Skip to content
/ terraform-azurerm-rbac Public

Module to create rbac assignments ands azuread security groups

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Noahnc/terraform-azurerm-rbac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
meta.tf
meta.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Azure RBAC-Policy

Module for assigning azure rbac role definitions. The module allows you to assign multiple role_definitions over multiple scopes to multiple principle_ids or a single security group. The module is therefore highly flexible and can be used to create lots of rbac rules at once.

Requirements

In order for the module to be able to create AzureAD security groups, the user used by azurerm needs the following permissions in AzureAD:

  • Group.ReadWrite.All
  • Directory.ReadWrite.All

Example

The following example creates a security group and assigns it the roles "Contributor" and "Reader" over the scope of a resource group:

module "example_rbac_security_group" {
  source  = "Noahnc/rbac/azurerm"
  version = "1.0.1"
  scopes = {
    rg = <ressource_group_id>
  }
  azuread_security_group = {
    name    = "test_rbac"
    member_upns = ["peter.muster@example.ch", "hans.muster@example.ch"]
  }
  role_definitions = ["Contributor", "Reader"]
}

The following example assigns the role "DNS Zone Contributor" to a managed identity over the scope of two subscriptions:

module "example_rbac_prinicpal_ids" {
  source  = "Noahnc/rbac/azurerm"
  version = "1.0.1"
  scopes = {
    subscription_1 = <subscription_id1>
    subscription_2 = <subscription_id2>
  }
  principal_ids = {
    managed_identity = <managged_identity_id>
  }
  role_definitions = ["DNS Zone Contributor", "Reader"]
}

It is also possible to assign roles to the security group created within another module block:

module "example_rbac_include_sub_group" {
  source  = "Noahnc/rbac/azurerm"
  version = "1.0.1"
  scopes = {
    subscription_1 = <subscription_id1>
  }
  azuread_security_group = {
    name    = "test_rbac_include"
    member_upns = ["peter.muster@example.ch", "hans.muster@example.ch"]
    member_object_ids = [module.example_rbac_security_group.azuread_security_group_object_id]
  }
  role_definitions = ["KeyVautl Administrator"]
}

The Input for Scopes and principal_ids can also be generated with for loops on the fly:

module "example_rbac_prinicpal_ids" {
  source  = "Noahnc/rbac/azurerm"
  version = "1.0.1"
  scopes = {for key, value in azurerm_subscription.main : value.name => value.id}
  principal_ids = {for key, value in azurerm_user_assigned_identity.main : value.name => value.principal_id}
  role_definitions = ["DNS Zone Contributor", "Reader"]
}

NOTE: The Key of the scopes and principal_ids map can be freely chosen, they are only used to generate unique terraform for_each keys.

About

Module to create rbac assignments ands azuread security groups

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 3

v1.0.2 Latest
Sep 9, 2023
+ 2 releases

Packages

No packages published

Languages