Enhance the module to allow multiple scope assignments.

variables.tf

@@ -1,6 +1,15 @@
-variable "scope" {
-  type        = string
-  description = "Scope ID at which to assign roles (subscription, resource group, resource, etc.)."
+variable "scopes" {
+  type        = list(string)
+  description = "Scope IDs at which to assign roles (subscription, resource group, resource, etc.)."
+
+  validation {
+    condition = (
+      length(var.scopes) > 0 &&
+      alltrue([for scope in var.scopes : scope != null && trimspace(scope) != ""]) &&
+      length(distinct(var.scopes)) == length(var.scopes)
+    )
+    error_message = "scopes must be a non-empty list of unique, non-empty strings."
+  }
 }
 
 variable "principal_id" {
@@ -11,7 +20,7 @@ variable "principal_id" {
 variable "roles" {
   type        = list(string)
   default     = []
-  description = "Unconditional role definition names to assign to principal_id at scope."
+  description = "Unconditional role definition names to assign to principal_id at each scope in scopes."
 
   validation {
     condition     = length(distinct(var.roles)) == length(var.roles)
@@ -35,3 +44,9 @@ variable "principal_type" {
   default     = "ServicePrincipal"
   description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)."
 }
+
+variable "delegable_roles_to_sp_only" {
+  type        = bool
+  default     = false
+  description = "When true, the RBAC Admin conditional delegation allows roleAssignments write/delete only when the target principal type is ServicePrincipal."
+}