# Assigns var.roles to a single principal at every scope in var.scopes and,
# when var.delegable_roles is non-empty, also grants "Role Based Access Control
# Administrator" at those scopes under an ABAC condition that limits which role
# definitions the principal may assign or remove.

locals {
  # Role definitions are resolved at the first scope only; the resulting IDs
  # are reused for every scope. Assumes var.scopes is non-empty whenever
  # var.delegable_roles is non-empty — TODO confirm variable validation
  # elsewhere in the module guarantees this, otherwise this index fails.
  lookup_scope = var.scopes[0]

  # Comma-separated GUIDs of the roles the delegate may assign/remove.
  # basename() keeps only the trailing GUID of the role definition ID path.
  # This allow-list is the only guardrail on the delegation: listing highly
  # privileged roles (e.g. Owner, User Access Administrator) would let the
  # principal re-delegate beyond what this module intends.
  allowed_role_definition_ids_list = join(", ", [
    for role_name in var.delegable_roles :
    basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[role_name].id)
  ])

  # Cartesian product of scopes and roles, keyed "<scope>:<role>" so each
  # for_each instance address stays stable when the inputs change.
  role_assignments = {
    for pair in setproduct(var.scopes, var.roles) :
    "${pair[0]}:${pair[1]}" => {
      scope = pair[0]
      role  = pair[1]
    }
  }

  # Condition fragments. Writes are constrained on the incoming request
  # (@Request); deletes on the existing assignment being removed (@Resource).
  rbac_admin_write_constraint_role_definition_ids  = "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
  rbac_admin_delete_constraint_role_definition_ids = "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"

  # Optional extra constraint: the allow-listed roles may only be granted to /
  # removed from service principals, never users or groups. Without it the
  # delegate can assign those roles to any principal type. StringEquals is a
  # case-sensitive comparison of the PrincipalType literal — NOTE(review):
  # confirm the API normalizes casing, or whether an ignore-case operator is
  # preferable.
  rbac_admin_write_constraint_principal_type  = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
  rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"

  # Always the role allow-list; the principal-type clause is appended only when
  # var.delegable_roles_to_sp_only is set. compact() drops the empty
  # placeholder, giving "(A AND B)" or "(A)".
  rbac_admin_write_constraint = "(${join(" AND ", compact([
    local.rbac_admin_write_constraint_role_definition_ids,
    var.delegable_roles_to_sp_only ? local.rbac_admin_write_constraint_principal_type : "",
  ]))})"
  rbac_admin_delete_constraint = "(${join(" AND ", compact([
    local.rbac_admin_delete_constraint_role_definition_ids,
    var.delegable_roles_to_sp_only ? local.rbac_admin_delete_constraint_principal_type : "",
  ]))})"

  # Full condition. Any action other than roleAssignments/write or /delete
  # passes unconditionally (the negated ActionMatches is true); each of those
  # two actions is allowed only when its constraint holds. Nothing else the
  # RBAC Administrator role permits (e.g. reads) is narrowed here.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        ${local.rbac_admin_write_constraint}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        ${local.rbac_admin_delete_constraint}
      )
    )
  EOT
}

# Built-in "Role Based Access Control Administrator" definition, looked up
# only when there is something to delegate. The single fixed key "this" keeps
# the instance address constant.
data "azurerm_role_definition" "rbac_admin" {
  for_each = length(var.delegable_roles) == 0 ? {} : { this = true }

  name  = "Role Based Access Control Administrator"
  scope = local.lookup_scope
}

# One lookup per delegable role name; the GUIDs feed the ABAC condition.
# Custom roles in var.delegable_roles must be resolvable at local.lookup_scope.
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
  for_each = toset(var.delegable_roles)

  name  = each.value
  scope = local.lookup_scope
}

# Direct assignment of every role at every scope.
resource "azurerm_role_assignment" "role" {
  for_each = local.role_assignments

  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = var.principal_id
  principal_type       = var.principal_type

  # Skips the provider's pre-flight principal existence check — presumably to
  # tolerate directory replication delay for newly created service principals;
  # verify against the module's callers. It is set regardless of
  # var.principal_type, so a mistyped principal_id surfaces only at the API.
  skip_service_principal_aad_check = true
}

# Conditional RBAC Administrator assignment at every scope: the principal can
# manage role assignments, but only for the allow-listed role definitions (and,
# optionally, only for service principals).
resource "azurerm_role_assignment" "rbac_admin" {
  for_each = toset(length(var.delegable_roles) > 0 ? var.scopes : [])

  scope              = each.value
  role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
  principal_id       = var.principal_id
  principal_type     = var.principal_type

  # Same pre-flight check bypass as azurerm_role_assignment.role.
  skip_service_principal_aad_check = true

  # The condition is evaluated under version 2.0 of the condition syntax.
  condition_version = "2.0"
  condition         = local.rbac_admin_condition
}