Azure RM Simple IAM module
This module creates Azure RBAC role assignments for a given set of scopes and a principal.
It can also assign the Role Based Access Control Administrator role with an ABAC condition attached, so that the principal may only write or delete roleAssignments whose role definition is in a selected set of delegable roles.
The constrained RBAC Administrator assignment is created only when delegable_roles is non-empty.
Usage
```hcl
module "iam" {
  source       = "../modules/simple-iam"
  scopes       = [data.azurerm_subscription.current.id]
  principal_id = azuread_service_principal.sp.object_id

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  # Optional
  principal_type = "ServicePrincipal"
}
```
Inputs
scopes (list(string)): Scope IDs at which to assign roles.
principal_id (string): Object ID of the principal.
roles (list(string)): Unconditional role definition names to assign at each scope in scopes.
delegable_roles (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
principal_type (string): Passed to azurerm_role_assignment.principal_type.
delegable_roles_to_sp_only (bool): When true, the RBAC Admin delegation can only assign or delete roles for principals of type ServicePrincipal.
Outputs
role_assignment_ids (map(string))
rbac_admin_role_assignment_id (map(string))
rbac_admin_condition (string|null)
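The following is an added illustration, not the module's own source, of how the constrained RBAC Administrator assignment described above can be built in Terraform: the delegable role names are resolved to role definition GUIDs, the ABAC condition allows roleAssignments write/delete only for those GUIDs (optionally only for ServicePrincipal principals), and the assignment is skipped when delegable_roles is empty. The variable names match the module inputs; the data source and local names are assumptions.

```hcl
# Resolve each delegable role name to its role definition GUID (looked up at the first scope).
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)
  name     = each.value
  scope    = var.scopes[0]
}

locals {
  # Quoted, comma-separated GUID list used inside the ABAC GuidEquals set.
  delegable_guid_set = join(", ", [
    for r in data.azurerm_role_definition.delegable : "'${r.role_definition_id}'"
  ])

  # Optional extra constraint: only ServicePrincipal targets may be assigned/unassigned.
  sp_only_write  = var.delegable_roles_to_sp_only ? " AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase 'ServicePrincipal'" : ""
  sp_only_delete = var.delegable_roles_to_sp_only ? " AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] StringEqualsIgnoreCase 'ServicePrincipal'" : ""

  # Condition: any action other than roleAssignments write/delete passes through unchanged;
  # write/delete is permitted only when the role definition is in the delegable set.
  rbac_admin_condition = length(var.delegable_roles) == 0 ? null : <<-EOT
    ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guid_set}}${local.sp_only_write}))
    AND
    ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guid_set}}${local.sp_only_delete}))
  EOT
}

# Constrained RBAC Administrator assignment, one per scope, created only when a condition exists.
resource "azurerm_role_assignment" "rbac_admin" {
  for_each = local.rbac_admin_condition == null ? toset([]) : toset(var.scopes)

  scope                = each.value
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.principal_id
  principal_type       = var.principal_type
  condition_version    = "2.0"
  condition            = local.rbac_admin_condition
}

output "rbac_admin_condition" {
  value = local.rbac_admin_condition
}
```

Because the delete branch evaluates the existing assignment via @Resource rather than the request, the principal also cannot remove assignments outside the delegable set, which is the property that keeps the delegation from being escalated.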