Compare commits
2 Commits
84faa4d027
...
6b6615b7d3
| Author | SHA1 | Date | |
|---|---|---|---|
| 6b6615b7d3 | |||
| 04de6345d8 |
72
main.tf
72
main.tf
@@ -4,9 +4,60 @@ locals {
|
||||
basename(data.azurerm_role_definition.delegable[name].id)
|
||||
])
|
||||
|
||||
restricted_role_definition_ids_list = join(", ", [
|
||||
for name in var.restricted_roles :
|
||||
basename(data.azurerm_role_definition.restricted[name].id)
|
||||
])
|
||||
|
||||
rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
|
||||
rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
|
||||
|
||||
rbac_admin_write_clause_roles = join(
|
||||
"\nAND\n",
|
||||
compact([
|
||||
length(var.delegable_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
|
||||
length(var.restricted_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
|
||||
])
|
||||
)
|
||||
|
||||
rbac_admin_delete_clause_roles = join(
|
||||
"\nAND\n",
|
||||
compact([
|
||||
length(var.delegable_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
|
||||
length(var.restricted_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
|
||||
])
|
||||
)
|
||||
|
||||
rbac_admin_write_clause = (
|
||||
var.delegable_roles_to_sp_only ?
|
||||
<<-EOT
|
||||
(
|
||||
${local.rbac_admin_write_clause_roles}
|
||||
)
|
||||
AND
|
||||
(
|
||||
${local.rbac_admin_write_constraint_principal_type}
|
||||
)
|
||||
EOT
|
||||
:
|
||||
local.rbac_admin_write_clause_roles
|
||||
)
|
||||
|
||||
rbac_admin_delete_clause = (
|
||||
var.delegable_roles_to_sp_only ?
|
||||
<<-EOT
|
||||
(
|
||||
${local.rbac_admin_delete_clause_roles}
|
||||
)
|
||||
AND
|
||||
(
|
||||
${local.rbac_admin_delete_constraint_principal_type}
|
||||
)
|
||||
EOT
|
||||
:
|
||||
local.rbac_admin_delete_clause_roles
|
||||
)
|
||||
|
||||
rbac_admin_condition = <<-EOT
|
||||
(
|
||||
(
|
||||
@@ -14,10 +65,7 @@ locals {
|
||||
)
|
||||
OR
|
||||
(
|
||||
(
|
||||
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
|
||||
)
|
||||
${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_write_constraint_principal_type})" : ""}
|
||||
${trimspace(local.rbac_admin_write_clause)}
|
||||
)
|
||||
)
|
||||
AND
|
||||
@@ -27,17 +75,14 @@ locals {
|
||||
)
|
||||
OR
|
||||
(
|
||||
(
|
||||
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
|
||||
)
|
||||
${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_delete_constraint_principal_type})" : ""}
|
||||
${trimspace(local.rbac_admin_delete_clause)}
|
||||
)
|
||||
)
|
||||
EOT
|
||||
}
|
||||
|
||||
data "azurerm_role_definition" "rbac_admin" {
|
||||
for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
|
||||
for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
|
||||
|
||||
name = "Role Based Access Control Administrator"
|
||||
scope = var.scope
|
||||
@@ -50,6 +95,13 @@ data "azurerm_role_definition" "delegable" {
|
||||
scope = var.scope
|
||||
}
|
||||
|
||||
data "azurerm_role_definition" "restricted" {
|
||||
for_each = toset(var.restricted_roles)
|
||||
|
||||
name = each.value
|
||||
scope = var.scope
|
||||
}
|
||||
|
||||
resource "azurerm_role_assignment" "role" {
|
||||
|
||||
for_each = toset(var.roles)
|
||||
@@ -63,7 +115,7 @@ resource "azurerm_role_assignment" "role" {
|
||||
|
||||
resource "azurerm_role_assignment" "rbac_admin" {
|
||||
|
||||
for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
|
||||
for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
|
||||
|
||||
scope = var.scope
|
||||
role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
|
||||
|
||||
13
variables.tf
13
variables.tf
@@ -27,7 +27,7 @@ variable "roles" {
|
||||
variable "delegable_roles" {
|
||||
type = list(string)
|
||||
default = []
|
||||
description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition. When empty, RBAC Administrator assignment is not created."
|
||||
description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition."
|
||||
|
||||
validation {
|
||||
condition = length(distinct(var.delegable_roles)) == length(var.delegable_roles)
|
||||
@@ -35,6 +35,17 @@ variable "delegable_roles" {
|
||||
}
|
||||
}
|
||||
|
||||
variable "restricted_roles" {
|
||||
type = list(string)
|
||||
default = []
|
||||
description = "Role definitions names that RBAC Administrator is not allowed to assign/delete via ABAC condition."
|
||||
|
||||
validation {
|
||||
condition = length(distinct(var.restricted_roles)) == length(var.restricted_roles)
|
||||
error_message = "restricted_roles must not contain duplicates."
|
||||
}
|
||||
}
|
||||
|
||||
variable "principal_type" {
|
||||
type = string
|
||||
default = "ServicePrincipal"
|
||||
|
||||
Reference in New Issue
Block a user