feat(condition): use better abac condition

jshiwamV · jshiwamV · commit 891feb6cb640 · 2025-11-03T21:04:41.000+05:30
diff --git a/.github/setup/azure/main.tf b/.github/setup/azure/main.tf
@@ -177,7 +177,7 @@ resource "azurerm_role_assignment" "github_actions_rbac_admin" {
     (
       (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) 
       OR 
-      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {
+      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAllOfAllValues:GuidNotEquals {
         ${data.azurerm_role_definition.owner.id}, 
         ${data.azurerm_role_definition.user_access_administrator.id}, 
         ${data.azurerm_role_definition.rbac_administrator.id}
@@ -187,7 +187,7 @@ resource "azurerm_role_assignment" "github_actions_rbac_admin" {
     (
       (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) 
       OR 
-      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {
+      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAllOfAllValues:GuidNotEquals {
         ${data.azurerm_role_definition.owner.id}, 
         ${data.azurerm_role_definition.user_access_administrator.id}, 
         ${data.azurerm_role_definition.rbac_administrator.id}
