Added AI created module implementation.

README.md

@@ -1,3 +1,47 @@
 # Azure RM Simple IAM module
 
-This module create IAM role assignments for a given scope and principal. It can also assign RBAC Admininator role with conditions to assignable roles.
+This module creates Azure RBAC role assignments for a given scope and principal.
+
+It also optionally assigns the **Role Based Access Control Administrator** role with an ABAC condition that limits roleAssignments write/delete to a selected set of delegable roles.
+
+The constrained RBAC Administrator assignment is created only when `delegable_roles` is non-empty.
+
+## Usage
+
+```hcl
+module "iam" {
+  source = "../modules/simple-iam"
+
+  scope        = data.azurerm_subscription.current.id
+  principal_id = azuread_service_principal.sp.object_id
+
+  roles = [
+    "Contributor",
+  ]
+
+  delegable_roles = [
+    "Storage Blob Data Contributor",
+    "Key Vault Secrets Officer",
+    "Key Vault Certificates Officer",
+  ]
+
+  # Optional
+  principal_type                   = "ServicePrincipal"
+  skip_service_principal_aad_check = true
+}
+```
+
+## Inputs
+
+- `scope` (string): Scope ID at which to assign roles.
+- `principal_id` (string): Object ID of the principal.
+- `roles` (list(string)): Unconditional role definition names to assign.
+- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
+- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
+- `skip_service_principal_aad_check` (bool): Passed to `azurerm_role_assignment.skip_service_principal_aad_check`.
+
+## Outputs
+
+- `role_assignment_ids` (map(string))
+- `rbac_admin_role_assignment_id` (string|null)
+- `rbac_admin_condition` (string|null)