# Look up the built-in "AcrPull" role by name so its role-definition GUID is
# not hard-coded; the resulting role_definition_id feeds the ABAC condition on
# the delegated RBAC Administrator assignment.
# NOTE(review): no `scope` is set, so the provider resolves the lookup against
# its default subscription — confirm that is intended when the registry lives
# in a different subscription.
data "azurerm_role_definition" "acr_pull" {
  name = "AcrPull"
}
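# Role-definition GUID for AcrPull, shared by both halves of the ABAC condition
# below so the write- and delete-constraints cannot drift apart.
# role_definition_id is the full ARM resource ID (".../roleDefinitions/<guid>");
# GuidEquals needs only the trailing GUID, hence basename().
locals {
  acr_pull_role_definition_guid = basename(data.azurerm_role_definition.acr_pull.role_definition_id)
}

# Delegated role-assignment management, constrained with ABAC (condition v2.0):
# the service principal becomes an RBAC Administrator only at the registry
# scope (var.container_registry_id), and may only create or delete
# assignments of the AcrPull role there.
#
# Security notes (review):
# - The condition limits roleAssignments/write and roleAssignments/delete only.
#   The "Role Based Access Control Administrator" built-in role also carries
#   read permissions at this scope — check the role definition if that matters.
# - No PrincipalType constraint is applied, so the delegate can grant AcrPull to
#   any principal kind (user, group, service principal, managed identity),
#   including itself. If that should be narrowed, AND in a clause such as
#   `@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}`
#   — TODO confirm the intended assignment targets.
resource "azurerm_role_assignment" "role_based_access_control_administrator" {
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = azuread_service_principal.main.object_id
  scope                = var.container_registry_id
  description          = "Delegated RBAC: may only assign/remove AcrPull on this registry"

  # The service principal is managed in this configuration; Azure AD replication
  # can lag its creation, so skip the provider's existence check to avoid a
  # spurious "principal not found" on first apply.
  skip_service_principal_aad_check = true

  condition_version = "2.0"
  # Shape follows the Azure "constrain roles that can be assigned" pattern: each
  # clause reads "not this action OR the role involved is AcrPull". The write
  # clause inspects @Request (the assignment being created); the delete clause
  # inspects @Resource (the existing assignment being removed).
  condition = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.acr_pull_role_definition_guid}}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.acr_pull_role_definition_guid}}
      )
    )
  EOT
}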