slawek/terraform-azurerm-simple-iam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance the module to allow multiple scope assignments.

Browse Source
This commit is contained in:
Sławek Koszewski
2026-02-23 21:05:08 +01:00
parent 7c641d5e5c
commit b20b9c4494
4 changed files with 77 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
main.tf
View File

@@ -1,9 +1,45 @@
locals {
lookup_scope = var.scopes[0]
allowed_role_definition_ids_list = join(", ", [
for name in var.delegable_roles :
basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
])
role_assignments = {
for entry in flatten([
for scope in var.scopes : [
for role in var.roles : {
key = "${scope}:${role}"
scope = scope
role = role
}
]
]) :
entry.key => {
scope = entry.scope
role = entry.role
}
}
rbac_admin_write_constraint_role_definition_ids = "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
rbac_admin_delete_constraint_role_definition_ids = "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_write_constraint = (
var.delegable_roles_to_sp_only ?
"(${local.rbac_admin_write_constraint_role_definition_ids} AND ${local.rbac_admin_write_constraint_principal_type})" :
"(${local.rbac_admin_write_constraint_role_definition_ids})"
)
rbac_admin_delete_constraint = (
var.delegable_roles_to_sp_only ?
"(${local.rbac_admin_delete_constraint_role_definition_ids} AND ${local.rbac_admin_delete_constraint_principal_type})" :
"(${local.rbac_admin_delete_constraint_role_definition_ids})"
)
rbac_admin_condition = <<-EOT
(
(
@@ -11,7 +47,7 @@ locals {
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
${local.rbac_admin_write_constraint}
)
)
AND
@@ -21,17 +57,17 @@ locals {
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
${local.rbac_admin_delete_constraint}
)
)
EOT
}
data "azurerm_role_definition" "rbac_admin" {
count = length(var.delegable_roles) > 0 ? 1 : 0
for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
name = "Role Based Access Control Administrator"
scope = var.scope
scope = local.lookup_scope
}
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
@@ -39,15 +75,15 @@ data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
for_each = toset(var.delegable_roles)
name = each.value
scope = var.scope
scope = local.lookup_scope
}
resource "azurerm_role_assignment" "role" {
for_each = toset(var.roles)
for_each = local.role_assignments
scope = var.scope
role_definition_name = each.value
scope = each.value.scope
role_definition_name = each.value.role
principal_id = var.principal_id
principal_type = var.principal_type
skip_service_principal_aad_check = true
@@ -55,10 +91,10 @@ resource "azurerm_role_assignment" "role" {
resource "azurerm_role_assignment" "rbac_admin" {
count = length(var.delegable_roles) > 0 ? 1 : 0
for_each = length(var.delegable_roles) > 0 ? toset(var.scopes) : toset([])
scope = var.scope
role_definition_id = data.azurerm_role_definition.rbac_admin[0].id # Role Based Access Control Administrator
scope = each.value
role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
principal_id = var.principal_id
principal_type = var.principal_type
skip_service_principal_aad_check = true