Refactor role assignment clauses to support conditional logic for ServicePrincipal only assignments

main.tf

@@ -7,6 +7,36 @@ locals {
   rbac_admin_write_constraint_principal_type  = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
   rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
 
+  rbac_admin_write_clause = (
+    var.delegable_roles_to_sp_only ?
+    <<-EOT
+    (
+      @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
+    )
+    AND
+    (
+      ${local.rbac_admin_write_constraint_principal_type}
+    )
+    EOT
+    :
+    "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
+  )
+
+  rbac_admin_delete_clause = (
+    var.delegable_roles_to_sp_only ?
+    <<-EOT
+    (
+      @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
+    )
+    AND
+    (
+      ${local.rbac_admin_delete_constraint_principal_type}
+    )
+    EOT
+    :
+    "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
+  )
+
   rbac_admin_condition = <<-EOT
   (
     (
@@ -14,10 +44,7 @@ locals {
     )
     OR
     (
-      (
-        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
-      )
-      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_write_constraint_principal_type})" : ""}
+      ${trimspace(local.rbac_admin_write_clause)}
     )
   )
   AND
@@ -27,10 +54,7 @@ locals {
     )
     OR
     (
-      (
-        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
-      )
-      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_delete_constraint_principal_type})" : ""}
+      ${trimspace(local.rbac_admin_delete_clause)}
     )
   )
   EOT