From a1ee9185b90ecb1c58daf4c040f0e2229e5fee7c Mon Sep 17 00:00:00 2001 From: Eric van Wijk Date: Sat, 20 Apr 2024 14:20:35 +0200 Subject: [PATCH 1/2] Create multiple role assignments --- .../create-service-connection/main.tf | 15 ++++++++++++++- .../create-service-connection/variables.tf | 8 +++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/terraform/azure-devops/create-service-connection/main.tf b/terraform/azure-devops/create-service-connection/main.tf index 0852f6b..524e0b6 100644 --- a/terraform/azure-devops/create-service-connection/main.tf +++ b/terraform/azure-devops/create-service-connection/main.tf @@ -85,12 +85,25 @@ module azure_access { azurerm = azurerm.target } source = "./modules/azure-access" - create_role_assignment = !var.azdo_creates_identity + create_role_assignment = !var.azdo_creates_identity && var.azure_role != null && var.azure_role != "" identity_object_id = local.principal_id resource_id = local.azure_scope role = var.azure_role } +module azure_role_assignments { + providers = { + azurerm = azurerm.target + } + source = "./modules/azure-access" + create_role_assignment = !var.azdo_creates_identity + identity_object_id = local.principal_id + resource_id = each.value.scope + role = each.value.role + + for_each = { for ra in var.azure_role_assignments : format("%s-%s", ra.scope, ra.role) => ra } +} + module service_connection { source = "./modules/service-connection" application_id = local.application_id diff --git a/terraform/azure-devops/create-service-connection/variables.tf b/terraform/azure-devops/create-service-connection/variables.tf index 0870ae7..11ca697 100644 --- a/terraform/azure-devops/create-service-connection/variables.tf +++ b/terraform/azure-devops/create-service-connection/variables.tf 
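Review bot: An entry in `azure_role_assignments` that repeats the default pair (`local.azure_scope`, `var.azure_role`) is created twice — once by `module azure_access` and once by the matching `module azure_role_assignments` instance — and, assuming `./modules/azure-access` wraps `azurerm_role_assignment`, the second create fails because Azure rejects a duplicate assignment for the same principal, role and scope. Filtering that pair out in the `for_each` keeps the two module blocks from colliding: `for_each = { for ra in var.azure_role_assignments : format("%s-%s", ra.scope, ra.role) => ra if !(ra.scope == local.azure_scope && ra.role == var.azure_role) }`. Because every entry hands the service connection's principal an arbitrary role at an arbitrary scope, the new module block should say so, e.g. `# Extra role assignments beyond azure_scope/azure_role; each entry widens what this service connection can do in Azure`. The `providers`/`source` context lines at the top of the hunk belong to `module azure_access`, whose block starts before the hunk.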
@@ -21,7 +21,13 @@ variable azure_scope { variable azure_role { default = "Contributor" - nullable = false + nullable = true +} + +variable azure_role_assignments { + default = [] + nullable = true + type = set(object({scope=string, role=string})) } variable create_federation { From cf3ff97d74b013878be095ca8230d2c8f9537817 Mon Sep 17 00:00:00 2001 From: Eric van Wijk Date: Sat, 20 Apr 2024 14:50:38 +0200 Subject: [PATCH 2/2] --- terraform/azure-devops/create-service-connection/main.tf | 3 ++- terraform/azure-devops/create-service-connection/variables.tf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/azure-devops/create-service-connection/main.tf b/terraform/azure-devops/create-service-connection/main.tf index 524e0b6..9df0869 100644 --- a/terraform/azure-devops/create-service-connection/main.tf +++ b/terraform/azure-devops/create-service-connection/main.tf @@ -85,7 +85,8 @@ module azure_access { azurerm = azurerm.target } source = "./modules/azure-access" - create_role_assignment = !var.azdo_creates_identity && var.azure_role != null && var.azure_role != "" + # create_role_assignment = !var.azdo_creates_identity + create_role_assignment = true identity_object_id = local.principal_id resource_id = local.azure_scope role = var.azure_role diff --git a/terraform/azure-devops/create-service-connection/variables.tf b/terraform/azure-devops/create-service-connection/variables.tf index 11ca697..455a5f9 100644 --- a/terraform/azure-devops/create-service-connection/variables.tf +++ b/terraform/azure-devops/create-service-connection/variables.tf @@ -21,7 +21,7 @@ variable azure_scope { variable azure_role { default = "Contributor" - nullable = true + nullable = false } variable azure_role_assignments {
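Review bot: `nullable = true` on the new `azure_role_assignments` variable lets a caller pass `null`, which `for ra in var.azure_role_assignments` in main.tf cannot iterate (Terraform reports an iteration-over-null error), so the default `[]` should be the only empty form and the variable should be `nullable = false`. The variable also has no `description`, although it is the knob that extends the identity's permissions beyond the single `azure_scope`/`azure_role` pair, and nothing rejects an entry with an empty `scope` or `role`, which would reach the role-assignment module unchecked. The block below adds the description, closes the null case and validates the entries; the role itself is deliberately left unconstrained here, but a `validation` rejecting privileged roles such as Owner is the natural place for a least-privilege policy if the project wants one. `variable azure_role` is only touched on its `nullable` line; `variable create_federation` at the end of the hunk continues outside it.
```hcl
variable azure_role_assignments {
  description = "Additional (scope, role) pairs granted to the service connection identity, in addition to azure_scope/azure_role. Each entry widens what the service connection can do."
  default     = []
  nullable    = false
  type        = set(object({ scope = string, role = string }))

  validation {
    condition     = alltrue([for ra in var.azure_role_assignments : ra.scope != "" && ra.role != ""])
    error_message = "Each azure_role_assignments entry needs a non-empty scope and role."
  }
}
```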
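Review bot: Hard-coding `create_role_assignment = true` in `module azure_access` drops the `!var.azdo_creates_identity` guard that the new commented-out line still shows, so the role assignment is now attempted even when Azure DevOps is the one creating the identity, where `local.principal_id` (defined outside the hunk) presumably is not known until the service connection exists. If the unconditional assignment is intended, the dead comment should go and the line needs a why-comment, e.g. `# Always assign: the azure-access module handles the azdo-created-identity case itself`; if it is a debugging leftover, restore `create_role_assignment = !var.azdo_creates_identity && var.azure_role != ""` (the `!= null` half is no longer needed once `azure_role` is back to `nullable = false` in this commit). This second commit also has no subject or description, which for a change that silently widens when permissions are granted is worth fixing before merge. The `module azure_access` block starts before the hunk.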