Enhance examples and documentation for role assignments, adding scenarios for multiple principals and role constraints

2026-02-27 19:30:42 +01:00
parent 6b6615b7d3
commit b7594f4a5f
8 changed files with 366 additions and 12 deletions

examples/scenario-1.tf Normal file

@@ -0,0 +1,48 @@
# Scenario: Multiple principals with different role assignments at the same scope
variable "principals" {
type = map(object({
principal_name = string
principal_type = string
roles = list(string)
delegable_roles = optional(list(string))
restricted_roles = optional(list(string))
}))
default = {
principal1 = {
principal_name = "sp-principal1"
principal_type = "User"
roles = ["Reader"]
}
principal2 = {
principal_name = "sg-admins"
principal_type = "Group"
roles = ["Contributor"]
}
principal3 = {
principal_name = "john.doe@example.com"
principal_type = "User"
roles = ["Owner"]
restricted_roles = [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
}
}
}
module "simple_iam" {
source = "../modules/terraform-azurerm-simple-iam"
scope = data.azurerm_subscription.current.id
principal_id = each.value.principal_id
principal_type = each.value.principal_type
roles = each.value.roles
delegable_roles = try(each.value.delegable_roles, [])
restricted_roles = try(each.value.restricted_roles, [])
for_each = var.principals
}
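Review bot: `principal_id = each.value.principal_id` on the module call reads an attribute that the `principals` object type does not declare (it has `principal_name`, `principal_type`, `roles` and the two optional lists), so `terraform validate` will reject this example with an unsupported-attribute error; either add `principal_id = string` to the object type and to each default entry (and to the matching tfvars JSON in this commit) or resolve the name to an id before the call. The `scope` value references `data.azurerm_subscription.current`, which is not declared in this file; if it lives elsewhere in the examples directory a comment saying so would help. Separately, `try(each.value.delegable_roles, [])` does not substitute `[]` for an omitted attribute: `optional(list(string))` without a default yields null, which `try` returns unchanged because evaluating it does not error, so the module receives null rather than an empty list; `optional(list(string), [])` in the type (or `coalesce(each.value.delegable_roles, [])`) gives the intended value, and the same pattern appears in scenario-3.tf's `locals` block.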


@@ -0,0 +1,30 @@
{
"principals": {
"principal1": {
"principal_name": "sp-principal1",
"principal_type": "User",
"roles": [
"Reader"
]
},
"principal2": {
"principal_name": "sg-admins",
"principal_type": "Group",
"roles": [
"Contributor"
]
},
"principal3": {
"principal_name": "john.doe@example.com",
"principal_type": "User",
"roles": [
"Owner"
],
"restricted_roles": [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
}
}
}

examples/scenario-2.tf Normal file

@@ -0,0 +1,48 @@
# Scenario: A single principal with unconditional roles at different scopes.
variable "principal" {
type = object({
principal_name = string
principal_id = string
principal_type = string
})
default = {
principal_name = "sp-platform-ops"
principal_id = "00000000-0000-0000-0000-000000000001"
principal_type = "ServicePrincipal"
}
}
variable "role_assignments" {
type = map(object({
scope = string
roles = list(string)
}))
default = {
subscription = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
roles = ["Reader"]
}
rg_platform = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform"
roles = ["Contributor"]
}
rg_security = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
roles = ["Log Analytics Contributor", "Monitoring Reader"]
}
}
}
module "simple_iam" {
source = "../modules/terraform-azurerm-simple-iam"
scope = each.value.scope
principal_id = var.principal.principal_id
principal_type = var.principal.principal_type
roles = each.value.roles
for_each = var.role_assignments
}
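Review bot: `principal_name` is declared in the `principal` object but never passed to the module, which is keyed only on `principal_id` and `principal_type`, so a reader may assume the name is resolved to an identity; a comment on the attribute such as `# informational only: the module assigns by principal_id, not by name` would make that explicit, and the same applies to `principal_name` in scenario-3.tf. None of the variables in this file carry a `description`, nor do those in scenario-1.tf and scenario-3.tf; a one-line `description = "..."` on each, stating the scope format expected (full resource IDs as in the defaults) and that `roles` are built-in role names, would let `terraform-docs` and the module consumer see the contract without reading the defaults.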


@@ -0,0 +1,28 @@
{
"principal": {
"principal_name": "sp-platform-ops",
"principal_id": "00000000-0000-0000-0000-000000000001",
"principal_type": "ServicePrincipal"
},
"role_assignments": {
"subscription": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"roles": [
"Reader"
]
},
"rg_platform": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform",
"roles": [
"Contributor"
]
},
"rg_security": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security",
"roles": [
"Log Analytics Contributor",
"Monitoring Reader"
]
}
}
}

examples/scenario-3.tf Normal file

@@ -0,0 +1,100 @@
# Scenario: Multiple principals given roles at multiple scopes.
variable "principals" {
type = map(object({
principal_name = string
principal_id = string
principal_type = string
role_assignments = map(object({
scope = string
roles = list(string)
delegable_roles = optional(list(string))
restricted_roles = optional(list(string))
}))
}))
default = {
principal1 = {
principal_name = "sp-app-ops"
principal_id = "00000000-0000-0000-0000-000000000011"
principal_type = "ServicePrincipal"
role_assignments = {
subscription = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
roles = ["Reader"]
delegable_roles = [
"Reader",
"Contributor"
]
}
rg_app = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
roles = ["Contributor"]
delegable_roles = [
"Reader",
"Contributor"
]
}
}
}
principal2 = {
principal_name = "sg-security-reviewers"
principal_id = "00000000-0000-0000-0000-000000000022"
principal_type = "Group"
role_assignments = {
rg_security = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
roles = ["Owner"]
restricted_roles = [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
}
rg_logs = {
scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
roles = ["Role Based Access Control Administrator"]
restricted_roles = [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
}
}
}
}
}
locals {
role_assignments = {
for item in flatten([
for principal_key, principal in var.principals : [
for assignment_key, assignment in principal.role_assignments : {
key = "${principal_key}_${assignment_key}"
value = {
scope = assignment.scope
roles = assignment.roles
principal_id = principal.principal_id
principal_type = principal.principal_type
delegable_roles = try(assignment.delegable_roles, [])
restricted_roles = try(assignment.restricted_roles, [])
}
}
]
]) : item.key => item.value
}
}
module "simple_iam" {
source = "../modules/terraform-azurerm-simple-iam"
scope = each.value.scope
principal_id = each.value.principal_id
principal_type = each.value.principal_type
roles = each.value.roles
delegable_roles = each.value.delegable_roles
restricted_roles = each.value.restricted_roles
for_each = local.role_assignments
}
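Review bot: The composite key `"${principal_key}_${assignment_key}"` in `locals.role_assignments` can collide when the caller's map keys themselves contain underscores (principal `a_b` with assignment `c` and principal `a` with assignment `b_c` both yield `a_b_c`), and the `for` expression then fails with a duplicate-object-key error at plan time rather than producing both assignments; a separator that is unlikely to appear in a map key, e.g. `key = "${principal_key}/${assignment_key}"`, avoids this, and a comment above the `locals` block stating that the key becomes the module instance address would tell readers why the format matters. The flattening itself is otherwise sound, since `scope`, `roles` and the principal fields are copied through unchanged.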


@@ -0,0 +1,60 @@
{
"principals": {
"principal1": {
"principal_name": "sp-app-ops",
"principal_id": "00000000-0000-0000-0000-000000000011",
"principal_type": "ServicePrincipal",
"role_assignments": {
"subscription": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"roles": [
"Reader"
],
"delegable_roles": [
"Reader",
"Contributor"
]
},
"rg_app": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app",
"roles": [
"Contributor"
],
"delegable_roles": [
"Reader",
"Contributor"
]
}
}
},
"principal2": {
"principal_name": "sg-security-reviewers",
"principal_id": "00000000-0000-0000-0000-000000000022",
"principal_type": "Group",
"role_assignments": {
"rg_security": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security",
"roles": [
"Owner"
],
"restricted_roles": [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
},
"rg_logs": {
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs",
"roles": [
"Role Based Access Control Administrator"
],
"restricted_roles": [
"Owner",
"User Access Administrator",
"Role Based Access Control Administrator"
]
}
}
}
}
}