
cyber-scot/terraform-azurerm-role-definition


# One custom role definition per entry in var.roles that has create_role set.
# Keyed by role name so plan/apply addresses are stable across list reordering.
resource "azurerm_role_definition" "custom" {
  for_each = { for r in var.roles : r.name => r if r.create_role == true }

  name        = each.value.name
  description = each.value.description
  # Scope at which the definition is created; assignable_scopes is left at the
  # provider default, so the role can only be assigned at or below this scope.
  scope = each.value.definition_scope

  # Each entry in permissions becomes one permissions block. The optional
  # attributes are read with lookup() so a missing key yields an empty list.
  dynamic "permissions" {
    for_each = each.value.permissions
    iterator = perm
    content {
      actions          = lookup(perm.value, "actions", [])
      not_actions      = lookup(perm.value, "not_actions", [])
      data_actions     = lookup(perm.value, "data_actions", [])
      not_data_actions = lookup(perm.value, "not_data_actions", [])
    }
  }
}

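# One role assignment per entry in var.roles unless assign is explicitly false.
#
# Two defects fixed against the original:
#  - `assign` is declared optional(bool), so an omitted value is null, not
#    missing; lookup() then returned null and the for-expression `if` failed
#    ("condition value is null"). coalesce() treats null as "assign by default".
#  - The original always referenced azurerm_role_definition.custom[each.key],
#    which does not exist when create_role is false, and bound the assignment by
#    name, which is ambiguous if another role of the same name exists at a
#    different scope. The assignment now uses the definition's resource id when
#    the role was created here, and otherwise falls back to built_in_role_id
#    (declared in var.roles; presumably intended for this purpose — confirm).
resource "azurerm_role_assignment" "custom" {
  for_each = { for role in var.roles : role.name => role if coalesce(role.assign, true) }

  scope        = each.value.assignment_scope
  principal_id = each.value.principal_id

  # Exactly one of role_definition_id / role_definition_name may be set; bind by
  # id so the assignment targets precisely the definition managed by this module.
  role_definition_id = each.value.create_role ? azurerm_role_definition.custom[each.key].role_definition_resource_id : each.value.built_in_role_id
}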

Requirements

No requirements.

Providers

Name Version
azurerm n/a

Modules

No modules.

Resources

Name Type
azurerm_role_assignment.custom resource
azurerm_role_definition.custom resource

Inputs

Name Description Type Default Required
roles The roles to be created and optionally assigned
list(object({
create_role = bool
assign = optional(bool)
name = string
description = string
definition_scope = string
principal_id = string
permissions = list(object({
actions = list(string)
not_actions = optional(list(string))
data_actions = optional(list(string))
not_data_actions = optional(list(string))
}))
assignment_scope = string
built_in_role_id = optional(string)
}))
[] no

Outputs

Name Description
role_assignments Map of created custom role assignments.
role_definitions Map of created custom role definitions.