- description = "The ID of the Policy Definition or Policy Definition Set."
- type = string
-}
-
-variable "subscription" {
- description = "The ID of the Subscription where this Policy Assignment should be created"
- type = string
-}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/c2/clusters/main.tf b/terraform/subscriptions/s940/c2/clusters/main.tf
index c53fd4aee..e59461ec6 100644
--- a/terraform/subscriptions/s940/c2/clusters/main.tf
+++ b/terraform/subscriptions/s940/c2/clusters/main.tf
@@ -44,7 +44,7 @@ module "radix_id_velero_mi" {
 resource_group_name = "common-${module.config.environment}"
 roleassignments = {
 sac_user = {
- role = "Storage Account Contributor"
+ role = "Storage Blob Data Contributor"
 scope_id = data.azurerm_storage_account.velero.id
 }
 }
diff --git a/terraform/subscriptions/s940/extmon/clusters/main.tf b/terraform/subscriptions/s940/extmon/clusters/main.tf
index 8c8040321..aef0935aa 100644
--- a/terraform/subscriptions/s940/extmon/clusters/main.tf
+++ b/terraform/subscriptions/s940/extmon/clusters/main.tf
@@ -46,7 +46,7 @@ module "radix_id_velero_mi" {
 resource_group_name = "common-${module.config.environment}"
 roleassignments = {
 sac_user = {
- role = "Storage Account Contributor"
+ role = "Storage Blob Data Contributor"
 scope_id = data.azurerm_storage_account.velero.id
 }
 }
diff --git a/terraform/subscriptions/s940/prod/clusters/main.tf b/terraform/subscriptions/s940/prod/clusters/main.tf
index 13762d620..05267feff 100644
--- a/terraform/subscriptions/s940/prod/clusters/main.tf
+++ b/terraform/subscriptions/s940/prod/clusters/main.tf
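Review bot: The new data-plane role is still assigned at the whole storage account (`scope_id = data.azurerm_storage_account.velero.id`) while the second patch in this series creates one container per cluster in that account; if each cluster runs as its own federated identity, a container-scoped assignment would keep one cluster's backups out of reach of another, but if `radix_id_velero_mi` is one identity per environment the account scope is the appropriate one, so this is worth confirming rather than changing blindly. Storage Blob Data Contributor also drops the listKeys right that Storage Account Contributor carried, which is the right direction once the Velero backup location authenticates with `useAAD`, and the reason deserves a comment next to `role`: `# data-plane role for Velero's useAAD backup location; deliberately no listKeys/shared-key access`. The same role change appears in the extmon hunk on this line and in the prod hunk on the next, and the comment belongs in each.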
@@ -49,7 +49,7 @@ module "radix_id_velero_mi" {
 resource_group_name = "common-${module.config.environment}"
 roleassignments = {
 sac_user = {
- role = "Storage Account Contributor"
+ role = "Storage Blob Data Contributor"
 scope_id = data.azurerm_storage_account.velero.id
 }
 }
diff --git a/terraform/subscriptions/s940/prod/networkmanager/backend.tf b/terraform/subscriptions/s940/prod/networkmanager/backend.tf
deleted file mode 100644
index 490896a58..000000000
--- a/terraform/subscriptions/s940/prod/networkmanager/backend.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "<=3.100.0"
- }
- }
-
- backend "azurerm" {
- tenant_id = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
- subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
- #client_id = "043e5510-738f-4c30-8b9d-ee32578c7fe8"
- resource_group_name = "s940-tfstate"
- storage_account_name = "s940radixinfra"
- container_name = "infrastructure"
- key = "prod/networkmanager/terraform.tfstate"
- }
-}
-
-provider "azurerm" {
- subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
- features {
- }
-}
diff --git a/terraform/subscriptions/s940/prod/networkmanager/inputs.tf b/terraform/subscriptions/s940/prod/networkmanager/inputs.tf
deleted file mode 100644
index a2635f4cf..000000000
--- a/terraform/subscriptions/s940/prod/networkmanager/inputs.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-locals {
- policy_notcontains_name = "c2"
-
- external_outputs = {
- global = data.terraform_remote_state.global.outputs
- common = data.terraform_remote_state.common.outputs
- networkmanager = data.terraform_remote_state.networkmanager.outputs
- virtualnetwork = data.terraform_remote_state.virtualnetwork.outputs
- clusters = data.terraform_remote_state.clusters.outputs
- }
- ## Backend Config
- backend = {
- resource_group_name = "s940-tfstate"
- storage_account_name = "s940radixinfra"
- container_name = "infrastructure"
- subscription_id = "ded7ca41-37c8-4085-862f-b11d21ab341a"
- }
-}
-
-### Remote States
-## Common
-data "terraform_remote_state" "common" {
- backend = "azurerm"
- config = merge(
- local.backend,
- { key = "prod/common/terraform.tfstate" })
-}
-
-## Networkmananger
-data "terraform_remote_state" "networkmanager" {
- backend = "azurerm"
- config = merge(
- local.backend,
- { key = "prod/networkmanager/terraform.tfstate" })
-}
-
-## Virtualnetwork
-data "terraform_remote_state" "virtualnetwork" {
- backend = "azurerm"
- config = merge(
- local.backend,
- { key = "prod/virtualnetwork/terraform.tfstate" })
-}
-
-data "terraform_remote_state" "clusters" {
- backend = "azurerm"
- config = merge(
- local.backend,
- { key = "prod/clusters/terraform.tfstate" })
-}
-
-data "terraform_remote_state" "global" {
- backend = "azurerm"
- config = merge(
- local.backend,
- { key = "prod/globals/terraform.tfstate" })
-}
diff --git a/terraform/subscriptions/s940/prod/networkmanager/main.tf b/terraform/subscriptions/s940/prod/networkmanager/main.tf
deleted file mode 100644
index b6163151f..000000000
--- a/terraform/subscriptions/s940/prod/networkmanager/main.tf
+++ /dev/null
@@ -1,96 +0,0 @@ -module "config" { - source = "../../../modules/config" -} - - -data "azurerm_virtual_network" "this" { - name = "vnet-hub" - resource_group_name = "cluster-vnet-hub-prod" -} - -# resource "azurerm_network_manager" "networkmanager" { -# name = "${local.external_outputs.common.shared.AZ_SUBSCRIPTION_SHORTNAME}-ANVM" -# location = local.external_outputs.common.shared.location -# resource_group_name = local.external_outputs.clusters.outputs.clusters.resource_group -# scope_accesses = ["Connectivity"] -# description = "${local.external_outputs.common.shared.AZ_SUBSCRIPTION_SHORTNAME}-Azure Network Mananger - ${local.external_outputs.clusters.outputs.clusters.location}" - -# scope { -# subscription_ids = [data.azurerm_subscription.current.id] -# } -# } - -module "azurerm_network_manager" { - source = "../../../modules/networkmanager" - subscription_shortname = "s940" - location = module.config.location - resource_group = "clusters" - subscription = module.config.subscription -} - -module "azurerm_network_manager_network_group" { - source = "../../../modules/networkmanager_networkgroup" - enviroment = "prod" - network_manager_id = module.azurerm_network_manager.data.id -} - -module "azurerm_network_manager_connectivity_configuration" { - source = "../../../modules/networkmanager_connectivity" - enviroment = "prod" - network_manager_id = module.azurerm_network_manager.data.id - network_group_id = module.azurerm_network_manager_network_group.data.id - vnethub_id = data.azurerm_virtual_network.this.id -} - -resource "azurerm_policy_definition" "policy" { - name = "Kubernetes-vnets-in-prod" - policy_type = "Custom" - mode = "Microsoft.Network.Data" - display_name = "Kubernetes vnets in prod" - - metadata = < Date: Tue, 7 May 2024 13:24:13 +0200 Subject: [PATCH 2/2] Containers in Storage Accounts --- .../c2/post-clusters/storageaccount-container.tf | 14 ++++++++++++++ .../post-clusters/storageaccount-container.tf | 14 ++++++++++++++ 
.../prod/post-clusters/storageaccount-container.tf | 14 ++++++++++++++
.../dev/post-clusters/storageaccount-container.tf | 14 ++++++++++++++
.../post-clusters/storageaccount-container.tf | 14 ++++++++++++++
5 files changed, 70 insertions(+)
create mode 100644 terraform/subscriptions/s940/c2/post-clusters/storageaccount-container.tf
create mode 100644 terraform/subscriptions/s940/extmon/post-clusters/storageaccount-container.tf
create mode 100644 terraform/subscriptions/s940/prod/post-clusters/storageaccount-container.tf
create mode 100644 terraform/subscriptions/s941/dev/post-clusters/storageaccount-container.tf
create mode 100644 terraform/subscriptions/s941/playground/post-clusters/storageaccount-container.tf
diff --git a/terraform/subscriptions/s940/c2/post-clusters/storageaccount-container.tf b/terraform/subscriptions/s940/c2/post-clusters/storageaccount-container.tf
new file mode 100644
index 000000000..45ec9cdba
--- /dev/null
+++ b/terraform/subscriptions/s940/c2/post-clusters/storageaccount-container.tf
@@ -0,0 +1,14 @@
+data "azurerm_storage_account" "this" {
+ name = "radixvelero${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+}
+
+resource "azurerm_storage_container" "this" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = data.azurerm_storage_account.this.name
+ container_access_type = "private"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/extmon/post-clusters/storageaccount-container.tf b/terraform/subscriptions/s940/extmon/post-clusters/storageaccount-container.tf
new file mode 100644
index 000000000..45ec9cdba
--- /dev/null
+++ b/terraform/subscriptions/s940/extmon/post-clusters/storageaccount-container.tf
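Review bot: `for_each = module.clusters.oidc_issuer_url` iterates the issuer-URL map only for its keys, which reads as if the container had something to do with OIDC; naming the intent, `for_each = toset(keys(module.clusters.oidc_issuer_url)) # one private backup container per cluster`, or exposing a cluster-name set from the clusters module, makes the resource self-explanatory. The container name `each.key` is passed through unvalidated while Azure container names must be 3–63 lowercase letters, digits and hyphens, so if a cluster name can ever carry uppercase or underscores the apply fails; wrapping it in `lower()` or adding a lifecycle `precondition` records that assumption where it bites. The same file is added unchanged (blob 45ec9cdba) for extmon, prod, dev and playground; a shared module under terraform/subscriptions/modules, in the style of the modules this series otherwise maintains, would keep the five copies from drifting.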
@@ -0,0 +1,14 @@
+data "azurerm_storage_account" "this" {
+ name = "radixvelero${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+}
+
+resource "azurerm_storage_container" "this" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = data.azurerm_storage_account.this.name
+ container_access_type = "private"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s940/prod/post-clusters/storageaccount-container.tf b/terraform/subscriptions/s940/prod/post-clusters/storageaccount-container.tf
new file mode 100644
index 000000000..45ec9cdba
--- /dev/null
+++ b/terraform/subscriptions/s940/prod/post-clusters/storageaccount-container.tf
@@ -0,0 +1,14 @@
+data "azurerm_storage_account" "this" {
+ name = "radixvelero${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+}
+
+resource "azurerm_storage_container" "this" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = data.azurerm_storage_account.this.name
+ container_access_type = "private"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/dev/post-clusters/storageaccount-container.tf b/terraform/subscriptions/s941/dev/post-clusters/storageaccount-container.tf
new file mode 100644
index 000000000..45ec9cdba
--- /dev/null
+++ b/terraform/subscriptions/s941/dev/post-clusters/storageaccount-container.tf
@@ -0,0 +1,14 @@
+data "azurerm_storage_account" "this" {
+ name = "radixvelero${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+}
+
+resource "azurerm_storage_container" "this" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = data.azurerm_storage_account.this.name
+ container_access_type = "private"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/subscriptions/s941/playground/post-clusters/storageaccount-container.tf b/terraform/subscriptions/s941/playground/post-clusters/storageaccount-container.tf
new file mode 100644
index 000000000..45ec9cdba
--- /dev/null
+++ b/terraform/subscriptions/s941/playground/post-clusters/storageaccount-container.tf
@@ -0,0 +1,14 @@
+data "azurerm_storage_account" "this" {
+ name = "radixvelero${module.config.environment}"
+ resource_group_name = module.config.common_resource_group
+}
+
+resource "azurerm_storage_container" "this" {
+ for_each = module.clusters.oidc_issuer_url
+ name = each.key
+ storage_account_name = data.azurerm_storage_account.this.name
+ container_access_type = "private"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
\ No newline at end of file