terraform-azurerm-simple-iam/main.tf


locals {
  # Comma-separated list of role definition GUIDs (the basename of each resolved
  # data.azurerm_role_definition.delegable id). Spliced into the GuidEquals lists
  # of rbac_admin_condition below.
  allowed_role_definition_ids_list = join(", ", [
    for name in var.delegable_roles :
    basename(data.azurerm_role_definition.delegable[name].id)
  ])

  # Principal-type constraints used when var.delegable_roles_to_sp_only is true.
  # The write branch inspects the incoming request (@Request), the delete branch
  # inspects the existing assignment being removed (@Resource).
  rbac_admin_write_constraint_principal_type  = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
  rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"

  # ABAC condition attached to the Role Based Access Control Administrator
  # assignment. Structure: (not write OR write-allowed) AND (not delete OR
  # delete-allowed). For roleAssignments/write and roleAssignments/delete the
  # affected RoleDefinitionId must be one of allowed_role_definition_ids_list;
  # when var.delegable_roles_to_sp_only is true the assignment's PrincipalType
  # must additionally be ServicePrincipal. Actions that are neither write nor
  # delete satisfy both leading !(ActionMatches{...}) terms and are not
  # restricted by this expression.
  rbac_admin_condition = <<-EOT
    (
    (
    !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
    )
    OR
    (
    (
    @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
    )
    ${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_write_constraint_principal_type})" : ""}
    )
    )
    AND
    (
    (
    !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
    )
    OR
    (
    (
    @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
    )
    ${var.delegable_roles_to_sp_only ? "AND\n (${local.rbac_admin_delete_constraint_principal_type})" : ""}
    )
    )
  EOT
}
# Resolve the built-in "Role Based Access Control Administrator" definition at
# the target scope. Only looked up when delegation is requested, i.e. when at
# least one delegable role is configured; otherwise no instance is created.
data "azurerm_role_definition" "rbac_admin" {
  for_each = length(var.delegable_roles) == 0 ? {} : { this = true }

  scope = var.scope
  name  = "Role Based Access Control Administrator"
}
# Resolve every delegable role name to its role definition at var.scope so its
# GUID can be embedded in the RBAC Administrator assignment condition.
# Keyed by role name (set semantics: duplicates collapse).
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)

  scope = var.scope
  name  = each.key
}
# Direct assignment of each requested role (by name) to the principal at var.scope.
resource "azurerm_role_assignment" "role" {
  for_each = toset(var.roles)

  scope                = var.scope
  role_definition_name = each.key
  principal_id         = var.principal_id
  principal_type       = var.principal_type

  # NOTE(review): disables the provider's pre-flight existence check for service
  # principals — presumably to tolerate newly created principals; confirm this is
  # intended for every supported principal_type.
  skip_service_principal_aad_check = true
}
# Conditional "Role Based Access Control Administrator" assignment. Created only
# when delegable roles are configured, and restricted by local.rbac_admin_condition
# so the principal can create/delete role assignments only for those roles
# (and, depending on var.delegable_roles_to_sp_only, only for service principals).
resource "azurerm_role_assignment" "rbac_admin" {
  for_each = length(var.delegable_roles) == 0 ? {} : { this = true }

  scope              = var.scope
  role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
  principal_id       = var.principal_id
  principal_type     = var.principal_type

  # NOTE(review): same pre-flight check skip as azurerm_role_assignment.role;
  # confirm it is intended here as well.
  skip_service_principal_aad_check = true

  # ABAC condition and the condition-language version it is written against.
  condition_version = "2.0"
  condition         = local.rbac_admin_condition
}