Add support for adding role assignments to the keyvault

schubergphilis · Jan 29, 2025 · 9d80603 · 9d80603
1 parent 59fa898
commit 9d80603
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -36,6 +36,15 @@ resource "azurerm_role_assignment" "this" {
   principal_id         = data.azurerm_client_config.current.object_id
 }
 
+resource "azurerm_role_assignment" "additional" {
+  for_each = var.key_vault_role_assignments
+
+  scope                = azurerm_key_vault.this.id
+  role_definition_name = each.value.role_definition_name
+  principal_id         = each.value.principal_id
+  description          = each.value.description
+}
+
 resource "azurerm_key_vault_key" "cmkrsa" {
   count = var.key_vault.cmk_keys_create ? 1 : 0
 

diff --git a/variables.tf b/variables.tf
@@ -125,3 +125,24 @@ variable "tags" {
   description = "A mapping of tags to assign to the resources."
   type        = map(string)
 }
+
+variable "role_assignments" {
+  type = map(object({
+    role_definition_name = string
+    principal_id         = string
+    description         = optional(string, null)
+    condition          = optional(string, null)
+    condition_version  = optional(string, null)
+  }))
+  default     = {}
+  description = <<ROLE_ASSIGNMENTS
+This map describes the role assignments to create for the Key Vault.
+
+Each entry in the map supports the following arguments:
+- `role_definition_name` - (Required) The name of the role definition to assign
+- `principal_id` - (Required) The ID of the principal to assign the role to
+- `description` - (Optional) Description of the role assignment
+
+Example:
+ROLE_ASSIGNMENTS
+}