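# Scenario: Multiple principals with different role assignments at the same scope.
#
# Each entry of var.principals becomes one instance of the simple_iam module,
# and every instance is bound to the current subscription.

variable "principals" {
  description = "Principals to grant roles to, keyed by an arbitrary label that becomes the module instance key."

  type = map(object({
    principal_name = string
    principal_type = string
    roles          = list(string)

    # An omitted optional() attribute without a default is null, not absent,
    # so a try(..., []) at the call site never falls back to the empty list.
    # Declaring the default here makes "not set" really mean [].
    delegable_roles  = optional(list(string), [])
    restricted_roles = optional(list(string), [])
  }))

  default = {
    # Read-only access.
    # NOTE(review): the "sp-" prefix reads like a service principal, but the
    # declared type is "User" - confirm the type matches the real directory
    # object.
    principal1 = {
      principal_name = "sp-principal1"
      principal_type = "User"
      roles          = ["Reader"]
    }

    # Group-based assignment: membership is managed in the directory, not here.
    principal2 = {
      principal_name = "sg-admins"
      principal_type = "Group"
      roles          = ["Contributor"]
    }

    # Owner at subscription scope for a single user account.
    # restricted_roles lists the three privileged administrator roles;
    # presumably the module uses it to constrain which roles this Owner may
    # assign to others - confirm against the module. Without an effective
    # constraint, Owner can grant any role at this scope, so check the
    # resulting role assignment after apply.
    principal3 = {
      principal_name = "john.doe@example.com"
      principal_type = "User"
      roles          = ["Owner"]
      restricted_roles = [
        "Owner",
        "User Access Administrator",
        "Role Based Access Control Administrator"
      ]
    }
  }
}

module "simple_iam" {
  source   = "../modules/terraform-azurerm-simple-iam"
  for_each = var.principals

  # data.azurerm_subscription.current must be declared elsewhere in the
  # configuration; all principals share this one scope.
  scope = data.azurerm_subscription.current.id

  # NOTE(review): the object type of var.principals declares principal_name
  # but no principal_id, so this reference is rejected as an unsupported
  # attribute. Either the module should receive the name, or the name has to
  # be resolved to a directory object ID before this call - not visible here;
  # resolve before use.
  principal_id   = each.value.principal_id
  principal_type = each.value.principal_type
  roles          = each.value.roles

  # Both default to [] through the variable's type, so no try() is needed.
  delegable_roles  = each.value.delegable_roles
  restricted_roles = each.value.restricted_roles
}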