# Azure RM Simple IAM module
This module creates Azure RBAC role assignments for a given scope and principal.
It also optionally assigns the Role Based Access Control Administrator role with an ABAC condition that limits roleAssignments write/delete to a selected set of delegable roles.
The constrained RBAC Administrator assignment is created only when delegable_roles is non-empty.
## Usage
```hcl
module "iam" {
  source       = "../modules/simple-iam"
  scope        = data.azurerm_subscription.current.id
  principal_id = azuread_service_principal.sp.object_id

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  # Optional
  principal_type = "ServicePrincipal"
}
```
## Inputs
- `scope` (string): Scope ID at which to assign roles.
- `principal_id` (string): Object ID of the principal.
- `roles` (list(string)): Unconditional role definition names to assign.
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Administrator condition. When empty, RBAC Administrator is not assigned.
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
## Outputs
- `role_assignment_ids` (map(string))
- `rbac_admin_role_assignment_id` (string|null)
- `rbac_admin_condition` (string|null)
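As an added illustration (not this module's own source), the following shows one way the constrained RBAC Administrator assignment described above can be built: the `delegable_roles` names are resolved to role definition GUIDs and dropped into Azure's condition template for constrained role assignment delegation. It assumes the module exposes `var.scope`, `var.principal_id`, `var.principal_type` and `var.delegable_roles` as documented under Inputs.

```hcl
# Added illustration (not the module's source); assumes the variables documented above.
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)
  name     = each.value
  scope    = var.scope
}

locals {
  # The condition compares role definition GUIDs, so keep only the last
  # path segment of each resolved role definition id.
  delegable_role_guids = join(", ", [
    for rd in data.azurerm_role_definition.delegable : basename(rd.id)
  ])

  # Azure's documented constrained-delegation template (condition version 2.0):
  # roleAssignments write/delete is allowed only when the role being
  # assigned or removed is in the delegable set.
  rbac_admin_condition = <<-EOT
    (
     (
      !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
     )
     OR
     (
      @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_role_guids}}
     )
    )
    AND
    (
     (
      !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
     )
     OR
     (
      @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_role_guids}}
     )
    )
  EOT
}

resource "azurerm_role_assignment" "rbac_admin" {
  # Created only when the delegable set is non-empty, as the README states.
  count                = length(var.delegable_roles) > 0 ? 1 : 0
  scope                = var.scope
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.principal_id
  principal_type       = var.principal_type
  condition            = local.rbac_admin_condition
  condition_version    = "2.0"
}
```

A role name that cannot be resolved at the given scope fails the plan rather than silently widening the condition, which is the behaviour you want for a delegation boundary.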