locals {
  # Whether the constrained "Role Based Access Control Administrator"
  # assignment is created at all: only when there is something to delegate.
  rbac_admin_enabled = length(var.delegable_roles) > 0

  # Comma-separated GUIDs of the role definitions the delegate may assign.
  # basename() keeps the last path segment of the data-source id, which is
  # expected to be the role-definition GUID — assumes the provider returns a
  # plain resource id here (no trailing "|scope" suffix); verify against the
  # provider version in use.
  allowed_role_definition_ids_list = join(", ", [
    for name in var.delegable_roles : basename(data.azurerm_role_definition.delegable[name].id)
  ])

  # ABAC attribute constraints shared by the write and delete branches.
  # The caller prefixes them with "@Request" (attributes of the incoming
  # role-assignment request) or "@Resource" (attributes of the existing
  # role assignment being deleted).
  rbac_admin_role_id_constraint        = "[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
  rbac_admin_principal_type_constraint = "[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"

  rbac_admin_write_constraint_principal_type  = "@Request${local.rbac_admin_principal_type_constraint}"
  rbac_admin_delete_constraint_principal_type = "@Resource${local.rbac_admin_principal_type_constraint}"

  # Write branch: the delegate may only create assignments of the listed
  # roles and, when delegable_roles_to_sp_only is set, only for service
  # principals. When the flag is false the listed roles may be assigned to
  # any principal type (users, groups, ...), so review the role list with
  # that in mind.
  rbac_admin_write_clause = (
    var.delegable_roles_to_sp_only
    ? "( @Request${local.rbac_admin_role_id_constraint} ) AND ( ${local.rbac_admin_write_constraint_principal_type} )"
    : "@Request${local.rbac_admin_role_id_constraint}"
  )

  # Delete branch: the same restriction applied to the existing assignment,
  # so the delegate cannot remove assignments it was not allowed to create.
  rbac_admin_delete_clause = (
    var.delegable_roles_to_sp_only
    ? "( @Resource${local.rbac_admin_role_id_constraint} ) AND ( ${local.rbac_admin_delete_constraint_principal_type} )"
    : "@Resource${local.rbac_admin_role_id_constraint}"
  )

  # Full role-assignment condition. Each half is of the form
  # "not this action OR the action satisfies the clause", so actions other
  # than roleAssignments/write and roleAssignments/delete are unaffected.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        ${local.rbac_admin_write_clause}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        ${local.rbac_admin_delete_clause}
      )
    )
  EOT
}

# Built-in role that is delegated (with the ABAC condition above) when
# delegable roles are configured.
data "azurerm_role_definition" "rbac_admin" {
  for_each = local.rbac_admin_enabled ? { this = true } : {}

  name  = "Role Based Access Control Administrator"
  scope = var.scope
}

# Role definitions the delegate is allowed to hand out; looked up by name so
# their GUIDs can be embedded in the condition.
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)

  name  = each.value
  scope = var.scope
}

# Plain (unconditioned) role assignments for the principal.
resource "azurerm_role_assignment" "role" {
  for_each = toset(var.roles)

  scope                = var.scope
  role_definition_name = each.value
  principal_id         = var.principal_id
  principal_type       = var.principal_type

  # Skips the directory existence check, which can fail for a freshly
  # created service principal because of replication lag.
  skip_service_principal_aad_check = true
}

# Constrained delegation of role management: the principal becomes an RBAC
# Administrator at var.scope, but the condition limits which roles it may
# assign or unassign (and optionally to which principal type).
resource "azurerm_role_assignment" "rbac_admin" {
  for_each = local.rbac_admin_enabled ? { this = true } : {}

  scope              = var.scope
  role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
  principal_id       = var.principal_id
  principal_type     = var.principal_type

  # See the comment on azurerm_role_assignment.role.
  skip_service_principal_aad_check = true

  # Condition version 2.0 is required for role-assignment (ABAC) conditions.
  condition_version = "2.0"
  condition         = local.rbac_admin_condition
}