fix(variables): make clearer why 2 admin object ID types needed. misc text adjustments

_override.tf.sample

@@ -1,5 +1,5 @@
-# To deploy this project from a local machine, first remove
-# the `.sample` extension from this file before running the
+# To deploy this project from a local machine (without a Terraform backend),
+# first remove the `.sample` extension from this file before running the
 # `terraform init` command.
 #
 # For details see:

backends/backend.hcl.sample

@@ -1,6 +1,6 @@
 storage_account_name="STORAGE_ACCOUNT_NAME"
 container_name="STORAGE_CONTAINER_NAME"
 key="FILENAME.tfstate"
-# To authenticate to the Storage account, pick and uncomment one of the options below:
-# sas_token="?sv=2019-12-12…" # or account key
-# access_key="…" # or SAS token
+# To authenticate to the Storage account, pick and uncomment *one* of the options below:
+# sas_token="?sv=2019-12-12…" # use SAS token
+# access_key="…" # use Storage Account Access Key

local.auto.tfvars.example

@@ -4,4 +4,10 @@
 # Directory group that contains both you and the priviledged service
 # principle running infrastructure as code
 
+# Key Vault wants AAD Group object_id
 superadmins_aad_object_id = "<guid>"
+
+# but Azure AD only supports user and service principal objects - not groups.
+application_owners_ids = ["<guid>", "<guid>"]
+
+# See also ./modules/cicd-setup/README.md for details.

variables.tf

@@ -5,6 +5,7 @@ variable "superadmins_aad_object_id" {
   default     = ""
 }
 
+# Service Principal Owners
 variable "application_owners_ids" {
   type        = list(string)
   description = "A set of object IDs of principals that will be granted ownership of the application (service principal). Supported object types are users or service principals. It is best practice to specify one or more owners, incl. the principal used to execute Terraform"