Remove unnecessary input.
This commit is contained in:
@@ -27,7 +27,6 @@ module "iam" {
|
||||
|
||||
# Optional
|
||||
principal_type = "ServicePrincipal"
|
||||
skip_service_principal_aad_check = true
|
||||
}
|
||||
```
|
||||
|
||||
@@ -38,7 +37,6 @@ module "iam" {
|
||||
- `roles` (list(string)): Unconditional role definition names to assign.
|
||||
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
|
||||
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
|
||||
- `skip_service_principal_aad_check` (bool): Passed to `azurerm_role_assignment.skip_service_principal_aad_check`.
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
14
main.tf
14
main.tf
@@ -1,5 +1,4 @@
|
||||
locals {
|
||||
|
||||
allowed_role_definition_ids_list = join(", ", [
|
||||
for name in var.delegable_roles :
|
||||
basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
|
||||
@@ -28,6 +27,13 @@ locals {
|
||||
EOT
|
||||
}
|
||||
|
||||
data "azurerm_role_definition" "rbac_admin" {
|
||||
count = length(var.delegable_roles) > 0 ? 1 : 0
|
||||
|
||||
name = "Role Based Access Control Administrator"
|
||||
scope = var.scope
|
||||
}
|
||||
|
||||
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
|
||||
|
||||
for_each = toset(var.delegable_roles)
|
||||
@@ -44,7 +50,7 @@ resource "azurerm_role_assignment" "role" {
|
||||
role_definition_name = each.value
|
||||
principal_id = var.principal_id
|
||||
principal_type = var.principal_type
|
||||
skip_service_principal_aad_check = var.skip_service_principal_aad_check
|
||||
skip_service_principal_aad_check = true
|
||||
}
|
||||
|
||||
resource "azurerm_role_assignment" "rbac_admin" {
|
||||
@@ -52,10 +58,10 @@ resource "azurerm_role_assignment" "rbac_admin" {
|
||||
count = length(var.delegable_roles) > 0 ? 1 : 0
|
||||
|
||||
scope = var.scope
|
||||
role_definition_name = "Role Based Access Control Administrator"
|
||||
role_definition_id = data.azurerm_role_definition.rbac_admin[0].id # Role Based Access Control Administrator
|
||||
principal_id = var.principal_id
|
||||
principal_type = var.principal_type
|
||||
skip_service_principal_aad_check = var.skip_service_principal_aad_check
|
||||
skip_service_principal_aad_check = true
|
||||
|
||||
condition_version = "2.0"
|
||||
condition = local.rbac_admin_condition
|
||||
|
||||
@@ -35,9 +35,3 @@ variable "principal_type" {
|
||||
default = "ServicePrincipal"
|
||||
description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)."
|
||||
}
|
||||
|
||||
variable "skip_service_principal_aad_check" {
|
||||
type = bool
|
||||
default = true
|
||||
description = "Whether to skip the Azure AD check for service principals."
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user