63 lines
1.7 KiB
HCL
63 lines
1.7 KiB
HCL
locals {
|
|
|
|
allowed_role_definition_ids_list = join(", ", [
|
|
for name in var.delegable_roles :
|
|
basename(data.azurerm_role_definition.allowed_for_rbac_admin_condition[name].id)
|
|
])
|
|
|
|
rbac_admin_condition = <<-EOT
|
|
(
|
|
(
|
|
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
|
|
)
|
|
OR
|
|
(
|
|
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
|
|
)
|
|
)
|
|
AND
|
|
(
|
|
(
|
|
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
|
|
)
|
|
OR
|
|
(
|
|
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_definition_ids_list}}
|
|
)
|
|
)
|
|
EOT
|
|
}
|
|
|
|
data "azurerm_role_definition" "allowed_for_rbac_admin_condition" {
|
|
|
|
for_each = toset(var.delegable_roles)
|
|
|
|
name = each.value
|
|
scope = var.scope
|
|
}
|
|
|
|
resource "azurerm_role_assignment" "role" {
|
|
|
|
for_each = toset(var.roles)
|
|
|
|
scope = var.scope
|
|
role_definition_name = each.value
|
|
principal_id = var.principal_id
|
|
principal_type = var.principal_type
|
|
skip_service_principal_aad_check = var.skip_service_principal_aad_check
|
|
}
|
|
|
|
resource "azurerm_role_assignment" "rbac_admin" {
|
|
|
|
count = length(var.delegable_roles) > 0 ? 1 : 0
|
|
|
|
scope = var.scope
|
|
role_definition_name = "Role Based Access Control Administrator"
|
|
principal_id = var.principal_id
|
|
principal_type = var.principal_type
|
|
skip_service_principal_aad_check = var.skip_service_principal_aad_check
|
|
|
|
condition_version = "2.0"
|
|
condition = local.rbac_admin_condition
|
|
}
|