# Azure RM Simple IAM module
This module creates Azure RBAC role assignments for a given scope and principal.
It also optionally assigns the **Role Based Access Control Administrator** role with an ABAC condition that limits role-assignment write and delete operations to a selected set of delegable roles.
The constrained RBAC Administrator assignment is created only when `delegable_roles` is non-empty.
## Usage
```hcl
module "iam" {
  source = "../modules/simple-iam"

  scopes       = [data.azurerm_subscription.current.id]
  principal_id = azuread_service_principal.sp.object_id

  roles = [
    "Contributor",
  ]

  delegable_roles = [
    "Storage Blob Data Contributor",
    "Key Vault Secrets Officer",
    "Key Vault Certificates Officer",
  ]

  # Optional
  principal_type = "ServicePrincipal"
}
```

## Inputs
- `scopes` (list(string)): Scope IDs at which to assign roles.
- `principal_id` (string): Object ID of the principal.
- `roles` (list(string)): Unconditional role definition names to assign at each scope in `scopes`.
- `delegable_roles` (list(string)): Role definition names allowed by the constrained RBAC Admin condition. When empty, RBAC Admin is not assigned.
- `principal_type` (string): Passed to `azurerm_role_assignment.principal_type`.
- `delegable_roles_to_sp_only` (bool): When true, RBAC Admin delegation can only assign/delete roles to principals of type ServicePrincipal.
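
The constrained RBAC Administrator assignment that `delegable_roles` and `delegable_roles_to_sp_only` drive, written out as an added example of how it can be expressed with the azurerm provider (this is not the module's own source). It assumes the inputs above exist as `var.scopes`, `var.principal_id`, `var.principal_type`, `var.delegable_roles` and `var.delegable_roles_to_sp_only`, and that role names resolve to built-in roles.

```hcl
# Resolve each delegable role name to its definition GUID; the ABAC condition
# compares GUIDs, not display names.
data "azurerm_role_definition" "delegable" {
  for_each = toset(var.delegable_roles)
  name     = each.value
}

locals {
  delegable_guids = join(", ", [
    for rd in data.azurerm_role_definition.delegable : rd.role_definition_id
  ])

  # Optional narrowing: the delegate may only target ServicePrincipal principals.
  sp_write  = var.delegable_roles_to_sp_only ? " AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""
  sp_delete = var.delegable_roles_to_sp_only ? " AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}" : ""

  # Each clause reads "not this action OR the role (and principal type) is allowed":
  # writes are checked against the request, deletes against the existing assignment.
  rbac_admin_condition_body = <<-EOT
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
      OR
      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.sp_write})
    )
    AND
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
      OR
      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guids}}${local.sp_delete})
    )
  EOT

  # Null when nothing is delegable, matching the documented behaviour.
  rbac_admin_condition = length(var.delegable_roles) > 0 ? local.rbac_admin_condition_body : null
}

resource "azurerm_role_assignment" "rbac_admin" {
  # One assignment per scope, and none at all when delegable_roles is empty.
  for_each = length(var.delegable_roles) > 0 ? toset(var.scopes) : toset([])

  scope                = each.value
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.principal_id
  principal_type       = var.principal_type
  condition            = local.rbac_admin_condition
  condition_version    = "2.0"
}
```

Because the condition only constrains `roleAssignments/write` and `roleAssignments/delete`, the delegate keeps every other permission of the RBAC Administrator role unchanged; review `delegable_roles` with the same care as a direct Owner grant.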
## Outputs
- `role_assignment_ids` (map(string))
- `rbac_admin_role_assignment_id` (map(string))
- `rbac_admin_condition` (string|null)