Merge pull request #439 from recognizegroup/feature/22184-add-role-va…

…lidation-into-api-policy Adding role validation into api policy AB#22184
recognizegroup · Dec 17, 2024 · 632020e · 632020e
2 parents 9dfaa56 + 1f82ced
commit 632020e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/modules/azure/api_management_api/main.tf b/modules/azure/api_management_api/main.tf
@@ -130,6 +130,11 @@ resource "azurerm_api_management_api_policy" "api_policy" {
         <claim name="iss" match="any">
           <value>${var.aad_settings.issuer}</value>
         </claim>
+        %{if var.role_assignment != null}
+          <claim name="roles" match="any">
+            <value>${var.role_assignment}</value>
+          </claim>
+        %{endif}
       </required-claims>
     </validate-jwt>
     %{if var.backend_type == "managed-identity"}

diff --git a/modules/azure/api_management_api/variables.tf b/modules/azure/api_management_api/variables.tf
@@ -222,3 +222,9 @@ variable "custom_backend_policy" {
   description = "Additional backend xml policies"
   default     = null
 }
+
+variable "role_assignment" {
+  type        = string
+  description = "Role to validate in the JWT token's 'roles' claim for access control."
+  default     = null
+}