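# Scenario: Multiple principals given roles at multiple scopes.

variable "principals" {
  description = <<-EOT
    Principals and the role assignments each should receive, keyed by an
    arbitrary principal key. Each assignment is keyed by an arbitrary
    assignment key and names the scope, the roles to assign there and,
    optionally, the roles the principal may delegate (delegable_roles) or
    must not assign (restricted_roles). Both optional lists default to an
    empty list, so the module always receives a list rather than null.
  EOT

  type = map(object({
    principal_name = string
    principal_id   = string
    principal_type = string
    role_assignments = map(object({
      scope = string
      roles = list(string)
      # optional(type, default): an absent or null attribute becomes [].
      # The previous try(assignment.delegable_roles, []) did NOT do this:
      # try() only catches errors, and a null attribute is not an error,
      # so null was passed through to the module.
      delegable_roles  = optional(list(string), [])
      restricted_roles = optional(list(string), [])
    }))
  }))

  default = {
    principal1 = {
      principal_name = "sp-app-ops"
      principal_id   = "00000000-0000-0000-0000-000000000011"
      principal_type = "ServicePrincipal"
      role_assignments = {
        subscription = {
          scope           = "/subscriptions/00000000-0000-0000-0000-000000000000"
          roles           = ["Reader"]
          delegable_roles = ["Reader", "Contributor"]
        }
        rg_app = {
          scope           = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
          roles           = ["Contributor"]
          delegable_roles = ["Reader", "Contributor"]
        }
      }
    }
    principal2 = {
      principal_name = "sg-security-reviewers"
      principal_id   = "00000000-0000-0000-0000-000000000022"
      principal_type = "Group"
      role_assignments = {
        rg_security = {
          scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security"
          roles = ["Owner"]
          restricted_roles = [
            "Owner",
            "User Access Administrator",
            "Role Based Access Control Administrator",
          ]
        }
        rg_logs = {
          scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
          roles = ["Role Based Access Control Administrator"]
          restricted_roles = [
            "Owner",
            "User Access Administrator",
            "Role Based Access Control Administrator",
          ]
        }
      }
    }
  }

  # Fail at plan time on values the provider would reject (or silently
  # mis-resolve) at apply time.
  validation {
    condition = alltrue([
      for p in var.principals :
      contains(["User", "Group", "ServicePrincipal"], p.principal_type)
    ])
    error_message = "principal_type must be one of User, Group or ServicePrincipal."
  }

  validation {
    condition = alltrue([
      for p in var.principals :
      can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", p.principal_id))
    ])
    error_message = "principal_id must be the principal's object ID (a GUID), not a display name or UPN."
  }
}

locals {
  # One flat map, keyed "<principal_key>_<assignment_key>", so the module can
  # be instantiated once per (principal, scope) pair with for_each. Keys are
  # derived only from configuration, which keeps state addresses stable when
  # other principals or assignments are added or removed.
  #
  # Building the map with a for-expression (rather than merge()) means a key
  # collision — e.g. principal "a_b"/assignment "c" versus "a"/"b_c" — is a
  # plan-time error instead of one assignment silently overwriting another.
  role_assignments = {
    for item in flatten([
      for principal_key, principal in var.principals : [
        for assignment_key, assignment in principal.role_assignments : {
          key = "${principal_key}_${assignment_key}"
          value = {
            scope            = assignment.scope
            principal_id     = principal.principal_id
            principal_type   = principal.principal_type
            roles            = assignment.roles
            # Guaranteed to be lists (possibly empty) by the variable type's
            # optional() defaults above.
            delegable_roles  = assignment.delegable_roles
            restricted_roles = assignment.restricted_roles
          }
        }
      ]
    ]) : item.key => item.value
  }
}

# One module instance per flattened assignment.
# NOTE(review): how the module enforces delegable_roles / restricted_roles
# (for example as role-assignment conditions) is not visible from this file —
# confirm in the module before relying on them as a control.
module "simple_iam" {
  source   = "../modules/terraform-azurerm-simple-iam"
  for_each = local.role_assignments

  scope            = each.value.scope
  principal_id     = each.value.principal_id
  principal_type   = each.value.principal_type
  roles            = each.value.roles
  delegable_roles  = each.value.delegable_roles
  restricted_roles = each.value.restricted_roles
}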