105 lines
3.3 KiB
HCL
105 lines
3.3 KiB
HCL
locals {
|
|
lookup_scope = var.scopes[0]
|
|
|
|
allowed_role_definition_ids_list = join(", ", [
|
|
for name in var.delegable_roles :
|
|
basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
|
|
])
|
|
|
|
role_assignments = {
|
|
for entry in flatten([
|
|
for scope in var.scopes : [
|
|
for role in var.roles : {
|
|
key = "${scope}:${role}"
|
|
scope = scope
|
|
role = role
|
|
}
|
|
]
|
|
]) :
|
|
entry.key => {
|
|
scope = entry.scope
|
|
role = entry.role
|
|
}
|
|
}
|
|
|
|
rbac_admin_write_constraint_role_definition_ids = "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
|
|
rbac_admin_delete_constraint_role_definition_ids = "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}"
|
|
|
|
rbac_admin_write_constraint_principal_type = "@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
|
|
rbac_admin_delete_constraint_principal_type = "@Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEquals {'ServicePrincipal'}"
|
|
|
|
rbac_admin_write_constraint = (
|
|
var.delegable_roles_to_sp_only ?
|
|
"(${local.rbac_admin_write_constraint_role_definition_ids} AND ${local.rbac_admin_write_constraint_principal_type})" :
|
|
"(${local.rbac_admin_write_constraint_role_definition_ids})"
|
|
)
|
|
|
|
rbac_admin_delete_constraint = (
|
|
var.delegable_roles_to_sp_only ?
|
|
"(${local.rbac_admin_delete_constraint_role_definition_ids} AND ${local.rbac_admin_delete_constraint_principal_type})" :
|
|
"(${local.rbac_admin_delete_constraint_role_definition_ids})"
|
|
)
|
|
|
|
rbac_admin_condition = <<-EOT
|
|
(
|
|
(
|
|
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
|
|
)
|
|
OR
|
|
(
|
|
${local.rbac_admin_write_constraint}
|
|
)
|
|
)
|
|
AND
|
|
(
|
|
(
|
|
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
|
|
)
|
|
OR
|
|
(
|
|
${local.rbac_admin_delete_constraint}
|
|
)
|
|
)
|
|
EOT
|
|
}
|
|
|
|
data "azurerm_role_definition" "rbac_admin" {
|
|
for_each = length(var.delegable_roles) > 0 ? { this = true } : {}
|
|
|
|
name = "Role Based Access Control Administrator"
|
|
scope = local.lookup_scope
|
|
}
|
|
|
|
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
|
|
|
|
for_each = toset(var.delegable_roles)
|
|
|
|
name = each.value
|
|
scope = local.lookup_scope
|
|
}
|
|
|
|
resource "azurerm_role_assignment" "role" {
|
|
|
|
for_each = local.role_assignments
|
|
|
|
scope = each.value.scope
|
|
role_definition_name = each.value.role
|
|
principal_id = var.principal_id
|
|
principal_type = var.principal_type
|
|
skip_service_principal_aad_check = true
|
|
}
|
|
|
|
resource "azurerm_role_assignment" "rbac_admin" {
|
|
|
|
for_each = length(var.delegable_roles) > 0 ? toset(var.scopes) : toset([])
|
|
|
|
scope = each.value
|
|
role_definition_id = data.azurerm_role_definition.rbac_admin["this"].id # Role Based Access Control Administrator
|
|
principal_id = var.principal_id
|
|
principal_type = var.principal_type
|
|
skip_service_principal_aad_check = true
|
|
|
|
condition_version = "2.0"
|
|
condition = local.rbac_admin_condition
|
|
}
|