Added support for ABAC restricted roles.

main.tf

@@ -4,9 +4,60 @@ locals {
     basename(data.azurerm_role_definition.delegable[name].id)
   ])
 
+  restricted_role_definition_ids_list = join(", ", [
+    for name in var.restricted_roles :
+    basename(data.azurerm_role_definition.restricted[name].id)
+  ])
+
   rbac_admin_write_constraint_principal_type  = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
   rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
 
+  rbac_admin_write_clause_roles = join(
+    "\nAND\n",
+    compact([
+      length(var.delegable_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
+      length(var.restricted_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
+    ])
+  )
+
+  rbac_admin_delete_clause_roles = join(
+    "\nAND\n",
+    compact([
+      length(var.delegable_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
+      length(var.restricted_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
+    ])
+  )
+
+  rbac_admin_write_clause = (
+    var.delegable_roles_to_sp_only ?
+    <<-EOT
+    (
+      ${local.rbac_admin_write_clause_roles}
+    )
+    AND
+    (
+      ${local.rbac_admin_write_constraint_principal_type}
+    )
+    EOT
+    :
+    local.rbac_admin_write_clause_roles
+  )
+
+  rbac_admin_delete_clause = (
+    var.delegable_roles_to_sp_only ?
+    <<-EOT
+    (
+      ${local.rbac_admin_delete_clause_roles}
+    )
+    AND
+    (
+      ${local.rbac_admin_delete_constraint_principal_type}
+    )
+    EOT
+    :
+    local.rbac_admin_delete_clause_roles
+  )
+
   rbac_admin_condition = <<-EOT
   (
     (
@@ -14,10 +65,7 @@ locals {
     )
     OR
     (
-      (
+      ${trimspace(local.rbac_admin_write_clause)}
-        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
-      )
-      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_write_constraint_principal_type})" : ""}
     )
   )
   AND
@@ -27,17 +75,14 @@ locals {
     )
     OR
     (
-      (
+      ${trimspace(local.rbac_admin_delete_clause)}
-        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
-      )
-      ${var.delegable_roles_to_sp_only ? "AND\n      (${local.rbac_admin_delete_constraint_principal_type})" : ""}
     )
   )
   EOT
 }
 
 data "azurerm_role_definition" "rbac_admin" {
-  for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
+  for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
 
   name  = "Role Based Access Control Administrator"
   scope = var.scope
@@ -50,6 +95,13 @@ data "azurerm_role_definition" "delegable" {
   scope = var.scope
 }
 
+data "azurerm_role_definition" "restricted" {
+  for_each = toset(var.restricted_roles)
+
+  name  = each.value
+  scope = var.scope
+}
+
 resource "azurerm_role_assignment" "role" {
 
   for_each = toset(var.roles)
@@ -63,7 +115,7 @@ resource "azurerm_role_assignment" "role" {
 
 resource "azurerm_role_assignment" "rbac_admin" {
 
-  for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
+  for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
 
   scope                            = var.scope
   role_definition_id               = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator

variables.tf

@@ -27,7 +27,7 @@ variable "roles" {
 variable "delegable_roles" {
   type        = list(string)
   default     = []
-  description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition. When empty, RBAC Administrator assignment is not created."
+  description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition."
 
   validation {
     condition     = length(distinct(var.delegable_roles)) == length(var.delegable_roles)
@@ -35,6 +35,17 @@ variable "delegable_roles" {
   }
 }
 
+variable "restricted_roles" {
+  type = list(string)
+  default = []
+  description = "Role definitions names that RBAC Administrator is not allowed to assign/delete via ABAC condition."
+
+  validation {
+    condition = length(distinct(var.restricted_roles)) == length(var.restricted_roles)
+    error_message = "restricted_roles must not contain duplicates."
+  }
+}
+
 variable "principal_type" {
   type        = string
   default     = "ServicePrincipal"