Enhance examples and documentation for role assignments, adding scenarios for multiple principals and role constraints

2026-02-27 19:30:42 +01:00
parent 6b6615b7d3
commit b7594f4a5f
8 changed files with 366 additions and 12 deletions
--- a/examples/scenario-3.tf
+++ b/examples/scenario-3.tf
@@ -0,0 +1,100 @@
+# Scenario: Multiple principals given roles at multiple scopes.
+
+variable "principals" {
+  type = map(object({
+    principal_name = string
+    principal_id   = string
+    principal_type = string
+    role_assignments = map(object({
+      scope            = string
+      roles            = list(string)
+      delegable_roles  = optional(list(string))
+      restricted_roles = optional(list(string))
+    }))
+  }))
+
+  default = {
+    principal1 = {
+      principal_name = "sp-app-ops"
+      principal_id   = "00000000-0000-0000-0000-000000000011"
+      principal_type = "ServicePrincipal"
+      role_assignments = {
+        subscription = {
+          scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
+          roles = ["Reader"]
+          delegable_roles = [
+            "Reader",
+            "Contributor"
+          ]
+        }
+        rg_app = {
+          scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
+          roles = ["Contributor"]
+          delegable_roles = [
+            "Reader",
+            "Contributor"
+          ]
+        }
+      }
+    }
+
+    principal2 = {
+      principal_name = "sg-security-reviewers"
+      principal_id   = "00000000-0000-0000-0000-000000000022"
+      principal_type = "Group"
+      role_assignments = {
+        rg_security = {
+          scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
+          roles = ["Owner"]
+          restricted_roles = [
+            "Owner",
+            "User Access Administrator",
+            "Role Based Access Control Administrator"
+          ]
+        }
+        rg_logs = {
+          scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
+          roles = ["Role Based Access Control Administrator"]
+          restricted_roles = [
+            "Owner",
+            "User Access Administrator",
+            "Role Based Access Control Administrator"
+          ]
+        }
+      }
+    }
+  }
+}
+
+locals {
+  role_assignments = {
+    for item in flatten([
+      for principal_key, principal in var.principals : [
+        for assignment_key, assignment in principal.role_assignments : {
+          key = "${principal_key}_${assignment_key}"
+          value = {
+            scope            = assignment.scope
+            roles            = assignment.roles
+            principal_id     = principal.principal_id
+            principal_type   = principal.principal_type
+            delegable_roles  = try(assignment.delegable_roles, [])
+            restricted_roles = try(assignment.restricted_roles, [])
+          }
+        }
+      ]
+    ]) : item.key => item.value
+  }
+}
+
+module "simple_iam" {
+  source = "../modules/terraform-azurerm-simple-iam"
+
+  scope            = each.value.scope
+  principal_id     = each.value.principal_id
+  principal_type   = each.value.principal_type
+  roles            = each.value.roles
+  delegable_roles  = each.value.delegable_roles
+  restricted_roles = each.value.restricted_roles
+
+  for_each = local.role_assignments
+}