# Scenario: Multiple principals with different role assignments at the same scope
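# Principals to be assigned roles at one shared scope, keyed by a stable label.
# The key is also the for_each key of module.simple_iam, so renaming a key
# replaces that principal's assignments instead of updating them in place.
variable "principals" {
  type = map(object({
    # Display label for the principal; not an object ID. Note that the module
    # call reads each.value.principal_id, which this object type does not
    # declare — see the comment on that call.
    principal_name = string
    # Azure RBAC principal type: User, Group or ServicePrincipal.
    principal_type = string
    # Role definition names to assign at the scope.
    roles = list(string)
    # Defaulted to [] (instead of null) so consumers always receive a list.
    # Semantics are defined by the module; presumably roles this principal may
    # delegate, and roles it must never be granted — confirm against the
    # module's own variables.
    delegable_roles  = optional(list(string), [])
    restricted_roles = optional(list(string), [])
  }))

  # Fail at plan time on a principal_type the role assignment would reject anyway.
  validation {
    condition = alltrue([
      for p in var.principals : contains(["User", "Group", "ServicePrincipal"], p.principal_type)
    ])
    error_message = "principal_type must be one of User, Group or ServicePrincipal."
  }

  default = {
    # NOTE(review): the "sp-" prefix suggests a service principal, but the
    # declared type is "User" — confirm this is intended for the scenario.
    principal1 = {
      principal_name = "sp-principal1"
      principal_type = "User"
      roles          = ["Reader"]
    }
    principal2 = {
      principal_name = "sg-admins"
      principal_type = "Group"
      roles          = ["Contributor"]
    }
    # Owner is requested while Owner is also listed as restricted, together with
    # the two other roles that can grant access to others. Presumably this
    # entry exercises how the module handles a restricted role that is also
    # requested — confirm the expected outcome.
    principal3 = {
      principal_name = "john.doe@example.com"
      principal_type = "User"
      roles          = ["Owner"]
      restricted_roles = [
        "Owner",
        "User Access Administrator",
        "Role Based Access Control Administrator"
      ]
    }
  }
}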
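# One module instance per entry in var.principals; every instance is scoped to
# the current subscription (data.azurerm_subscription.current is declared elsewhere).
module "simple_iam" {
  source   = "../modules/terraform-azurerm-simple-iam"
  for_each = var.principals

  scope = data.azurerm_subscription.current.id

  # NOTE(review): the object type of var.principals declares principal_name,
  # not principal_id, so this attribute reference has nothing to resolve to.
  # The argument name suggests the module wants a principal object ID, which a
  # display name cannot stand in for — confirm where the ID should come from.
  principal_id   = each.value.principal_id
  principal_type = each.value.principal_type
  roles          = each.value.roles

  # try() only catches evaluation errors. An unset optional attribute is null,
  # not an error, so try(null, []) would pass null to the module instead of an
  # empty list; test for null explicitly.
  delegable_roles  = each.value.delegable_roles != null ? each.value.delegable_roles : []
  restricted_roles = each.value.restricted_roles != null ? each.value.restricted_roles : []
}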