From 11404a6e5b686290f4ff5c7650eb4a1f7811aff3 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Tue, 7 Jan 2020 14:00:27 -0500
Subject: [PATCH] Adds IAM roles for the Managed Identity Module

This adds the ability to pass in a list of roles to be assigned to the managed identity user.
---
 terraform/modules/managed_identity/main.tf | 11 ++++++++++-
 terraform/modules/managed_identity/variables.tf | 5 +++++
 terraform/providers/dev/identities.tf | 2 ++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/terraform/modules/managed_identity/main.tf b/terraform/modules/managed_identity/main.tf
index 84e186ce..2f186c87 100644
--- a/terraform/modules/managed_identity/main.tf
+++ b/terraform/modules/managed_identity/main.tf
@@ -8,4 +8,13 @@ resource "azurerm_user_assigned_identity" "identity" {
   location = azurerm_resource_group.identity.location
   name = "${var.name}-${var.environment}-${var.identity}"
-}
\ No newline at end of file
+}
+
+data "azurerm_subscription" "primary" {}
+
+resource "azurerm_role_assignment" "roles" {
+  count = length(var.roles)
+  scope = data.azurerm_subscription.primary.id
+  role_definition_name = var.roles[count.index]
+  principal_id = azurerm_user_assigned_identity.identity.principal_id
+}
diff --git a/terraform/modules/managed_identity/variables.tf b/terraform/modules/managed_identity/variables.tf
index f2a1a758..e5ffc99c 100644
--- a/terraform/modules/managed_identity/variables.tf
+++ b/terraform/modules/managed_identity/variables.tf
@@ -22,3 +22,8 @@ variable "identity" {
   type = string
   description = "Name of the managed identity to create"
 }
+
+variable "roles" {
+  type = list
+  description = "List of roles by name"
+}
diff --git a/terraform/providers/dev/identities.tf b/terraform/providers/dev/identities.tf
index 0def7ce6..5d8370cd 100644
--- a/terraform/providers/dev/identities.tf
+++ b/terraform/providers/dev/identities.tf
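Review bot: Every entry in `var.roles` is granted at subscription scope (`scope = data.azurerm_subscription.primary.id` in the new `azurerm_role_assignment.roles`), so a caller of this module has no way to narrow a grant to the resource group or resource the identity actually needs; in the dev caller later in this patch that turns a vault-reader identity into a subscription-wide Reader. A nullable `scope` input that falls back to the subscription keeps existing callers working while allowing least-privilege grants: `scope = var.scope != null ? var.scope : data.azurerm_subscription.primary.id`, with a `variable "scope"` of type string and default null added in variables.tf, documented as "resource id the roles are assigned at (defaults to the current subscription)". Indexing assignments with `count` also means that reordering or removing one entry in `roles` destroys and recreates every assignment after it, which briefly revokes access during apply; `for_each = toset(var.roles)` with `role_definition_name = each.value` is stable under reordering if the Terraform version in use supports resource `for_each` (0.12.6 or later).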
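Review bot: The new `variable "roles"` has no `default`, so every existing invocation of this module must now pass `roles` or planning fails; `default = []` keeps role assignment opt-in, and the module's `count = length(var.roles)` already handles an empty list. `type = list` is the legacy untyped form that accepts elements of any type; `type = list(string)` rejects a non-string entry at variable validation rather than when it reaches `role_definition_name`. The description should also say what the entries are and where they apply, e.g. `description = "Names of Azure role definitions to assign to the identity (applied at subscription scope)"`.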
@@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
   environment = var.environment
   region = var.region
   identity = "${var.name}-${var.environment}-vault-reader"
+  roles = ["Reader", "Managed Identity Operator"]
+
 }
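Review bot: The roles passed here are broader than the identity's name suggests: with the module as written in the first file of this patch, both `Reader` and `Managed Identity Operator` are assigned at subscription scope, so the vault-reader identity can read every resource in the subscription and can assign any user-assigned identity in it to compute resources, which is a lateral-movement path if the workload using this identity is compromised. It is worth confirming whether either role is needed for reading the vault at all, since Key Vault data-plane access is typically governed separately, and once the module accepts a narrower scope these should be limited to the vault's resource group. The added empty line before the closing `}` is a stray blank line and should be dropped. The `module "keyvault_reader_identity"` block begins before the hunk.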