
TheSoftwareHouse/terraform-azurerm-role-assignment


terraform-role-assignment

Assign roles to users, groups and service principals

This Terraform module assigns BUILT-IN Azure RBAC roles, referenced by role name, to users, groups and service principals. Users, groups and service principals are resolved to object IDs through the azuread provider, so the identity running Terraform needs read access to the directory as well as permission to write role assignments at each target scope (Microsoft.Authorization/roleAssignments/write, which the Owner and User Access Administrator roles carry).

Usage

NOTE: Assigning the same role to the same user, group or service principal at the same scope more than once across the list is merged into a single role assignment (Azure rejects a duplicate assignment of the same role, principal and scope), so when you do:

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      user_principal_names = ["user1@contoso.com"]
      role_names           = ["Reader", "Web Plan Contributor"]
      scope                = azurerm_resource_group.this.id
    },
    {
      user_principal_names = ["user1@contoso.com", "user2@contoso.com"]
      role_names           = ["Reader", "Owner"]
      scope                = azurerm_resource_group.this.id
    }
  ]
}

The role Reader will be assigned to user1@contoso.com at that scope only once. Note that the second entry also grants Owner to both users: Owner includes Microsoft.Authorization/roleAssignments/write, so those users can then grant any role at that scope to any principal. Prefer the narrowest built-in role that covers the task.
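One way the merge described above can be implemented, shown here as an added illustration rather than the module's own source: every (principal, role, scope) combination is expanded, keyed on the full triple, and collapsed before any azurerm_role_assignment is created. Only the user_principal_names path is shown; group and service-principal inputs would follow the same pattern with their own data sources. The variable shape, provider versions and resource names are assumptions for this example.

```hcl
terraform {
  required_version = ">= 1.3.1"
  required_providers {
    azuread = { source = "hashicorp/azuread", version = ">= 2.37" }
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.33" }
  }
}

# Assumed input shape: same fields as the module's role_assignments, users only.
variable "role_assignments" {
  type = list(object({
    user_principal_names = optional(list(string), [])
    role_names           = list(string)
    scope                = string
  }))
}

locals {
  # Expand every (user, role, scope) combination across all list entries.
  user_role_pairs = flatten([
    for ra in var.role_assignments : [
      for upn in ra.user_principal_names : [
        for role in ra.role_names : {
          upn   = upn
          role  = role
          scope = ra.scope
        }
      ]
    ]
  ])

  # Group by the full triple (case-insensitive, since UPNs and role names are
  # case-insensitive in Azure) and keep the first occurrence of each group, so
  # a repeated combination yields exactly one for_each key and one assignment.
  user_role_assignments = {
    for key, pairs in {
      for p in local.user_role_pairs :
      lower("${p.upn}|${p.role}|${p.scope}") => p...
    } : key => pairs[0]
  }
}

# Resolve each distinct UPN once; toset() drops repeated UPNs.
data "azuread_user" "this" {
  for_each            = toset([for p in local.user_role_pairs : p.upn])
  user_principal_name = each.value
}

resource "azurerm_role_assignment" "users" {
  for_each             = local.user_role_assignments
  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = data.azuread_user.this[each.value.upn].object_id
}

# Handy for inspecting the merged set in `terraform plan` or `terraform console`.
output "user_role_assignment_keys" {
  value = sort(keys(local.user_role_assignments))
}
```

With the two-entry input from the note above, user_role_assignment_keys contains five keys (Reader, Web Plan Contributor and Owner for user1, Reader and Owner for user2): the repeated Reader for user1 collapses into one map entry, and therefore one role assignment.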

Assign roles to users

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      user_principal_names = ["user1@contoso.com", "user2@contoso.com"]
      role_names           = ["Reader", "Web Plan Contributor"]
      scope                = azurerm_resource_group.this.id
    }
  ]
}

Assign roles to groups

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      group_names = ["group1", "group2", "group3"]
      role_names  = ["Reader", "Web Plan Contributor"]
      scope       = azurerm_resource_group.this.id
    }
  ]
}

Assign roles to service principals

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      sp_names   = ["spname1", "spname2", "spname3"]
      role_names = ["Reader", "Web Plan Contributor"]
      scope      = azurerm_resource_group.this.id
    }
  ]
}

Assign roles to principals by object ID. Use this when you already hold the principal's object ID (for example a managed identity's principal_id) rather than resolving a service principal by display name; the ID is passed straight to azurerm_role_assignment, so a wrong or nonexistent ID is only rejected by Azure at apply time, not at plan time.

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      principal_ids = ["00000000-0000-0000-0000-000000000000"]
      role_names    = ["Reader", "Web Plan Contributor"]
      scope         = azurerm_resource_group.this.id
    }
  ]
}
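As an added example that is not part of the module's documentation, the following root module wires a freshly created user-assigned managed identity into principal_ids and scopes a single data-plane role to one storage account instead of granting a broad role on the whole resource group. The resource names, location and storage account name are assumptions; principal_id is the attribute azurerm_user_assigned_identity exports for the identity's service principal object ID.

```hcl
terraform {
  required_version = ">= 1.3.1"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.33" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed names and location for this example.
resource "azurerm_resource_group" "this" {
  name     = "rg-role-assignment-example"
  location = "westeurope"
}

resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-example"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_storage_account" "data" {
  name                     = "stroleassignexample01" # must be globally unique
  resource_group_name      = azurerm_resource_group.this.name
  location                 = azurerm_resource_group.this.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

module "role_assignments" {
  source = "retoxx-dev/role-assignment/azurerm"

  role_assignments = [
    {
      # The managed identity's service principal object ID, taken from the
      # resource above, so no azuread lookup is needed.
      principal_ids = [azurerm_user_assigned_identity.app.principal_id]

      # Read-only data-plane role, scoped to this one account rather than
      # Contributor or Owner on the resource group.
      role_names = ["Storage Blob Data Reader"]
      scope      = azurerm_storage_account.data.id
    }
  ]
}
```

Because the identity is created in the same configuration, Terraform orders the role assignment after the identity exists; when the ID comes from outside (a variable or a data source), verify it resolves before apply, since the module performs no directory lookup on this path.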

Requirements

Name       Version
terraform  >= 1.3.1
azuread    >= 2.37
azurerm    >= 3.33

Providers

Name     Version
azuread  >= 2.37
azurerm  >= 3.33

Modules

No modules.

Resources

Name                                        Type
azurerm_role_assignment.groups              resource
azurerm_role_assignment.principal_ids       resource
azurerm_role_assignment.service_principals  resource
azurerm_role_assignment.users               resource
azuread_group.group_objects                 data source
azuread_service_principal.sp_objects        data source
azuread_user.user_objects                   data source

Inputs

Name              Description                     Type         Default  Required
role_assignments  The role assignments to create  (see below)  n/a      yes

Type of role_assignments:

  list(object({
    user_principal_names = optional(list(string), [])
    group_names          = optional(list(string), [])
    sp_names             = optional(list(string), [])
    principal_ids        = optional(list(string), [])
    role_names           = list(string)
    scope                = string
  }))

Outputs

No outputs.