remove redundant extra role assignments

jaredfholgate · jaredfholgate · commit c81362c50afc · 2026-01-28T19:01:54.000Z
diff --git a/alz/local/main.tf b/alz/local/main.tf
@@ -34,7 +34,6 @@ module "azure" {
   use_private_networking                               = false
   custom_role_definitions                              = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : (var.iac_type == "bicep" ? local.custom_role_definitions_bicep : local.custom_role_definitions_bicep_classic)
   role_assignments                                     = var.iac_type == "terraform" ? var.role_assignments_terraform : (var.iac_type == "bicep" ? var.role_assignments_bicep : var.role_assignments_bicep_classic)
-  additional_role_assignment_principal_ids             = var.grant_permissions_to_current_user ? { current_user = data.azurerm_client_config.current.object_id } : {}
   storage_account_blob_soft_delete_enabled             = var.storage_account_blob_soft_delete_enabled
   storage_account_blob_soft_delete_retention_days      = var.storage_account_blob_soft_delete_retention_days
   storage_account_blob_versioning_enabled              = var.storage_account_blob_versioning_enabled
diff --git a/alz/local/variables.tf b/alz/local/variables.tf
@@ -188,17 +188,6 @@ variable "postfix_number" {
   default     = 1
 }
 
-variable "grant_permissions_to_current_user" {
-  description = <<-EOT
-    **(Optional, default: `true`)** Whether to grant permissions to the current Azure CLI user.
-
-    When true, assigns permissions to the currently authenticated user in addition to the managed identities.
-    Useful for local development and testing.
-  EOT
-  type        = bool
-  default     = true
-}
-
 variable "additional_files" {
   description = <<-EOT
     **(Optional, default: `[]`)** Additional files to include in the deployment.
diff --git a/modules/azure/role_assignments.tf b/modules/azure/role_assignments.tf
@@ -7,28 +7,8 @@ locals {
     principal_id                       = azurerm_user_assigned_identity.alz[value.user_assigned_managed_identity_key].principal_id
   } }
 
-  additional_role_assignments = { for assignment in flatten([
-    for key, value in var.role_assignments : [
-      for princial_key, principal_value in var.additional_role_assignment_principal_ids : {
-        composite_key                      = "${value.scope}-${coalesce(value.custom_role_definition_key, value.built_in_role_definition_name)}-${princial_key}"
-        user_assigned_managed_identity_key = "${value.scope}-${coalesce(value.custom_role_definition_key, value.built_in_role_definition_name)}-${princial_key}"
-        built_in_role_definition_name      = value.built_in_role_definition_name
-        custom_role_definition_key         = value.custom_role_definition_key
-        scope                              = value.scope
-        principal_id                       = principal_value
-      }
-    ]]) : assignment.composite_key => {
-    user_assigned_managed_identity_key = assignment.user_assigned_managed_identity_key
-    built_in_role_definition_name      = assignment.built_in_role_definition_name
-    custom_role_definition_key         = assignment.custom_role_definition_key
-    scope                              = assignment.scope
-    principal_id                       = assignment.principal_id
-  } }
-
-  combined_role_assignments = merge(local.role_assignments, local.additional_role_assignments)
-
   subscription_role_assignments = { for assignment in flatten([
-    for key, value in local.combined_role_assignments : [
+    for key, value in local.role_assignments : [
       for subscription_id, subscription in data.azurerm_subscription.alz : {
         key                  = "${value.user_assigned_managed_identity_key}-${coalesce(value.custom_role_definition_key, value.built_in_role_definition_name)}-${subscription_id}"
         scope                = subscription.id
@@ -45,7 +25,7 @@ locals {
   } }
 
   management_group_role_assignments = {
-    for key, value in local.combined_role_assignments : key => {
+    for key, value in local.role_assignments : key => {
       scope                = var.intermediate_root_management_group_creation_enabled ? azapi_resource.intermediate_root_management_group[0].id : data.azurerm_management_group.alz.id
       role_definition_id   = value.built_in_role_definition_name == null ? azurerm_role_definition.alz[value.custom_role_definition_key].role_definition_resource_id : null
       role_definition_name = value.built_in_role_definition_name
diff --git a/modules/azure/storage.tf b/modules/azure/storage.tf
@@ -64,10 +64,3 @@ resource "azurerm_role_assignment" "alz_storage_container" {
   role_definition_name = "Storage Blob Data Owner"
   principal_id         = azurerm_user_assigned_identity.alz[each.key].principal_id
 }
-
-resource "azurerm_role_assignment" "alz_storage_container_additional" {
-  for_each             = var.create_storage_account ? var.additional_role_assignment_principal_ids : {}
-  scope                = azapi_resource.storage_account_container[0].id
-  role_definition_name = "Storage Blob Data Owner"
-  principal_id         = each.value
-}
diff --git a/modules/azure/variables.tf b/modules/azure/variables.tf
@@ -610,18 +610,6 @@ variable "role_assignments" {
   }))
 }
 
-variable "additional_role_assignment_principal_ids" {
-  description = <<-EOT
-    **(Optional, default: `{}`)** Additional Azure AD principal IDs to grant the same role assignments.
-
-    Map of principal IDs (users, groups, service principals) to grant the same role assignments
-    as the managed identities. Useful for granting permissions to human operators or existing
-    service principals for troubleshooting or manual operations.
-  EOT
-  type        = map(string)
-  default     = {}
-}
-
 variable "tenant_role_assignment_enabled" {
   description = <<-EOT
     **(Optional, default: `false`)** Enable tenant-level role assignment for managed identities.
