Reverted multiple-scope due to complexity introduced. Added ability to restrict assignments to ServicePrincipal only.

2026-02-23 21:16:04 +01:00
parent b20b9c4494
commit 84faa4d027
4 changed files with 33 additions and 65 deletions


@@ -12,7 +12,7 @@ The constrained RBAC Administrator assignment is created only when `delegable_ro
module "iam" {
source = "../modules/simple-iam"
scopes = [data.azurerm_subscription.current.id]
scope = data.azurerm_subscription.current.id
principal_id = azuread_service_principal.sp.object_id
roles = [
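Review bot: the usage example is updated for the `scope` rename but, in the visible lines, does not show the new `delegable_roles_to_sp_only` input this commit introduces; unless it is set further down in the example, add `delegable_roles_to_sp_only = true` next to `delegable_roles` so readers see how the ServicePrincipal restriction is enabled in context.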
@@ -32,9 +32,9 @@ module "iam" {
## Inputs
- `scopes` (list(string)): Scope IDs at which to assign roles.
- `scope` (string): Scope ID at which to assign roles.
- `principal_id` (string): Object ID of the principal.
- `roles` (list(string)): Unconditional role definition names to assign at each scope in `scopes`.
- `roles` (list(string)): Unconditional role definition names to assign.
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
- `delegable_roles_to_sp_only` (bool): When true, RBAC Admin delegation can only assign/delete roles to principals of type ServicePrincipal.
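Review bot: the `delegable_roles_to_sp_only` entry does not state its default value or how it interacts with `delegable_roles`; document the default (a false default keeps existing callers on their current behaviour) and say explicitly that the flag has no effect when `delegable_roles` is empty, since the entry above says RBAC Admin is not assigned in that case. It would also help to note that this flag restricts the principal type of the assignments the delegate may create, which is distinct from the `principal_type` input that describes the module's own principal.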
@@ -42,5 +42,5 @@ module "iam" {
## Outputs
- `role_assignment_ids` (map(string))
- `rbac_admin_role_assignment_id` (map(string))
- `rbac_admin_role_assignment_id` (string|null)
- `rbac_admin_condition` (string|null)
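Review bot: changing `rbac_admin_role_assignment_id` from `map(string)` to a single value is a breaking change for any caller that indexed the old map, and the commit message only mentions reverting multiple-scope; call the output change out explicitly. Also, `string|null` is not a Terraform type expression; writing "(string, null when `delegable_roles` is empty)" for both outputs ties the null case to the condition already documented under Inputs.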