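# Scenario: A single principal with unconditional roles at different scopes.
#
# One principal (var.principal) receives one or more roles at each scope listed
# in var.role_assignments; every map entry becomes one instance of the
# simple_iam module. The default values are sample placeholders (all-zero
# GUIDs) and are expected to be overridden per environment.

# The identity that receives every role assignment in this scenario.
variable "principal" {
  description = "Principal that receives the role assignments. principal_id is the Azure AD object id (GUID); principal_type must be one of User, Group or ServicePrincipal."
  type = object({
    principal_name = string
    principal_id   = string
    principal_type = string
  })
  default = {
    principal_name = "sp-platform-ops"
    principal_id   = "00000000-0000-0000-0000-000000000001"
    principal_type = "ServicePrincipal"
  }

  # Reject unknown principal types up front instead of at apply time, when the
  # provider would fail after the rest of the plan has been accepted.
  validation {
    condition     = contains(["User", "Group", "ServicePrincipal"], var.principal.principal_type)
    error_message = "principal_type must be one of: User, Group, ServicePrincipal."
  }

  # Object ids are GUIDs; a malformed id would otherwise surface only as an
  # opaque provider error.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.principal.principal_id))
    error_message = "principal_id must be a GUID (e.g. 00000000-0000-0000-0000-000000000001)."
  }
}

# Scope -> roles map. Keys are stable labels used as module instance keys, so
# renaming a key replaces (destroys and recreates) that instance's assignments.
variable "role_assignments" {
  description = "Map of assignment label to { scope, roles }. scope is a full Azure resource id; roles is a non-empty list of distinct role definition names granted at that scope."
  type = map(object({
    scope = string
    roles = list(string)
  }))
  default = {
    subscription = {
      scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
      roles = ["Reader"]
    }
    rg_platform = {
      scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform"
      roles = ["Contributor"]
    }
    rg_security = {
      scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
      roles = ["Log Analytics Contributor", "Monitoring Reader"]
    }
  }

  # An entry with no roles is almost certainly a mistake (it grants nothing but
  # still creates a module instance), and a duplicated role name in one entry
  # would request the same assignment twice.
  validation {
    condition = alltrue([
      for k, v in var.role_assignments :
      length(v.roles) > 0 && length(distinct(v.roles)) == length(v.roles)
    ])
    error_message = "Every role_assignments entry must list at least one role, with no duplicates."
  }

  # Azure scopes are resource ids and always start with "/"; a relative or empty
  # scope would be rejected by the provider late in the apply.
  validation {
    condition     = alltrue([for k, v in var.role_assignments : can(regex("^/", v.scope))])
    error_message = "Every role_assignments scope must be a full Azure resource id starting with '/'."
  }
}

# One module instance per role_assignments entry; the instance key is the map
# key, so plans list assignments as module.simple_iam["<label>"].
module "simple_iam" {
  source   = "../modules/terraform-azurerm-simple-iam"
  for_each = var.role_assignments

  scope          = each.value.scope
  principal_id   = var.principal.principal_id
  principal_type = var.principal.principal_type
  roles          = each.value.roles
}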