switch from pim enabled to azuread_role_assignable

qbeyond · Aug 9, 2023 · 018a81f · 018a81f
1 parent d091ff6
commit 018a81f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -26,7 +26,7 @@ module "alz_rbac" {
 
   custom_groups = {
     "AMG_ALZ_OWNER" = {
-      pim_enabled = true
+      azuread_role_assignable = true
       role_assignments = {
         "Owner" = ["mg:alz"]
       }

diff --git a/main.tf b/main.tf
@@ -5,7 +5,7 @@ resource "azuread_group" "custom_groups" {
   display_name       = each.key
   description        = "Automatically generated by terraform"
   security_enabled   = true
-  assignable_to_role = tobool(each.value.pim_enabled)
+  assignable_to_role = tobool(each.value.azuread_role_assignable)
 }
 
 resource "azurerm_role_assignment" "custom_groups" {
@@ -21,7 +21,7 @@ resource "azuread_group" "subscription_owners" {
   display_name       = "SUB_${each.key}_OWNER"
   description        = "Automatically generated by terraform. Grants Owner permissions on ${each.key} subscription."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "subscription_owners" {
   for_each             = var.subscriptions
@@ -35,7 +35,7 @@ resource "azuread_group" "subscription_contributors" {
   display_name       = "SUB_${each.key}_CONTRIBUTOR"
   description        = "Automatically generated by terraform. Grants Contributor permissions on ${each.key} subscription."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "subscription_contributors" {
   for_each             = var.subscriptions
@@ -63,7 +63,7 @@ resource "azuread_group" "management_owners" {
   display_name       = "AMG_${each.key}_OWNER"
   description        = "Automatically generated by terraform. Grants Owner permissions on ${each.value.display_name} management group."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "management_owners" {
   for_each             = var.management_groups
@@ -77,7 +77,7 @@ resource "azuread_group" "management_contributors" {
   display_name       = "AMG_${each.key}_CONTRIBUTOR"
   description        = "Automatically generated by terraform. Grants Contributor permissions on ${each.value.display_name} management group."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "management_contributors" {
   for_each             = var.management_groups

diff --git a/variables.tf b/variables.tf
@@ -20,13 +20,13 @@ variable "management_groups" {
 
 variable "custom_groups" {
   type = map(object({
-    pim_enabled      = optional(bool)
+    azuread_role_assignable = optional(bool)
     role_assignments = map(list(string))
   }))
   description = <<-DOC
   ```
   "<group_name>" = {
-    pim_enabled         = optional(string)    (if you want the role assignment to be pimmable) 
+    azuread_role_assignable = optional(string)    (if you want to assign Azure AD roles to the group) 
     role_assignments = {
       "<role_assignment>" = [                 (must be a role_definition_name or role_definition_id from azure)
         "<scope>"                             (every element must be a scope: "mg:<mg_id>", "sub:<subscription_id>", "root" for Tenant Root Group or a full scope ID)