A Terraform module that creates a role assignment for the built-in Azure role Role Based Access Control Administrator, with a condition attached. That role lets the assignee manage Azure RBAC role assignments at the chosen scope; the condition limits which roles they may assign and to whom, so you can delegate assignment of, say, Reader without also handing out the ability to grant Owner. Attaching such a condition is easy in the Azure portal but rather awkward to configure in Terraform, and this module takes care of that (it creates a single `azapi_resource`).

Note that without a condition the assignee can assign any role, including Owner, to any principal, including themselves. Always enable one of the `constrain_*` options or supply a custom condition.

For more information on the role and the condition format, see the Azure documentation.
Each block below is a stand-alone example that enables a single constraint option; pick the one that matches how far you want to limit the delegate.

```hcl
# Constrain roles: the delegate may only assign the role given in role_id_to_assign (Reader here).
module "rbac_admin" {
  source = "<path or registry address of this module>"

  scope                                    = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_id_to_assign                        = "acdd72a7-3385-48ef-bd42-f606fba81ae7" # Reader
  object_id_to_be_added_to_rbac_admin_role = "00000000-0000-0000-0000-000000000000" # Object ID of the user to be added
  principal_type                           = "User"
  constrain_roles                          = true
}
```

```hcl
# Constrain roles and principal types: the delegate (a group here) may only assign Reader,
# and only to users and groups (service_principal_type is left at its default of false).
module "rbac_admin" {
  source = "<path or registry address of this module>"

  scope                                    = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_id_to_assign                        = "acdd72a7-3385-48ef-bd42-f606fba81ae7" # Reader
  object_id_to_be_added_to_rbac_admin_role = "00000000-0000-0000-0000-000000000000" # Object ID of the group to be added
  principal_type                           = "Group"
  user_type                                = true
  group_type                               = true
  constrain_roles_and_principal_types      = true
}
```

```hcl
# Constrain roles and principals: the delegate may only assign Reader, and only to the
# listed object IDs.
module "rbac_admin" {
  source = "<path or registry address of this module>"

  scope                                    = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_id_to_assign                        = "acdd72a7-3385-48ef-bd42-f606fba81ae7" # Reader
  object_id_to_be_added_to_rbac_admin_role = "00000000-0000-0000-0000-000000000000" # Object ID of the user to be added
  principal_type                           = "User"
  constrain_roles_and_principals           = true
  object_ids_that_can_be_given_the_role    = ["00000000-0000-0000-0000-000000000000", "00000000-0000-0000-0000-000000000001"]
}
```

```hcl
# Custom condition: supply the full condition expression yourself instead of using a
# constrain_* option.
module "rbac_admin" {
  source = "<path or registry address of this module>"

  scope                                    = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_id_to_assign                        = "acdd72a7-3385-48ef-bd42-f606fba81ae7" # Reader
  object_id_to_be_added_to_rbac_admin_role = "00000000-0000-0000-0000-000000000000" # Object ID of the user to be added
  principal_type                           = "User"
  enable_custom_condition                  = true
  custom_condition                         = "" # Replace with your complete condition expression (see the Azure documentation for the format)
}
```
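The following is an added example of `enable_custom_condition` with a real condition expression; it is not part of the module's own documentation or code. The condition text follows the format Azure uses for role-assignment conditions (condition version 2.0) and combines the three built-in constraints in one expression: the delegate may grant only the chosen role, only to the listed principals, and only to users or groups. It also covers the `roleAssignments/delete` action, so the delegate cannot remove assignments of other roles at the scope. The module source, the subscription ID and all object IDs are placeholders, and `role_id_to_assign` is assumed to be used by the module only for its built-in constraints.

```hcl
# Added example, not the module's own code. The module source and all GUIDs are placeholders.
locals {
  # Role the delegate is allowed to hand out: Reader (built-in role definition ID).
  delegated_role_id = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

  # Principals the delegate may grant that role to (placeholder object IDs).
  allowed_principals = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
  ]

  # Azure role-assignment condition, version 2.0. Read it as:
  #   (the request is not a roleAssignments/write)
  #     OR (the write is for the allowed role AND an allowed principal AND a User or Group)
  #   AND
  #   (the request is not a roleAssignments/delete)
  #     OR (the assignment being deleted is for the allowed role)
  # The delete clause matters: without it the delegate could remove any role assignment at scope.
  rbac_admin_condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegated_role_id}}
        AND
        @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {${join(", ", local.allowed_principals)}}
        AND
        @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegated_role_id}}
      )
    )
  EOT
}

module "rbac_admin_custom" {
  source = "<path or registry address of this module>"

  scope                                    = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_id_to_assign                        = local.delegated_role_id
  object_id_to_be_added_to_rbac_admin_role = "00000000-0000-0000-0000-000000000000" # the delegate (placeholder)
  principal_type                           = "User"
  description                              = "Delegated Reader assignment for the platform team"

  enable_custom_condition = true
  custom_condition        = local.rbac_admin_condition
}
```

After `terraform apply`, confirm the condition actually landed on the assignment rather than trusting the plan: run `az role assignment list --scope <scope>` and check that the entry for the delegate has its `condition` and `conditionVersion` fields populated. If you only constrain the role and not the principals, remember that the delegate can assign that role to themselves; that is harmless for Reader but not for roles such as Contributor.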
Requirements:

| Name | Version |
|---|---|
| terraform | ~>1.0 |
| azapi | ~>1.0 |

Providers:

| Name | Version |
|---|---|
| azapi | 1.12.0 |

Modules:

No modules.

Resources:

| Name | Type |
|---|---|
| azapi_resource.rbac_admin | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| object_id_to_be_added_to_rbac_admin_role | Object ID of the user, group or service principal that receives the Role Based Access Control Administrator role (the delegate). | string | n/a | yes |
| scope | Scope of the role assignment: a subscription, resource group or resource. Most commonly a subscription, for example `/subscriptions/00000000-0000-0000-0000-000000000000`. | string | n/a | yes |
| constrain_roles | Set to true to restrict the delegate so that it can only assign the role given in `role_id_to_assign`. | bool | false | no |
| constrain_roles_and_principal_types | Set to true to restrict the delegate so that it can only assign the role given in `role_id_to_assign`, and only to the principal types enabled with `user_type`, `group_type` and `service_principal_type`. | bool | false | no |
| constrain_roles_and_principals | Set to true to restrict the delegate so that it can only assign the role given in `role_id_to_assign`, and only to the principals listed in `object_ids_that_can_be_given_the_role`. | bool | false | no |
| custom_condition | Complete condition expression for the role assignment. Only used when `enable_custom_condition` is true. | string | "" | no |
| description | Description of the role assignment. Metadata only, not required. Example: "This role assignment is for..." | string | "" | no |
| enable_custom_condition | Set to true to attach the condition given in `custom_condition` instead of one of the built-in constraints. | bool | false | no |
| group_type | Only used when `constrain_roles_and_principal_types` is true. Set to true to allow the delegate to assign the role to groups. | bool | false | no |
| object_ids_that_can_be_given_the_role | Only used when `constrain_roles_and_principals` is true. Object IDs of the users, groups or service principals the delegate may assign the chosen role to. Example: `["00000000-0000-0000-0000-000000000000", "00000000-0000-0000-0000-000000000001"]` | list(string) | [] | no |
| principal_type | Type of the principal that receives the Role Based Access Control Administrator role: `User`, `Group` or `ServicePrincipal`. | string | "User" | no |
| role_id_to_assign | Role definition ID (GUID) of the role the delegate may assign to others, for example `acdd72a7-3385-48ef-bd42-f606fba81ae7` for Reader; Storage Blob Data Contributor, Virtual Machine Contributor or any other built-in or custom role work the same way. Must be set whenever one of the `constrain_*` options is enabled. | string | "" | no |
| service_principal_type | Only used when `constrain_roles_and_principal_types` is true. Set to true to allow the delegate to assign the role to service principals. | bool | false | no |
| user_type | Only used when `constrain_roles_and_principal_types` is true. Set to true to allow the delegate to assign the role to users. | bool | false | no |

Outputs:

No outputs.