slawek/terraform-azurerm-simple-iam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
terraform-azurerm-simple-iam/main.tf

129 lines
3.8 KiB
HCL
Raw Permalink Blame History

locals {
allowed_role_definition_ids_list = join(", ", [
for name in var.delegable_roles :
basename(data.azurerm_role_definition.delegable[name].id)
])
restricted_role_definition_ids_list = join(", ", [
for name in var.restricted_roles :
basename(data.azurerm_role_definition.restricted[name].id)
])
rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
rbac_admin_write_clause_roles = join(
"\nAND\n",
compact([
length(var.delegable_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
length(var.restricted_roles) > 0 ? "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
])
)
rbac_admin_delete_clause_roles = join(
"\nAND\n",
compact([
length(var.delegable_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}" : "",
length(var.restricted_roles) > 0 ? "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {${local.restricted_role_definition_ids_list}}" : "",
])
)
rbac_admin_write_clause = (
var.delegable_roles_to_sp_only ?
<<-EOT
(
${local.rbac_admin_write_clause_roles}
)
AND
(
${local.rbac_admin_write_constraint_principal_type}
)
EOT
:
local.rbac_admin_write_clause_roles
)
rbac_admin_delete_clause = (
var.delegable_roles_to_sp_only ?
<<-EOT
(
${local.rbac_admin_delete_clause_roles}
)
AND
(
${local.rbac_admin_delete_constraint_principal_type}
)
EOT
:
local.rbac_admin_delete_clause_roles
)
rbac_admin_condition = <<-EOT
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
${trimspace(local.rbac_admin_write_clause)}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
${trimspace(local.rbac_admin_delete_clause)}
)
)
EOT
}
data "azurerm_role_definition" "rbac_admin" {
for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
name = "Role Based Access Control Administrator"
scope = var.scope
}
data "azurerm_role_definition" "delegable" {
for_each = toset(var.delegable_roles)
name = each.value
scope = var.scope
}
data "azurerm_role_definition" "restricted" {
for_each = toset(var.restricted_roles)
name = each.value
scope = var.scope
}
resource "azurerm_role_assignment" "role" {
for_each = toset(var.roles)
scope = var.scope
role_definition_name = each.value
principal_id = var.principal_id
principal_type = var.principal_type
skip_service_principal_aad_check = true
}
resource "azurerm_role_assignment" "rbac_admin" {
for_each = length(var.delegable_roles) > 0 || length(var.restricted_roles) > 0 ? { this = true } : {}
scope = var.scope
role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
principal_id = var.principal_id
principal_type = var.principal_type
skip_service_principal_aad_check = true
condition_version = "2.0"
condition = local.rbac_admin_condition
}
Reference in New Issue View Git Blame Copy Permalink