60 lines
1.9 KiB
HCL
60 lines
1.9 KiB
HCL
variable "scope" {
|
|
type = string
|
|
description = "Scope ID at which to assign roles (subscription, resource group, resource, etc.)."
|
|
|
|
validation {
|
|
condition = var.scope != null && trimspace(var.scope) != ""
|
|
error_message = "scope must be a non-empty string."
|
|
}
|
|
}
|
|
|
|
variable "principal_id" {
|
|
type = string
|
|
description = "Object ID of the principal (service principal, user, group, managed identity)."
|
|
}
|
|
|
|
variable "roles" {
|
|
type = list(string)
|
|
default = []
|
|
description = "Unconditional role definition names to assign to principal_id at scope."
|
|
|
|
validation {
|
|
condition = length(distinct(var.roles)) == length(var.roles)
|
|
error_message = "roles must not contain duplicates."
|
|
}
|
|
}
|
|
|
|
variable "delegable_roles" {
|
|
type = list(string)
|
|
default = []
|
|
description = "Role definition names that RBAC Administrator is allowed to assign/delete via ABAC condition."
|
|
|
|
validation {
|
|
condition = length(distinct(var.delegable_roles)) == length(var.delegable_roles)
|
|
error_message = "delegable_roles must not contain duplicates."
|
|
}
|
|
}
|
|
|
|
variable "restricted_roles" {
|
|
type = list(string)
|
|
default = []
|
|
description = "Role definitions names that RBAC Administrator is not allowed to assign/delete via ABAC condition."
|
|
|
|
validation {
|
|
condition = length(distinct(var.restricted_roles)) == length(var.restricted_roles)
|
|
error_message = "restricted_roles must not contain duplicates."
|
|
}
|
|
}
|
|
|
|
variable "principal_type" {
|
|
type = string
|
|
default = "ServicePrincipal"
|
|
description = "Value for azurerm_role_assignment.principal_type (e.g., ServicePrincipal, User, Group)."
|
|
}
|
|
|
|
variable "delegable_roles_to_sp_only" {
|
|
type = bool
|
|
default = false
|
|
description = "When true, the RBAC Admin conditional delegation allows roleAssignments write/delete only when the target principal type is ServicePrincipal."
|
|
}
|