Reverted multiple-scope due to complexity introduced. Added ability to restrict assignments to ServicePrincipal only.

2026-02-23 21:16:04 +01:00
parent b20b9c4494
commit 84faa4d027
4 changed files with 33 additions and 65 deletions
--- a/main.tf
+++ b/main.tf
@@ -1,45 +1,12 @@
 locals {
-  lookup_scope = var.scopes[0]
-
  allowed_role_definition_ids_list = join(", ", [
    for name in var.delegable_roles :
-    basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
+    basename(data.azurerm_role_definition.delegable[name].id)
  ])

-  role_assignments = {
-    for entry in flatten([
-      for scope in var.scopes : [
-        for role in var.roles : {
-          key   = "${scope}:${role}"
-          scope = scope
-          role  = role
-        }
-      ]
-    ]) :
-    entry.key => {
-      scope = entry.scope
-      role  = entry.role
-    }
-  }
-
-  rbac_admin_write_constraint_role_definition_ids = "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
-  rbac_admin_delete_constraint_role_definition_ids = "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
-
-  rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
+  rbac_admin_write_constraint_principal_type  = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
  rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"

-  rbac_admin_write_constraint = (
-    var.delegable_roles_to_sp_only ?
-    "(${local.rbac_admin_write_constraint_role_definition_ids} AND ${local.rbac_admin_write_constraint_principal_type})" :
-    "(${local.rbac_admin_write_constraint_role_definition_ids})"
-  )
-
-  rbac_admin_delete_constraint = (
-    var.delegable_roles_to_sp_only ?
-    "(${local.rbac_admin_delete_constraint_role_definition_ids} AND ${local.rbac_admin_delete_constraint_principal_type})" :
-    "(${local.rbac_admin_delete_constraint_role_definition_ids})"
-  )
-
  rbac_admin_condition = <<-EOT
  (
    (
@@ -47,7 +14,10 @@ locals {
    )
    OR
    (
-      ${local.rbac_admin_write_constraint}
+      (
+        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
+      )
+      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_write_constraint_principal_type})" : ""}
    )
  )
  AND
@@ -57,7 +27,10 @@ locals {
    )
    OR
    (
-      ${local.rbac_admin_delete_constraint}
+      (
+        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
+      )
+      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_delete_constraint_principal_type})" : ""}
    )
  )
  EOT
@@ -67,23 +40,22 @@ data "azurerm_role_definition" "rbac_admin" {
  for_each = length(var.delegable_roles) > 0 ? { this = true } : {}

  name  = "Role Based Access Control Administrator"
-  scope = local.lookup_scope
+  scope = var.scope
 }

-data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
-
+data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)

  name  = each.value
-  scope = local.lookup_scope
+  scope = var.scope
 }

 resource "azurerm_role_assignment" "role" {

-  for_each = local.role_assignments
+  for_each = toset(var.roles)

-  scope                            = each.value.scope
-  role_definition_name             = each.value.role
+  scope                            = var.scope
+  role_definition_name             = each.value
  principal_id                     = var.principal_id
  principal_type                   = var.principal_type
  skip_service_principal_aad_check = true
@@ -91,9 +63,9 @@ resource "azurerm_role_assignment" "role" {

 resource "azurerm_role_assignment" "rbac_admin" {

-  for_each = length(var.delegable_roles) > 0 ? toset(var.scopes) : toset([])
+  for_each = length(var.delegable_roles) > 0 ? { this = true } : {}

-  scope                            = each.value
+  scope                            = var.scope
  role_definition_id               = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
  principal_id                     = var.principal_id
  principal_type                   = var.principal_type