slawek/terraform-azurerm-simple-iam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor role assignment clauses to support conditional logic for ServicePrincipal only assignments

Browse Source
This commit is contained in:
Sławek Koszewski
2026-02-23 22:12:19 +01:00
parent 84faa4d027
commit 04de6345d8
1 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
main.tf
View File

@@ -7,6 +7,36 @@ locals {
rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}" rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}" rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_write_clause = (
var.delegable_roles_to_sp_only ?
<<-EOT
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
)
AND
(
${local.rbac_admin_write_constraint_principal_type}
)
EOT
:
"@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
)
rbac_admin_delete_clause = (
var.delegable_roles_to_sp_only ?
<<-EOT
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
)
AND
(
${local.rbac_admin_delete_constraint_principal_type}
)
EOT
:
"@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
)
rbac_admin_condition = <<-EOT rbac_admin_condition = <<-EOT
( (
( (
@@ -14,10 +44,7 @@ locals {
) )
OR OR
( (
( ${trimspace(local.rbac_admin_write_clause)}
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
)
${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_write_constraint_principal_type})" : ""}
) )
) )
AND AND
@@ -27,10 +54,7 @@ locals {
) )
OR OR
( (
( ${trimspace(local.rbac_admin_delete_clause)}
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
)
${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_delete_constraint_principal_type})" : ""}
) )
) )
EOT EOT