aztfmod · shanoor · Jun 17, 2024 · Jul 2, 2024 · Jul 8, 2024 · Jul 8, 2024
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -100,6 +100,7 @@
     "redis_cache/103-redis-private-endpoints",
     "role_mapping/100-simple-role-mapping",
     "role_mapping/101-function-app-managed-identity",
+    "role_mapping/103-abac",
     "search_service/100-search-service-both-apikeys-and-azuread",
     "search_service/101-search-service-only-api-keys",
     "search_service/102-search-service-only-azuread",

diff --git a/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars b/examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars
@@ -56,8 +56,8 @@ azuread_applications = {
           admin_consent_description  = "Allow to administer app2."
           admin_consent_display_name = "Administer app2"
           enabled                    = true
-          type  = "Admin"
-          value = "app2"
+          type                       = "Admin"
+          value                      = "app2"
         }
       ]
     }

diff --git a/examples/role_mapping/103-abac/configuration.tfvars b/examples/role_mapping/103-abac/configuration.tfvars
@@ -0,0 +1,69 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "francecentral"
+  }
+}
+
+resource_groups = {
+  test = {
+    name = "test"
+  }
+}
+
+storage_accounts = {
+  sa1 = {
+    name                     = "ada9a3027eec"
+    resource_group_key       = "test"
+    account_kind             = "BlobStorage"
+    account_tier             = "Standard"
+    account_replication_type = "LRS"
+
+    tags = {
+      environment = "dev"
+      team        = "IT"
+    }
+
+    containers = {
+      dev = {
+        name = "random"
+      }
+    }
+  }
+}
+
+managed_identities = {
+  msi01 = {
+    name               = "example-msi-rolemap-msi"
+    resource_group_key = "test"
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    storage_accounts = {
+      sa1 = {
+        "Storage Blob Data Contributor" = {
+          managed_identities = {
+            keys = [
+              {
+                key       = "msi01",
+                condition = <<EOT
+                  (
+                    (
+                      !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
+                    )
+                    OR
+                    (
+                      @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Malware Scanning scan result<$key_case_sensitive$>] StringEqualsIgnoreCase 'no threats found'
+                    )
+                  )
+                EOT
+              }
+            ]
+          },
+        },
+      }
+    }
+  }
+}
diff --git a/roles.tf b/roles.tf
@@ -24,6 +24,8 @@ resource "azurerm_role_assignment" "for" {
   role_definition_id   = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
   role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
   scope                = each.value.scope_lz_key == null ? local.services_roles[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
+  condition_version    = try(each.value.condition, null) == null ? null : "2.0"
+  condition            = try(each.value.condition, null)
 }
 
 resource "azurerm_role_assignment" "for_deferred" {
@@ -36,6 +38,8 @@ resource "azurerm_role_assignment" "for_deferred" {
   role_definition_id   = each.value.mode == "custom_role_mapping" ? module.custom_roles[each.value.role_definition_name].role_definition_resource_id : null
   role_definition_name = each.value.mode == "built_in_role_mapping" ? each.value.role_definition_name : null
   scope                = each.value.scope_lz_key == null ? local.services_roles_deferred[each.value.scope_resource_key][var.current_landingzone_key][each.value.scope_key_resource].id : local.services_roles_deferred[each.value.scope_resource_key][each.value.scope_lz_key][each.value.scope_key_resource].id
+  condition_version    = try(each.value.condition, null) == null ? null : "2.0"
+  condition            = try(each.value.condition, null)
 }
 
 resource "time_sleep" "azurerm_role_assignment_for" {
@@ -230,16 +234,17 @@ locals {
                     scope_key_resource      = scope_key_resource
                     role_definition_name    = role_definition_name
                     object_id_resource_type = object_id_key
-                    object_id_key_resource  = object_id_key_resource #   "object_id_key_resource" = "aks_admins"
-                    object_id_lz_key        = try(object_resources.lz_key, null)
+                    object_id_key_resource  = try(object_id_key_resource.key, object_id_key_resource) #   "object_id_key_resource" = "aks_admins"
+                    object_id_lz_key        = try(object_id_key_resource.lz_key, object_resources.lz_key, null)
+                    condition               = try(object_id_key_resource.condition, null)
                   }
                 ]
               ] if role_definition_name != "lz_key"
             ]
           ]
         ]
       ]
-    ) : format("%s_%s_%s_%s", mapping.object_id_resource_type, mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), mapping.object_id_key_resource) => mapping
+    ) : format("%s_%s_%s_%s_%s", mapping.object_id_resource_type, mapping.scope_key_resource, replace(mapping.role_definition_name, " ", "_"), coalesce(mapping.object_id_lz_key, local.client_config.landingzone_key), mapping.object_id_key_resource) => mapping
   }
 }