Merge pull request #4 from qbeyond/feature/separate-pim-from-role-ass…

…ignability Feature/separate pim from role assignability
qbeyond · Aug 9, 2023 · a01681a · a01681a
2 parents 3dbb847 + 901a189
commit a01681a
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,18 @@
+# Changelog
+All notable changes to this module will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.0.0] - 2023-08-09
+
+### Added
+ - Changelog
+
+### Changed
+ - renamed optional property "pim_enabled" to "azuread_role_assignable", since it is no longer a requirement for a pim enabled group 
+ - set parameter "assignable_to_role" to false in contributor and owner groups 
+
+### Removed
+
+### Fixed
diff --git a/README.md b/README.md
@@ -47,7 +47,7 @@ module "alz_rbac" {
 
   custom_groups = {
     "AMG_ALZ_OWNER" = {
-      pim_enabled = true
+      azuread_role_assignable = true
       role_assignments = {
         "Owner" = ["mg:alz"]
       }
@@ -67,7 +67,7 @@ module "alz_rbac" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_custom_groups"></a> [custom\_groups](#input\_custom\_groups) | <pre>"<group_name>" = {<br>    pim_enabled         = optional(string)    (if you want the role assignment to be pimmable) <br>    role_assignments = {<br>      "<role_assignment>" = [                 (must be a role_definition_name or role_definition_id from azure)<br>        "<scope>"                             (every element must be a scope: "mg:<mg_id>", "sub:<subscription_id>", "root" for Tenant Root Group or a full scope ID)<br>      ]<br>    }<br>}</pre> | <pre>map(object({<br>    pim_enabled      = optional(bool)<br>    role_assignments = map(list(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_custom_groups"></a> [custom\_groups](#input\_custom\_groups) | <pre>"<group_name>" = {<br>    azuread_role_assignable = optional(string)    (if you want to assign Azure AD roles to the group) <br>    role_assignments = {<br>      "<role_assignment>" = [                 (must be a role_definition_name or role_definition_id from azure)<br>        "<scope>"                             (every element must be a scope: "mg:<mg_id>", "sub:<subscription_id>", "root" for Tenant Root Group or a full scope ID)<br>      ]<br>    }<br>}</pre> | <pre>map(object({<br>    azuread_role_assignable = optional(bool)<br>    role_assignments = map(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_management_groups"></a> [management\_groups](#input\_management\_groups) | <pre>"<management_group_id>" = {                 (this variable is reusing the structure of the management groups for custom_landing_zones from the caf module )<br>    displayName = "<management_group_name>"<br>  }</pre> | <pre>map(object({<br>    display_name = string<br>  }))</pre> | `{}` | no |
 | <a name="input_subscriptions"></a> [subscriptions](#input\_subscriptions) | Mapping of subscription names to subscription IDs. | `map(string)` | `{}` | no |
 ## Outputs

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -26,7 +26,7 @@ module "alz_rbac" {
 
   custom_groups = {
     "AMG_ALZ_OWNER" = {
-      pim_enabled = true
+      azuread_role_assignable = true
       role_assignments = {
         "Owner" = ["mg:alz"]
       }

diff --git a/main.tf b/main.tf
@@ -5,7 +5,7 @@ resource "azuread_group" "custom_groups" {
   display_name       = each.key
   description        = "Automatically generated by terraform"
   security_enabled   = true
-  assignable_to_role = tobool(each.value.pim_enabled)
+  assignable_to_role = tobool(each.value.azuread_role_assignable)
 }
 
 resource "azurerm_role_assignment" "custom_groups" {
@@ -21,7 +21,7 @@ resource "azuread_group" "subscription_owners" {
   display_name       = "SUB_${each.key}_OWNER"
   description        = "Automatically generated by terraform. Grants Owner permissions on ${each.key} subscription."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "subscription_owners" {
   for_each             = var.subscriptions
@@ -35,7 +35,7 @@ resource "azuread_group" "subscription_contributors" {
   display_name       = "SUB_${each.key}_CONTRIBUTOR"
   description        = "Automatically generated by terraform. Grants Contributor permissions on ${each.key} subscription."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "subscription_contributors" {
   for_each             = var.subscriptions
@@ -63,7 +63,7 @@ resource "azuread_group" "management_owners" {
   display_name       = "AMG_${each.key}_OWNER"
   description        = "Automatically generated by terraform. Grants Owner permissions on ${each.value.display_name} management group."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "management_owners" {
   for_each             = var.management_groups
@@ -77,7 +77,7 @@ resource "azuread_group" "management_contributors" {
   display_name       = "AMG_${each.key}_CONTRIBUTOR"
   description        = "Automatically generated by terraform. Grants Contributor permissions on ${each.value.display_name} management group."
   security_enabled   = true
-  assignable_to_role = true
+  assignable_to_role = false
 }
 resource "azurerm_role_assignment" "management_contributors" {
   for_each             = var.management_groups

diff --git a/variables.tf b/variables.tf
@@ -20,13 +20,13 @@ variable "management_groups" {
 
 variable "custom_groups" {
   type = map(object({
-    pim_enabled      = optional(bool)
+    azuread_role_assignable = optional(bool)
     role_assignments = map(list(string))
   }))
   description = <<-DOC
   ```
   "<group_name>" = {
-    pim_enabled         = optional(string)    (if you want the role assignment to be pimmable) 
+    azuread_role_assignable = optional(string)    (if you want to assign Azure AD roles to the group) 
     role_assignments = {
       "<role_assignment>" = [                 (must be a role_definition_name or role_definition_id from azure)
         "<scope>"                             (every element must be a scope: "mg:<mg_id>", "sub:<subscription_id>", "root" for Tenant Root Group or a full scope ID)