Azure RM Simple IAM module
This module creates a set of Azure RBAC role assignments for a given scope and principal. To use it, the granting principal (the identity Terraform runs as) must hold the Owner, User Access Administrator or Role Based Access Control Administrator role at that scope.
Optionally, it also assigns the Role Based Access Control Administrator role with an ABAC condition that limits which role assignments the principal may create or delete, using an allow-list (delegable_roles) and/or a deny-list (restricted_roles) of role definitions.
The constrained RBAC Administrator assignment is created only when delegable_roles or restricted_roles is non-empty.
Usage
```hcl
module "iam" {
  # This is only an example; use the actual path to the module or a URL
  source = "./modules/terraform-azurerm-simple-iam"

  scope          = data.azurerm_subscription.current.id
  principal_id   = azuread_service_principal.sp.object_id
  principal_type = "ServicePrincipal"

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  restricted_roles = [
    "Owner",
    "User Access Administrator",
    "Role Based Access Control Administrator"
  ]

  # Optional
  delegable_roles_to_sp_only = true
}
```
Note: The example above exercises every input variable for demonstration purposes. In most scenarios it does not make sense to set restricted_roles and delegable_roles together: an allow-list already denies every role that is not on it.
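To make the delegation mechanism concrete, the following is an added example (not the module's own source) of the raw azurerm resources that a constrained RBAC Administrator assignment with a two-role delegable_roles allow-list and delegable_roles_to_sp_only = true expands to. The condition syntax is Azure's ABAC condition language as documented for delegating role assignment management; that the module composes its condition exactly this way, and the data.azurerm_subscription.current and azuread_service_principal.sp references, are assumptions for illustration.

```hcl
# Added example, not the module's own code: the resources behind a constrained
# RBAC Administrator assignment. Assumes azurerm provider 3.x (condition and
# condition_version on azurerm_role_assignment) and that the module builds its
# condition along these lines.

locals {
  scope           = data.azurerm_subscription.current.id
  delegable_roles = ["Storage Blob Data Contributor", "Key Vault Secrets Officer"]
  sp_only         = true
}

# Resolve role names to built-in role definitions; the condition wants bare GUIDs.
# A misspelled role name fails here at plan time, before anything is assigned.
data "azurerm_role_definition" "delegable" {
  for_each = toset(local.delegable_roles)
  name     = each.key
  scope    = local.scope
}

locals {
  # "/subscriptions/.../roleDefinitions/<guid>" -> "<guid>"
  delegable_guids = join(", ", [
    for d in data.azurerm_role_definition.delegable : basename(d.id)
  ])

  # Principal-type constraint. Writes are evaluated against the incoming request
  # (@Request), deletes against the existing assignment (@Resource). Both must be
  # constrained, otherwise the delegate could still remove assignments that were
  # made to users or groups.
  write_principal  = local.sp_only ? " AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""
  delete_principal = local.sp_only ? " AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""

  # Allow-list form. A deny-list (restricted_roles) has the same shape but uses
  # "ForAnyOfAllValues:GuidNotEquals {<guids>}" in place of GuidEquals.
  rbac_admin_condition = <<-EOT
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
      OR
      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.write_principal})
    )
    AND
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
      OR
      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.delete_principal})
    )
  EOT
}

# One of the unconditional assignments from `roles`.
resource "azurerm_role_assignment" "contributor" {
  scope                = local.scope
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.sp.object_id
  principal_type       = "ServicePrincipal"
}

# The constrained delegation itself.
resource "azurerm_role_assignment" "rbac_admin" {
  scope                = local.scope
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = azuread_service_principal.sp.object_id
  principal_type       = "ServicePrincipal"
  condition_version    = "2.0"
  condition            = local.rbac_admin_condition
}

# Expose the rendered condition so it can be reviewed in plan output.
output "rbac_admin_condition" {
  value = azurerm_role_assignment.rbac_admin.condition
}
```

Two things to check before applying something like this. First, the condition restricts the delegate's own write and delete operations only; it does not attach to the assignments the delegate creates. A delegate who is allowed to assign Role Based Access Control Administrator, User Access Administrator or Owner can therefore hand another principal an unconstrained copy, which is why those roles belong in restricted_roles and never in delegable_roles. Second, review the rendered condition from the output after `terraform plan`: a missing delete clause or a delete clause without the principal-type constraint is easy to miss in a long string and quietly widens what the delegate can undo.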
Scenarios
Assigning roles to user and group principals
This is the common scenario of assigning roles to users and groups in Azure AD. These users do not need any delegation permissions, so delegable_roles and restricted_roles can be left empty; the module then creates only the unconditional role assignments.
Best practice: Assign the Reader role at a broad scope and add job function roles at narrower scopes. Work with the end users to identify the right roles and scopes for their needs. Avoid assigning high-privilege roles like Owner or User Access Administrator. In production environments, use even more restrictive roles and scopes, for example by avoiding generic roles like Contributor.
Assigning roles to devops engineers
Devops engineers often need permissions to create resources and to assign roles to service principals and managed identities. They often request the Owner role for convenience, but that is not a recommended practice for any environment other than a lab or sandbox.
Best practice: In non-production environments, assign the unconditional Contributor role and use restricted_roles to stop them from assigning the Owner, User Access Administrator and Role Based Access Control Administrator roles to any principal. In production environments, use only job function roles, and limit delegable_roles to the specific needs of the project, for example the Storage Blob Data Contributor and Key Vault Secrets Officer roles. Additionally, set delegable_roles_to_sp_only so they can configure managed identities and service principals for their applications but cannot assign roles to themselves or to other users and groups.
Assigning roles to managed identities and service principals
Managed identities and service principals are used by applications to access other resources, and by IaC pipelines to create and manage resources.
Best practice: Application-dedicated identities should have only the permissions they need, at the narrowest scope possible. IaC pipelines should be able to assign only the roles needed by the services they deploy. For example, a pipeline deploying a web application that needs to access a storage account and a key vault should have Storage Blob Data Contributor, Key Vault Secrets User and Key Vault Certificates User as its delegable roles.
Examples
The examples folder contains example usage of the module for different scenarios. The examples are not meant to be deployed as-is, but rather to provide guidance on how to use the module in different ways.
- Multiple principals with different role assignments at the same scope.
- A single principal with unconditional roles at different scopes.
- Multiple principals given roles at multiple scopes.
Inputs
- scope (string): Scope ID at which to assign roles.
- principal_id (string): Object ID of the principal.
- principal_type (string): Passed to azurerm_role_assignment.principal_type.
- roles (list(string)): Unconditional role definition names to assign.
- delegable_roles (list(string)): Role definition names allowed by the constrained RBAC Admin condition.
- restricted_roles (list(string)): Role definition names denied by the constrained RBAC Admin condition.
- delegable_roles_to_sp_only (bool): When true, the RBAC Admin delegation can only assign/delete roles for principals of type ServicePrincipal.
Outputs
- role_assignment_ids (map(string))
- rbac_admin_role_assignment_id (string|null)
- rbac_admin_condition (string|null)