diff --git a/terraform/azure-devops/create-service-connection/main.tf b/terraform/azure-devops/create-service-connection/main.tf
index 0852f6b..9df0869 100644
--- a/terraform/azure-devops/create-service-connection/main.tf
+++ b/terraform/azure-devops/create-service-connection/main.tf
@@ -85,12 +85,26 @@ module azure_access {
     azurerm = azurerm.target
   }
   source = "./modules/azure-access"
-  create_role_assignment = !var.azdo_creates_identity
+  # create_role_assignment = !var.azdo_creates_identity
+  create_role_assignment = true
   identity_object_id = local.principal_id
   resource_id = local.azure_scope
   role = var.azure_role
 }
 
+module azure_role_assignments {
+  providers = {
+    azurerm = azurerm.target
+  }
+  source = "./modules/azure-access"
+  create_role_assignment = !var.azdo_creates_identity
+  identity_object_id = local.principal_id
+  resource_id = each.value.scope
+  role = each.value.role
+
+  for_each = { for ra in var.azure_role_assignments : format("%s-%s", ra.scope, ra.role) => ra }
+}
+
 module service_connection {
   source = "./modules/service-connection"
   application_id = local.application_id
diff --git a/terraform/azure-devops/create-service-connection/variables.tf b/terraform/azure-devops/create-service-connection/variables.tf
index 0870ae7..455a5f9 100644
--- a/terraform/azure-devops/create-service-connection/variables.tf
+++ b/terraform/azure-devops/create-service-connection/variables.tf
@@ -24,6 +24,12 @@ variable azure_role {
   nullable = false
 }
 
+variable azure_role_assignments {
+  default = []
+  nullable = true
+  type = set(object({scope=string, role=string}))
+}
+
 variable create_federation {
   description = "Use workload identity federation instead of a App Registration secret"
   default = true
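Review bot: `create_role_assignment = true` on the `azure_access` module drops the `!var.azdo_creates_identity` gate, while the new `azure_role_assignments` module keeps that same gate, so the two modules now disagree about when a role assignment is created and the commented-out line above it is dead code. If always assigning is intended, delete the commented line and add a one-line comment stating why the gate no longer applies; otherwise restore `create_role_assignment = !var.azdo_creates_identity`. Note that `azure_role_assignments` grants whatever role on whatever scope arrives through `var.azure_role_assignments`, so the identity's effective permissions become the union of `var.azure_role` on `local.azure_scope` plus every entry in that set; keeping the set reviewed and minimal is the least-privilege lever here. As a point of style, `for_each` is a meta-argument and is conventionally the first line of the block rather than trailing the arguments. The `azure_access` block opens before the first line of this hunk.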
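Review bot: `nullable = true` on the new `azure_role_assignments` variable means a caller can pass `null`, and the `for ra in var.azure_role_assignments` expression in main.tf then fails at plan time with an iteration-over-null error; the sibling `azure_role` variable visible in context uses `nullable = false`, so this one should match. The variable also lacks a `description`, unlike `create_federation` below it, and since each entry translates directly into an Azure role assignment a `validation` block rejecting empty `scope`/`role` strings catches malformed input before it reaches the provider. Proposed block:
```hcl
variable azure_role_assignments {
  description = "Additional (scope, role) pairs assigned to the service connection identity, in addition to azure_role on the main scope"
  default     = []
  nullable    = false
  type        = set(object({ scope = string, role = string }))

  validation {
    condition     = alltrue([for ra in var.azure_role_assignments : ra.scope != "" && ra.role != ""])
    error_message = "Each azure_role_assignments entry must have a non-empty scope and role."
  }
}
```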