# Azure RM Simple IAM module

This module creates Azure RBAC role assignments for a given scope and principal. It also optionally assigns the **Role Based Access Control Administrator** role with an ABAC condition that limits `roleAssignments` write and delete operations to a selected set of delegable roles, so the principal can hand out only those roles and nothing broader.

The constrained RBAC Administrator assignment is created only when `delegable_roles` is non-empty.

## Usage

```hcl
module "iam" {
  source = "../modules/simple-iam"

  scope        = data.azurerm_subscription.current.id
  principal_id = azuread_service_principal.sp.object_id

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  # Optional
  principal_type = "ServicePrincipal"
}
```

## Inputs

- `scope` (string): Scope ID at which to assign roles.
- `principal_id` (string): Object ID of the principal.
- `roles` (list(string)): Unconditional role definition names to assign.
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Administrator condition. When empty, RBAC Administrator is not assigned.
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
- `delegable_roles_to_sp_only` (bool): When true, the RBAC Administrator delegation can only assign or delete role assignments whose principal is of type ServicePrincipal.

## Outputs

- `role_assignment_ids` (map(string))
- `rbac_admin_role_assignment_id` (string|null)
- `rbac_admin_condition` (string|null)
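The following is an added example, not the module's own source, showing how the constrained RBAC Administrator assignment and the `delegable_roles_to_sp_only` restriction described above can be expressed with `azurerm_role_assignment` and an ABAC condition. The variable names mirror the module's inputs; the `azurerm_role_definition` data-source lookup, the GUID extraction from the role definition ID, and the `rbac_admin` resource name are assumptions, and the condition syntax follows the Azure condition format for delegating role assignment management.

```hcl
# Added example: a constrained "Role Based Access Control Administrator"
# assignment. Not the module's own code; names mirror its inputs.

variable "scope" {
  type = string
}

variable "principal_id" {
  type = string
}

variable "principal_type" {
  type    = string
  default = "ServicePrincipal"
}

variable "delegable_roles" {
  type    = list(string)
  default = []
}

variable "delegable_roles_to_sp_only" {
  type    = bool
  default = false
}

# Resolve each delegable role name to its role definition at the given scope
# (assumption: role names are built-in or visible at this scope).
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)
  name     = each.value
  scope    = var.scope
}

locals {
  # The condition compares role definition GUIDs, not names. Assumption: the
  # data source ID contains ".../roleDefinitions/<guid>".
  delegable_role_guids = [
    for r in data.azurerm_role_definition.delegable :
    regex("roleDefinitions/([0-9a-fA-F-]{36})", r.id)[0]
  ]
  guid_list = join(", ", local.delegable_role_guids)

  # Optional principal-type clauses; empty when delegation is not restricted
  # to service principals. @Request applies to write, @Resource to delete.
  sp_only_request  = var.delegable_roles_to_sp_only ? " AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""
  sp_only_resource = var.delegable_roles_to_sp_only ? " AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""

  # Each half reads: "either this is not a roleAssignments write/delete, or the
  # role being assigned/removed is one of the delegable GUIDs". Every other
  # action granted by the role (reading assignments, etc.) stays unconstrained.
  rbac_admin_condition = <<-EOT
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
      OR
      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.guid_list}}${local.sp_only_request})
    )
    AND
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
      OR
      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.guid_list}}${local.sp_only_resource})
    )
  EOT
}

# Created only when there is at least one delegable role; an empty GuidEquals
# list would otherwise block every write/delete while still granting the role.
resource "azurerm_role_assignment" "rbac_admin" {
  count = length(var.delegable_roles) > 0 ? 1 : 0

  scope                = var.scope
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.principal_id
  principal_type       = var.principal_type
  condition_version    = "2.0"
  condition            = local.rbac_admin_condition
}

output "rbac_admin_role_assignment_id" {
  value = length(var.delegable_roles) > 0 ? azurerm_role_assignment.rbac_admin[0].id : null
}

output "rbac_admin_condition" {
  value = length(var.delegable_roles) > 0 ? local.rbac_admin_condition : null
}
```

After `terraform apply`, the rendered condition is visible in the `rbac_admin_condition` output and on the assignment in the Azure portal; checking that the GUID list contains exactly the intended roles is the quickest way to confirm the delegation is as narrow as the `delegable_roles` input implies.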