main.policy_role_assignments.tf
# Holds a SHA-256 digest of the JSON-encoded dependency values supplied by the
# caller in var.dependencies.policy_role_assignments. The role assignment
# resource in this file lists this resource in its depends_on.
# NOTE(review): presumably the digest is used so the stored input stays small
# and changes whenever any dependency value changes; confirm against the
# variable's documentation.
resource "terraform_data" "policy_role_assignments_dependencies" {
  input = sha256(
    jsonencode(var.dependencies.policy_role_assignments)
  )
}
# Creates one Azure RBAC role assignment per entry in
# local.policy_role_assignments. Going by the description string below, these
# grant policy identities the roles their policy assignments need.
#
# Security review notes:
# - The principal, role definition and scope all come from
#   local.policy_role_assignments, which is defined outside this block. That is
#   where least privilege has to be checked: confirm no entry grants a broader
#   role, or a higher scope, than its policy requires.
# - No `condition` is set in the body, so each grant is unconditional at its
#   scope.
resource "azapi_resource" "policy_role_assignments" {
  for_each = local.policy_role_assignments

  type = "Microsoft.Authorization/roleAssignments@2022-04-01"
  # NOTE(review): role assignment names are GUIDs in Azure; presumably each.key
  # is already a GUID (confirm where the local map is built).
  name      = each.key
  parent_id = each.value.scope

  body = {
    properties = {
      description = "Created by ALZ Terraform provider. Assignment required for Azure Policy."
      principalId = each.value.principal_id
      # Hard-coded principal type. Stating it explicitly is the documented way
      # to avoid principal-not-found errors when the identity was only just
      # created and has not yet replicated.
      principalType    = "ServicePrincipal"
      roleDefinitionId = each.value.role_definition_id
    }
  }

  # The assignment is replaced, not updated, when the principal or the role
  # definition changes.
  replace_triggers_external_values = [
    each.value.principal_id,
    each.value.role_definition_id,
  ]

  # Retry is configured only when the caller supplies an error message regex;
  # otherwise the argument is null. The optional tuning values fall back to null.
  retry = var.retries.policy_role_assignments.error_message_regex == null ? null : {
    error_message_regex  = var.retries.policy_role_assignments.error_message_regex
    interval_seconds     = lookup(var.retries.policy_role_assignments, "interval_seconds", null)
    max_interval_seconds = lookup(var.retries.policy_role_assignments, "max_interval_seconds", null)
    multiplier           = lookup(var.retries.policy_role_assignments, "multiplier", null)
    randomization_factor = lookup(var.retries.policy_role_assignments, "randomization_factor", null)
  }

  timeouts {
    create = var.timeouts.policy_role_assignment.create
    read   = var.timeouts.policy_role_assignment.read
    update = var.timeouts.policy_role_assignment.update
    delete = var.timeouts.policy_role_assignment.delete
  }

  # Explicit ordering after the dependency digest resource defined in this file.
  depends_on = [terraform_data.policy_role_assignments_dependencies]

  lifecycle {
    # Ignore changes to the updatedOn output property; see
    # https://github.com/Azure/terraform-provider-azapi/issues/671
    ignore_changes = [output.properties.updatedOn]
  }
}