Enhance examples and documentation for role assignments, adding scenarios for multiple principals and role constraints

2026-02-27 19:30:42 +01:00
parent 6b6615b7d3
commit b7594f4a5f
8 changed files with 366 additions and 12 deletions
--- a/examples/scenario-2.tf
+++ b/examples/scenario-2.tf
@@ -0,0 +1,48 @@
+# Scenario: A single principal with unconditional roles at different scopes.
+
+variable "principal" {
+  type = object({
+    principal_name = string
+    principal_id   = string
+    principal_type = string
+  })
+
+  default = {
+    principal_name = "sp-platform-ops"
+    principal_id   = "00000000-0000-0000-0000-000000000001"
+    principal_type = "ServicePrincipal"
+  }
+}
+
+variable "role_assignments" {
+  type = map(object({
+    scope = string
+    roles = list(string)
+  }))
+
+  default = {
+    subscription = {
+      scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
+      roles = ["Reader"]
+    }
+    rg_platform = {
+      scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform"
+      roles = ["Contributor"]
+    }
+    rg_security = {
+      scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
+      roles = ["Log Analytics Contributor", "Monitoring Reader"]
+    }
+  }
+}
+
+module "simple_iam" {
+  source = "../modules/terraform-azurerm-simple-iam"
+
+  scope          = each.value.scope
+  principal_id   = var.principal.principal_id
+  principal_type = var.principal.principal_type
+  roles          = each.value.roles
+
+  for_each = var.role_assignments
+}