Adds IAM roles for the Managed Identity Module

This adds the ability to pass in a list of roles to be assigned to the
managed identity user.

terraform/modules/managed_identity/main.tf

@@ -8,4 +8,13 @@ resource "azurerm_user_assigned_identity" "identity" {
   location            = azurerm_resource_group.identity.location
 
   name = "${var.name}-${var.environment}-${var.identity}"
-}
+}
+
+data "azurerm_subscription" "primary" {}
+
+resource "azurerm_role_assignment" "roles" {
+  count                = length(var.roles)
+  scope                = data.azurerm_subscription.primary.id
+  role_definition_name = var.roles[count.index]
+  principal_id         = azurerm_user_assigned_identity.identity.principal_id
+}

terraform/modules/managed_identity/variables.tf

@@ -22,3 +22,8 @@ variable "identity" {
   type        = string
   description = "Name of the managed identity to create"
 }
+
+variable "roles" {
+  type        = list
+  description = "List of roles by name"
+}

terraform/providers/dev/identities.tf

@@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
   environment = var.environment
   region      = var.region
   identity    = "${var.name}-${var.environment}-vault-reader"
+  roles       = ["Reader", "Managed Identity Operator"]
+
 }