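# Inputs for a role-assignment module: unconditional assignments (roles) plus
# an optional RBAC Administrator assignment whose ABAC condition limits which
# role definitions the principal may in turn assign/delete (delegable_roles).

variable "scope" {
  type        = string
  description = "Scope ID at which to assign roles (subscription, resource group, resource, etc.)."

  validation {
    # try() covers an explicit null without depending on && short-circuiting:
    # HCL evaluates both operands, so a bare trimspace(null) would surface as a
    # function error instead of this error_message.
    condition     = try(trimspace(var.scope), "") != ""
    error_message = "scope must be a non-empty string."
  }
}

variable "principal_id" {
  type        = string
  description = "Object ID of the principal (service principal, user, group, managed identity)."

  validation {
    # Same non-empty rule as scope; otherwise an empty or null principal_id is
    # only rejected at apply time inside azurerm_role_assignment.
    condition     = try(trimspace(var.principal_id), "") != ""
    error_message = "principal_id must be a non-empty string."
  }
}

variable "roles" {
  type        = list(string)
  default     = []
  description = "Unconditional role definition names to assign to principal_id at scope."

  validation {
    condition     = length(distinct(var.roles)) == length(var.roles)
    error_message = "roles must not contain duplicates."
  }

  validation {
    # A blank name cannot resolve to a role definition; fail at plan time.
    condition     = alltrue([for r in var.roles : trimspace(r) != ""])
    error_message = "roles must not contain empty or whitespace-only names."
  }
}

variable "delegable_roles" {
  type        = list(string)
  default     = []
  description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition. When empty, RBAC Administrator assignment is not created."

  # Review note: each name listed here is a role the delegate can grant to
  # other principals (and, unless the ABAC condition also constrains the target
  # principal, presumably to itself). Listing highly privileged roles such as
  # Owner, User Access Administrator or Role Based Access Control Administrator
  # makes the delegation equivalent to holding those roles — confirm that is
  # intended before adding them.
  validation {
    condition     = length(distinct(var.delegable_roles)) == length(var.delegable_roles)
    error_message = "delegable_roles must not contain duplicates."
  }

  validation {
    # A blank name would produce a malformed ABAC condition expression.
    condition     = alltrue([for r in var.delegable_roles : trimspace(r) != ""])
    error_message = "delegable_roles must not contain empty or whitespace-only names."
  }
}

variable "principal_type" {
  type        = string
  default     = "ServicePrincipal"
  description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)."

  validation {
    # Restrict to the values the azurerm provider documents for principal_type;
    # try() turns an explicit null into a validation failure rather than a
    # function error.
    condition     = try(contains(["User", "Group", "ServicePrincipal"], var.principal_type), false)
    error_message = "principal_type must be one of: User, Group, ServicePrincipal."
  }
}

variable "delegable_roles_to_sp_only" {
  type        = bool
  default     = false
  description = "When true, the RBAC Admin conditional delegation allows roleAssignments write/delete only when the target principal type is ServicePrincipal."

  # With the default (false) the delegate may also assign delegable_roles to
  # users and groups. NOTE(review): when the condition filters on principal
  # type, the delegate's own role assignments must set principal_type
  # explicitly for the condition to evaluate as expected — confirm against the
  # ABAC condition built elsewhere in this module.
}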