Remove unnecessary input.

This commit is contained in:
2026-02-23 20:25:13 +01:00
parent d2221a1abb
commit 7c641d5e5c
3 changed files with 10 additions and 12 deletions


@@ -27,7 +27,6 @@ module "iam" {
# Optional # Optional
principal_type = "ServicePrincipal" principal_type = "ServicePrincipal"
skip_service_principal_aad_check = true
} }
``` ```
@@ -38,7 +37,6 @@ module "iam" {
- `roles` (list(string)): Unconditional role definition names to assign. - `roles` (list(string)): Unconditional role definition names to assign.
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned. - `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`. - `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
- `skip_service_principal_aad_check` (bool): Passed to `azurerm_role_assignment.skip_service_principal_aad_check`.
## Outputs ## Outputs

14
main.tf

@@ -1,5 +1,4 @@
locals { locals {
allowed_role_definition_ids_list = join(", ", [ allowed_role_definition_ids_list = join(", ", [
for name in var.delegable_roles : for name in var.delegable_roles :
basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id) basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
@@ -28,6 +27,13 @@ locals {
EOT EOT
} }
data "azurerm_role_definition" "rbac_admin" {
count = length(var.delegable_roles) > 0 ? 1 : 0
name = "Role Based Access Control Administrator"
scope = var.scope
}
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" { data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
for_each = toset(var.delegable_roles) for_each = toset(var.delegable_roles)
@@ -44,7 +50,7 @@ resource "azurerm_role_assignment" "role" {
role_definition_name = each.value role_definition_name = each.value
principal_id = var.principal_id principal_id = var.principal_id
principal_type = var.principal_type principal_type = var.principal_type
skip_service_principal_aad_check = var.skip_service_principal_aad_check skip_service_principal_aad_check = true
} }
resource "azurerm_role_assignment" "rbac_admin" { resource "azurerm_role_assignment" "rbac_admin" {
@@ -52,10 +58,10 @@ resource "azurerm_role_assignment" "rbac_admin" {
count = length(var.delegable_roles) > 0 ? 1 : 0 count = length(var.delegable_roles) > 0 ? 1 : 0
scope = var.scope scope = var.scope
role_definition_name = "Role Based Access Control Administrator" role_definition_id = data.azurerm_role_definition.rbac_admin[0].id # Role Based Access Control Administrator
principal_id = var.principal_id principal_id = var.principal_id
principal_type = var.principal_type principal_type = var.principal_type
skip_service_principal_aad_check = var.skip_service_principal_aad_check skip_service_principal_aad_check = true
condition_version = "2.0" condition_version = "2.0"
condition = local.rbac_admin_condition condition = local.rbac_admin_condition
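Review bot: Hard-coding `skip_service_principal_aad_check = true` on both `azurerm_role_assignment.role` and `azurerm_role_assignment.rbac_admin` conflicts with `var.principal_type`, which variables.tf still documents as accepting `User` or `Group` alongside `ServicePrincipal`. The provider documents this argument as valid only when the principal is a service principal, so a caller passing a user or group principal would, as far as I can tell, now get a failing assignment instead of the working one the variable previously allowed. Deriving the flag from the type keeps today's behavior for the default case while staying correct for the others: `skip_service_principal_aad_check = var.principal_type == "ServicePrincipal"` in both resources. The `rbac_admin` resource block continues past the end of the hunk.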


@@ -35,9 +35,3 @@ variable "principal_type" {
default = "ServicePrincipal" default = "ServicePrincipal"
description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)." description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)."
} }
variable "skip_service_principal_aad_check" {
type = bool
default = true
description = "Whether to skip the Azure AD check for service principals."
}