`terraform import` reports an import success message, but the role assignment is not imported.
module role_assignment
main.tf
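# Creates the role assignment only when var.role_assignment is truthy (count 0/1).
# NOTE(review): var.role_assignment is not declared in the module's variables.tf
# shown here; the root module passes the string "1", which relies on Terraform's
# string-to-bool conversion — declaring the variable as `bool` would be clearer.
resource "azurerm_role_assignment" "attach" {
  count = var.role_assignment ? 1 : 0

  # Left null, the provider generates a GUID for the assignment name.
  # Because of `count`, the state address of this instance carries an index,
  # e.g. module.custom_role_assignment["<key>"].azurerm_role_assignment.attach[0];
  # an import that omits the ["<key>"] or [0] parts lands on a different address.
  name         = var.role_assignment_name
  scope        = var.role_assignment_scope
  principal_id = var.role_assignment_principal_id

  # role_definition_id and role_definition_name are mutually exclusive in the
  # azurerm provider; both default to null, so exactly one must be supplied.
  role_definition_id   = var.role_definition_id
  role_definition_name = var.role_assignment_role_definition
}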
variable.tf
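variable "role_assignment_name" {
  type        = string
  description = "(Optional) A unique UUID/GUID for this Role Assignment"
  default     = null

  # When set, the value becomes the assignment's resource name and must be a
  # GUID; a malformed value would otherwise only be rejected at apply time.
  validation {
    condition     = var.role_assignment_name == null || can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.role_assignment_name))
    error_message = "The role_assignment_name must be null or a GUID (8-4-4-4-12 hex digits)."
  }
}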
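variable "role_assignment_scope" {
  type        = string
  description = "(Required) The scope at which the Role Assignment applies to, such as /subscriptions/xxxxx-xxxx-xxx-xxxx-xxxxx, /subscriptions/xxxx-xxx-xxxx-xxxx-xxxx/resourceGroups/myGroup"

  # A scope is an ARM resource ID and always starts with "/". This rejects
  # empty or placeholder values before any assignment is attempted.
  validation {
    condition     = can(regex("^/", var.role_assignment_scope))
    error_message = "The role_assignment_scope must be an ARM resource ID starting with \"/\"."
  }
}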
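variable "role_definition_id" {
  type        = string
  description = "(Optional) The Scoped-ID of the Role Definition"
  default     = null

  # Expected form: [<scope>]/providers/Microsoft.Authorization/roleDefinitions/<guid>.
  # NOTE(review): the `id` of an azurerm_role_definition resource is
  # "<roleDefinitionId>|<scope>"; that "|<scope>" suffix is not part of a role
  # definition ID — use that resource's role_definition_resource_id attribute.
  validation {
    condition     = var.role_definition_id == null || can(regex("^(/.*)?/providers/Microsoft\\.Authorization/roleDefinitions/[^/|]+$", var.role_definition_id))
    error_message = "The role_definition_id must be a scoped role definition resource ID ending in /roleDefinitions/<guid>, without a \"|<scope>\" suffix."
  }
}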
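variable "role_assignment_principal_id" {
  type        = string
  description = "(Required) The ID of the Principal (User, Group or Service Principal) to assign the Role Definition"

  # The root module selects this value by principal type; a mismatch there
  # yields "" (the unused IDs are empty strings). Fail at plan time with a
  # clear message rather than sending an empty principal to the provider.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.role_assignment_principal_id))
    error_message = "The role_assignment_principal_id must be the principal's object ID (GUID); it is empty or malformed."
  }
}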
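variable "role_assignment_role_definition" {
  type        = string
  description = "(Optional) The name of a built-in Role. Changing this forces a new resource to be created"
  default     = null

  # Mutually exclusive with role_definition_id on azurerm_role_assignment.
  # An empty string is not "unset" to the provider, so reject it explicitly.
  validation {
    condition     = var.role_assignment_role_definition == null || length(trimspace(var.role_assignment_role_definition)) > 0
    error_message = "The role_assignment_role_definition must be null or a non-empty built-in role name."
  }
}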
Root folder
main.tf
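module "custom_role_assignment" {
  for_each = var.role_assignment
  source   = "../modules/role_assignment"

  role_assignment_scope = each.value.role_assignment_scope
  role_definition_id    = each.value.role_definition_id

  # Select the principal ID by declared type. Indexing a literal map fails
  # the plan ("Invalid index") for any type other than group/sp/mi, instead
  # of silently falling through to the managed-identity ID as the nested
  # ternary did.
  role_assignment_principal_id = ({
    group = each.value.role_assignment_group_principal_id
    sp    = each.value.role_assignment_sp_principal_id
    mi    = each.value.role_assignment_mi_principal_id
  })[each.value.role_assignment_principal_type]

  # Create/skip switch consumed by the module's `count`.
  role_assignment = each.value.role_assignment

  # NOTE(review): role_assignment_builtin_role is never read, and the module's
  # role_assignment_role_definition input is not wired through, so built-in
  # roles can only be referenced here via role_definition_id.
}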
variables.tf
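variable "role_assignment" {
  # One entry per role assignment; the map key becomes the module instance key.
  type = map(object({
    role_assignment_scope              = string
    role_assignment_principal_type     = string # possible values are "group", "sp" and "mi"
    role_assignment_group_principal_id = string
    role_assignment_sp_principal_id    = string
    role_assignment_mi_principal_id    = string
    role_assignment                    = string # create/skip switch for the module ("1"/"0"); a bool would be clearer
    role_assignment_builtin_role       = bool   # declared but not passed to the module
    role_definition_id                 = string
  }))

  # Reject unknown principal types up front: the module call picks the
  # principal ID from this field, so a typo would otherwise select the wrong
  # (or an empty) principal.
  validation {
    condition = length([
      for k, v in var.role_assignment : k
      if !contains(["group", "sp", "mi"], v.role_assignment_principal_type)
    ]) == 0
    error_message = "Each role_assignment entry must set role_assignment_principal_type to one of \"group\", \"sp\" or \"mi\"."
  }
}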
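# Example variable value (GUIDs are placeholders).
role_assignment = {
  "developer_role_assignment" = {
    role_assignment = "1"
    # role_assignment_role_name = "Processing Developer"
    role_assignment_principal_type     = "group"
    role_assignment_group_principal_id = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
    role_assignment_mi_principal_id    = ""
    role_assignment_sp_principal_id    = ""
    role_assignment_scope              = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx"
    role_assignment_builtin_role       = false
    # NOTE(review): the trailing "|/subscriptions/..." is the id format of an
    # azurerm_role_definition resource, not a role definition ID. The
    # azurerm_role_assignment argument expects the scoped ID ending in
    # /roleDefinitions/<guid> (role_definition_resource_id on that resource);
    # confirm against the provider docs.
    role_definition_id = "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxx|/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx"
  }
}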