Azure RM Simple IAM module

This module creates Azure RBAC role assignments for a given scope and principal.

It can also assign the Role Based Access Control Administrator role to the same principal with an Azure ABAC condition attached. The condition restricts the principal's Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete actions to role assignments whose role definition is in a selected list of delegable roles, so the principal can grant or revoke those roles but cannot hand out any role outside the list (including RBAC Administrator itself, unless it is listed).

The constrained RBAC Administrator assignment is created only when delegable_roles is non-empty.

Usage

module "iam" {
  source = "../modules/simple-iam"

  scope        = data.azurerm_subscription.current.id
  principal_id = azuread_service_principal.sp.object_id

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  # Optional
  principal_type = "ServicePrincipal"
}

Inputs

  • scope (string): Scope ID at which to assign roles.
  • principal_id (string): Object ID of the principal.
  • roles (list(string)): Unconditional role definition names to assign.
  • delegable_roles (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
  • principal_type (string, optional): Passed to azurerm_role_assignment.principal_type (User, Group or ServicePrincipal). Azure requires it to be set explicitly when the caller creating the assignment is itself constrained by an ABAC condition on PrincipalType.
  • delegable_roles_to_sp_only (bool): When true, the condition additionally requires the target principal of any assignment the delegate creates or deletes to be of type ServicePrincipal; assignments to users and groups are refused.
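
As an added example (not the module's own code), this is what a constrained RBAC Administrator assignment looks like when written out as plain azurerm resources, using the Azure condition syntax documented for delegating role assignment management. Assumed: azurerm provider 3.x or later (for condition and condition_version on azurerm_role_assignment), a subscription scope, the delegate's object ID passed in as a variable named principal_id, and the delegable_roles_to_sp_only flag held in a local. Whether the module builds its condition in exactly this shape is not stated on this page.

```hcl
# Added example, not the module's own code. Assumptions: azurerm provider
# 3.x or later (condition / condition_version on azurerm_role_assignment),
# subscription scope, and the delegate's object ID passed in as a variable.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.70"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "principal_id" {
  type        = string
  description = "Object ID of the service principal that receives constrained RBAC Admin."
}

locals {
  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]
  # Assumed to mirror the module's delegable_roles_to_sp_only input.
  delegable_roles_to_sp_only = true
}

data "azurerm_subscription" "current" {}

# ABAC conditions compare role definition GUIDs, not display names,
# so each delegable role name is resolved through the data source.
data "azurerm_role_definition" "delegable" {
  for_each = toset(local.delegable_roles)
  name     = each.key
  scope    = data.azurerm_subscription.current.id
}

locals {
  delegable_guids = join(", ", [
    for rd in data.azurerm_role_definition.delegable : rd.role_definition_id
  ])

  # Optional extra clause: the delegate may only touch assignments whose
  # target principal is a service principal. On write the target comes from
  # the request; on delete it is read from the existing assignment, hence
  # @Request for write and @Resource for delete.
  sp_only_write  = local.delegable_roles_to_sp_only ? " AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""
  sp_only_delete = local.delegable_roles_to_sp_only ? " AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""

  # Each half reads: "either this is not a roleAssignments write/delete, or
  # the role being assigned/removed is one of the delegable GUIDs". Actions
  # the condition does not mention (e.g. roleAssignments/read) are unaffected.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.sp_only_write}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.sp_only_delete}
      )
    )
  EOT
}

resource "azurerm_role_assignment" "rbac_admin" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.principal_id
  principal_type       = "ServicePrincipal"
  condition            = local.rbac_admin_condition
  condition_version    = "2.0"
}

output "rbac_admin_condition" {
  value = local.rbac_admin_condition
}
```

Two practical caveats. The condition constrains which roles and which kind of target principal, not which principal: the delegate can still assign a delegable role to itself, so keep roles that would escalate the delegate's own access out of the list. And after apply, read the stored condition back (for example with az role assignment list --assignee <object-id> --all, which includes the condition and conditionVersion fields) to confirm the GUID list and the PrincipalType clause landed as intended; a condition with a typo in an attribute name is rejected at creation, but one that silently lists the wrong GUIDs is not.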

Outputs

  • role_assignment_ids (map(string))
  • rbac_admin_role_assignment_id (string|null)
  • rbac_admin_condition (string|null)