variables.role_assignments.tf (45 lines of code) (raw):
# Each entry in this map becomes one role assignment created at
# `role_assignment_definition_scope`. Values left at their defaults are not
# sent to the API.
variable "role_assignments" {
  type = map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  }))
  default     = {}
  nullable    = false
  description = <<DESCRIPTION
A map of role assignments to create. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
- `principal_id` - The object ID of the principal to assign the role to.
- `description` - (Optional) The description of the role assignment.
- `skip_service_principal_aad_check` - (Optional) No effect when using AzAPI; the value is accepted but ignored.
- `condition` - (Optional) The ABAC condition used to scope the role assignment.
- `condition_version` - (Optional) The version of the condition syntax. Leave as `null` if you are not using a condition; if you are, the only valid value is `2.0`.
- `delegated_managed_identity_resource_id` - (Optional) The delegated Azure resource ID which contains a managed identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenarios.
- `principal_type` - (Optional) The type of the `principal_id`. Possible values are `User`, `Group` and `ServicePrincipal`. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the `PrincipalType` attribute.
DESCRIPTION
}
variable "role_assignment_definition_scope" {
  type        = string
  description = <<DESCRIPTION
The scope at which the role assignments should be created. Also used to look up role definitions by role name.
Must be specified when `role_assignments` are defined.
DESCRIPTION
  default     = null

  # Referencing another variable (`var.role_assignments`) inside a validation
  # block requires Terraform 1.9 or later.
  validation {
    condition     = length(var.role_assignments) > 0 ? var.role_assignment_definition_scope != null : true
    error_message = "The role_assignment_definition_scope variable must be set when role_assignments are defined."
  }
}
variable "role_assignment_definition_lookup_enabled" {
  type        = bool
  description = <<DESCRIPTION
A control to disable the lookup of role definitions by name when creating role assignments.
If you disable this, every entry in `role_assignments` must supply a `role_definition_id_or_name` that is a full role definition resource ID, not a role name.
DESCRIPTION
  default     = true
}
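As an added example (not part of the module's own code), here is a root module calling a module that exposes the three variables above, once with role-name lookup and an ABAC condition, and once with lookup disabled and a full role definition ID. The module source path, the user-assigned identity, the subscription and resource group IDs and the container name are assumptions chosen for illustration.

```hcl
# Added example, not part of the module. The module source, the identity and
# all IDs below are placeholders (assumptions).

locals {
  # Scope at which the assignments are created and role names are resolved.
  # Placeholder subscription ID.
  scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
}

resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app"
  location            = "westeurope"
  resource_group_name = "rg-app"
}

module "storage" {
  source = "./modules/storage" # assumption: a module declaring the variables above

  role_assignment_definition_scope = local.scope

  role_assignments = {
    # Keys are arbitrary but must be known at plan time: use a literal string,
    # never something derived from another resource's attributes.
    app_blob_reader = {
      role_definition_id_or_name = "Storage Blob Data Reader" # resolved by name at local.scope
      principal_id               = azurerm_user_assigned_identity.app.principal_id
      # Set explicitly so the assignment still works when the deploying
      # principal is itself limited by an ABAC rule on PrincipalType.
      principal_type = "ServicePrincipal"
      description    = "Read-only access to the public-assets container"
      # Least-privilege ABAC condition: the blob read action is allowed only
      # inside one container. Any other action the role grants is left as-is.
      condition_version = "2.0"
      condition         = <<-EOT
        (
          (
            !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
          )
          OR
          (
            @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'public-assets'
          )
        )
      EOT
    }
  }
}

# Same assignment with name lookup disabled: the caller must pass a full role
# definition resource ID. Verify the GUID for your tenant with
# `az role definition list --name "Storage Blob Data Reader"` before relying on it.
module "storage_no_lookup" {
  source = "./modules/storage" # assumption

  role_assignment_definition_scope          = local.scope
  role_assignment_definition_lookup_enabled = false

  role_assignments = {
    app_blob_reader = {
      role_definition_id_or_name = "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
      principal_id               = azurerm_user_assigned_identity.app.principal_id
      principal_type             = "ServicePrincipal"
    }
  }
}
```

Two points worth checking before applying this: `condition_version` has to be `2.0` whenever `condition` is non-null, and the condition is evaluated by Azure RBAC at request time, so a typo in an action or attribute name does not fail the plan; test the resulting access against a container the identity should not be able to read.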