Merge pull request #2 from codycodes/updates-per-feedback

Updates Per Roger's Feedback

Author: codycodes

README.md

@@ -22,16 +22,7 @@
 
 ### Basic Usage
 
-```hcl
-module "ms365_hass_calendar" {
-  source  = "codycodes/ms365-hass/azuread"
-  version = "~>1.0"
-
-  selected_service = "calendar"
-}
-```
-
-Please see the [examples](./examples) folder for more configurations, or take a look at the [variables](./variables.tf) page to see the inputs supported by this module.
+Please see the [examples](./examples) folder for a configuration example (that calls this module), take a look at the a fancy rendering of the inputs [on the module's Terraform Registry page](https://registry.terraform.io/modules/codycodes/ms365-hass/azuread/latest?tab=inputs) or peep the [variables](./variables.tf) page directly to see the inputs supported by this module.
 
 ### Setup
 

main.tf

@@ -57,6 +57,10 @@ locals {
 
 data "azuread_client_config" "current" {}
 
+locals {
+  assigned_permissions = var.preassign_permissions ? concat(local.permissions.general, local.permissions[var.selected_service]) : []
+}
+
 resource "azuread_application" "m365_integration" {
   display_name     = "Home Assistant MS365 ${var.selected_service} Integration"
   description      = "Created via Terraform"
@@ -65,13 +69,18 @@ resource "azuread_application" "m365_integration" {
   api {
     requested_access_token_version = 2 # required for some sign_in_audience & recommended due to backwards compat w/v1
   }
-  required_resource_access {
-    resource_app_id = "00000003-0000-0000-c000-000000000000" # microsoft graph
-    dynamic "resource_access" {
-      for_each = var.custom_permissions == null ? concat(local.permissions.general, local.permissions[var.selected_service]) : tolist(var.custom_permissions)
-      content {
-        id   = resource_access.value
-        type = "Scope"
+  dynamic "required_resource_access" {
+    for_each = length(local.assigned_permissions) > 0 ? [1] : []
+
+    content {
+      resource_app_id = "00000003-0000-0000-c000-000000000000" # microsoft graph
+      dynamic "resource_access" {
+        for_each = local.assigned_permissions
+
+        content {
+          id   = resource_access.value
+          type = "Scope"
+        }
       }
     }
   }

variables.tf

@@ -38,10 +38,10 @@ variable "rotation_window_days" {
   default     = 365
 }
 
-variable "custom_permissions" {
-  type        = set(string)
-  description = "Custom permissions to use instead of local.permissions"
-  default     = null
+variable "preassign_permissions" {
+  type        = bool
+  description = "Determines whether permissions for the app should be pre-assigned (greatest privilege) or assigned at auth-time (least privilege)"
+  default     = false
 }
 
 variable "owners" {