add switch on whether to create role assignments for hci rp (#31)

Co-authored-by: Zidong Lu <[email protected]>
Azure · Nov 21, 2024 · 6f1687f · 6f1687f
1 parent 4e721ff
commit 6f1687f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -383,6 +383,14 @@ Type: `string`
 
 Default: `"Express"`
 
+### <a name="input_create_hci_rp_role_assignments"></a> [create\_hci\_rp\_role\_assignments](#input\_create\_hci\_rp\_role\_assignments)
+
+Description: Indicates whether to create role assignments for the HCI resource provider service principal.
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_create_key_vault"></a> [create\_key\_vault](#input\_create\_key\_vault)
 
 Description: Set to true to create the key vault, or false to skip it

diff --git a/locals.tf b/locals.tf
@@ -154,9 +154,9 @@ locals {
   roles = {
     KVSU = "Key Vault Secrets User",
   }
-  rp_roles = {
+  rp_roles = var.create_hci_rp_role_assignments ? {
     ACMRM = "Azure Connected Machine Resource Manager",
-  }
+  } : {}
   secrets_location = var.secrets_location == "" ? local.key_vault.vault_uri : var.secrets_location
   seperate_intents = [{
     name                               = var.compute_intent_name,

diff --git a/variables.tf b/variables.tf
@@ -256,6 +256,12 @@ variable "configuration_mode" {
   description = "The configuration mode for the storage."
 }
 
+variable "create_hci_rp_role_assignments" {
+  type        = bool
+  default     = false
+  description = "Indicates whether to create role assignments for the HCI resource provider service principal."
+}
+
 variable "create_key_vault" {
   type        = bool
   default     = true