# Assigns a fixed set of roles (var.roles) to one principal at var.scope and,
# only when var.delegable_roles is non-empty, also grants that principal the
# built-in "Role Based Access Control Administrator" role with an ABAC
# condition that limits which role definitions the delegate may assign or
# remove.

locals {
  # GUIDs of the delegable role definitions (last path segment of each
  # role definition id), rendered as "guid1, guid2" for use inside the
  # condition below. Iteration follows var.delegable_roles order, so
  # reordering that variable re-renders the condition string.
  allowed_role_definition_ids_list = join(", ", [
    for name in var.delegable_roles : basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
  ])

  # ABAC condition attached to the RBAC Administrator assignment.
  # Structure: for roleAssignments/write the RoleDefinitionId of the
  # incoming request (@Request) must be one of the allowed GUIDs; for
  # roleAssignments/delete the RoleDefinitionId of the existing assignment
  # (@Resource) must be one of them. Every other action is passed through
  # by the "!(ActionMatches ...)" branches.
  # The condition constrains role definitions only; it does not restrict
  # which principal (or principal type) the delegate may target.
  # With an empty var.delegable_roles this renders "{}", but the assignment
  # that uses it has count = 0 in that case, so it is never submitted.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
      )
    )
  EOT
}

# Built-in role that lets the principal manage role assignments; looked up
# only when there is something to delegate.
data "azurerm_role_definition" "rbac_admin" {
  count = length(var.delegable_roles) > 0 ? 1 : 0
  name  = "Role Based Access Control Administrator"
  scope = var.scope
}

# One lookup per delegable role name; the ids feed
# local.allowed_role_definition_ids_list. Names are resolved at var.scope.
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
  for_each = toset(var.delegable_roles)
  name     = each.value
  scope    = var.scope
}

# Direct role assignments for the principal, one per entry in var.roles.
resource "azurerm_role_assignment" "role" {
  for_each             = toset(var.roles)
  scope                = var.scope
  role_definition_name = each.value
  principal_id         = var.principal_id
  principal_type       = var.principal_type
  # NOTE(review): set unconditionally, including for non-service-principal
  # principal_type values; the provider documents this flag as intended for
  # newly created service principals — confirm it is wanted for every
  # principal_type this module accepts.
  skip_service_principal_aad_check = true
}

# Conditional delegation: RBAC Administrator restricted by
# local.rbac_admin_condition. Created only when var.delegable_roles is
# non-empty.
resource "azurerm_role_assignment" "rbac_admin" {
  count              = length(var.delegable_roles) > 0 ? 1 : 0
  scope              = var.scope
  role_definition_id = data.azurerm_role_definition.rbac_admin[0].id # Role Based Access Control Administrator
  principal_id       = var.principal_id
  principal_type     = var.principal_type
  # NOTE(review): same unconditional flag as in "role" above — confirm for
  # non-service-principal principal_type values.
  skip_service_principal_aad_check = true
  # Condition language version "2.0" is the one that supports the
  # ActionMatches / @Request / @Resource syntax used in the local.
  condition_version = "2.0"
  condition         = local.rbac_admin_condition
}