
Reputation: 711

Create Role assignment dynamically in Terraform from input

I am trying to create multiple role assignments using a typical variable given below where "permission {}" is a new variable I would like to introduce in the form of a type map, so I can perform multiple role assignments.

My TFVARS file

azure_vnets= {
  prod= [
      cidr = [""]
      vnet_name = "vnet1"
      dns  = [""]
      rg   = "myrg1"
      permission = {
      Contributor =  ["xxxxxxxxxxxx", "xxxxxxxxxxxxx"],
      Reader = ["xxxxxxxxxxx", "xxxxxxxxxx"]
      location = "eastus"
      cidr = [""]
      vnet_name = "vnet2"
      dns  = [""]
      rg   = "myrg2"
      permission = {
      Contributor =  ["xxxxxxxxxxxx", "xxxxxxxxxxxxx"],
      Reader = ["xxxxxxxxxxx", "xxxxxxxxxx"]
      location = "westeurope"
  nonprod = [
      cidr = [""]
      vnet_name = "vnet1"
      dns  = [""]
      rg   = "nonprodrg"
      location = "eastus"
      permission = {
      Contributor =  ["xxxxxxxxxxxx", "xxxxxxxxxxxxx"],
      Reader = ["xxxxxxxxxxx", "xxxxxxxxxx"]
      cidr = [""]
      vnet_name = "nonprod-vnet2"
      dns  = [""]
      sub  = "nonProd"
      rg   = "mynonprodrg"
      permission = {
      Contributor =  ["xxxxxxxxxxxx", "xxxxxxxxxxxxx"],
      Reader = ["xxxxxxxxxxx", "xxxxxxxxxx"]
      location = "westeurope"

My resource creation file I have a local defined here which helps me use the above variable in a for_each loop given below in the role assignment creation. I would like to know how to get the Rolename as Key and ObjectID as value in the below for_each role_assignment creation from the above TFvar variable

locals {
  flat_azure_vnets = merge([
      for env_name, env_vn_list in var.azure_vnets:
           for idx, env_vn in env_vn_list:
             "${env_name}-${idx}" => env_vn

resource "azurerm_role_assignment" "role_assignment" {
    for_each = { for k, v in local.flat_azure_vnets  : k => v }
    scope                =
    role_definition_name =
    principal_id         = each.key

Upvotes: 0

Views: 2712

Answers (2)

Ansuman Bal
Ansuman Bal

Reputation: 11431

You can use the below example which I have tested in my environment:

provider "azurerm"{
locals {
  flat_azure_vnets = merge([
      for env_name, env_vn_list in var.azure_vnets:
           for idx, env_vn in env_vn_list:
             "${env_name}-${idx}" => env_vn
    flat_rbac = {for i,r in local.flat_azure_vnets : "role-${i}"=>"${r.permission}"}


variable "azure_vnets" {}

output "rbac" {
  value = local.flat_rbac
module "Contributor_roleAssignment" {
  for_each = zipmap(keys(local.flat_rbac), values(local.flat_rbac)[*].Contributor)
  source   = "./modules/roleAssignment"

  role_definition_name = "Contributor"
  scope_id             = "/subscriptions/948d4068-cee2-492b-8f82-e00a844e059b/resourceGroups/ansumantest"
  principal_ids        = each.value

module "Reader_roleAssignment" {
  for_each = zipmap(keys(local.flat_rbac), values(local.flat_rbac)[*].Reader)
  source   = "./modules/roleAssignment"

  role_definition_name = "Reader"
  scope_id             = "/subscriptions/948d4068-cee2-492b-8f82-e00a844e059b/resourceGroups/ansumantest"
  principal_ids        = each.value

Role assignment module i.e. "./modules/roleAssignment"

locals {
    principals = toset(var.principal_ids)

resource "azurerm_role_assignment" "role_assignment" {
    for_each = local.principals
    scope                = var.scope_id
    role_definition_name = var.role_definition_name
    principal_id         = each.key
} :

variable "role_definition_name" {
    type        = any
    description = "The name of the Role to assign to the chosen Scope."

variable "scope_id" {
  type        = string
  description = "The Id of the scope where the role should be assigned."

variable "principal_ids" {
  type        = list(string)
  description = "The ID of the principal that is to be assigned the role at the given scope. Can be User, Group or SPN."


enter image description here

enter image description here

enter image description here enter image description here

Upvotes: 1


Reputation: 238687

To iterate over your new permission attribute, you have to further flatten your flat_azure_vnets. So you can introduce flat_azure_vnets2:

locals {
  flat_azure_vnets = merge([
      for env_name, env_vn_list in var.azure_vnets:
           for idx, env_vn in env_vn_list:
             "${env_name}-${idx}" => env_vn

  flat_azure_vnets2 = merge([
      for key, env in local.flat_azure_vnets:
           for cidx, contrinutor in env["permission"]["Contributor"]:
             "${key}-${cidx}" => merge(
                   env, {
                       "contrinutor" = contrinutor,
                       "reader" = env["permission"]["Reader"][cidx]

which produces flat_azure_vnets2 in the form of (notice new contrinutor and reader attributes):

test = {
  "nonprod-0-0" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxx"
    "dns" = [
    "location" = "eastus"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxxx"
    "rg" = "nonprodrg"
    "vnet_name" = "vnet1"
  "nonprod-0-1" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxxx"
    "dns" = [
    "location" = "eastus"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxx"
    "rg" = "nonprodrg"
    "vnet_name" = "vnet1"
  "nonprod-1-0" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxx"
    "dns" = [
    "location" = "westeurope"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxxx"
    "rg" = "mynonprodrg"
    "sub" = "nonProd"
    "vnet_name" = "nonprod-vnet2"
  "nonprod-1-1" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxxx"
    "dns" = [
    "location" = "westeurope"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxx"
    "rg" = "mynonprodrg"
    "sub" = "nonProd"
    "vnet_name" = "nonprod-vnet2"
  "prod-0-0" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxx"
    "dns" = [
    "location" = "eastus"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxxx"
    "rg" = "myrg1"
    "vnet_name" = "vnet1"
  "prod-0-1" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxxx"
    "dns" = [
    "location" = "eastus"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxx"
    "rg" = "myrg1"
    "vnet_name" = "vnet1"
  "prod-1-0" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxx"
    "dns" = [
    "location" = "westeurope"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxxx"
    "rg" = "myrg2"
    "vnet_name" = "vnet2"
  "prod-1-1" = {
    "cidr" = [
    "contrinutor" = "xxxxxxxxxxxxx"
    "dns" = [
    "location" = "westeurope"
    "permission" = {
      "Contributor" = [
      "Reader" = [
    "reader" = "xxxxxxxxxx"
    "rg" = "myrg2"
    "vnet_name" = "vnet2"

Upvotes: 1

Related Questions