Merge pull request #1796 from sschne/f/aad-application-app-roles

Add app_roles for azuread_application
aztfmod · Sep 29, 2023 · 808b971 · 808b971
2 parents 39bfa32 + 053ae97
commit 808b971
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/.github/workflows/standalone-scenarios-azuread.json b/.github/workflows/standalone-scenarios-azuread.json
@@ -11,6 +11,7 @@
     "azuread/104-azuread-group-membership",
     "azuread/105-azuread-application-with-optional-claims",
     "azuread/106-azuread-application-with-api-scopes",
+    "azuread/108-azuread-application-with-app-roles",
     "azuread/201-groups-and-roles"
   ]
 }
diff --git a/examples/azuread/108-azuread-application-with-app-roles/configuration.tfvars b/examples/azuread/108-azuread-application-with-app-roles/configuration.tfvars
@@ -0,0 +1,28 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+  random_length = 5
+}
+
+azuread_applications = {
+  test_client = {
+    useprefix        = true
+    application_name = "test-client"
+    app_roles = {
+      admin = {
+        allowed_member_types = ["User"]
+        description          = "Admin"
+        display_name         = "Admin"
+        value                = "Admin"
+      }
+      viewer = {
+        allowed_member_types = ["User"]
+        description          = "Viewer"
+        display_name         = "Viewer"
+        value                = "Viewer"
+      }
+    }
+  }
+}
diff --git a/modules/azuread/applications_v1/azuread_application.tf b/modules/azuread/applications_v1/azuread_application.tf
@@ -47,6 +47,19 @@ resource "azuread_application" "app" {
     }
   }
 
+  dynamic "app_role" {
+    for_each = try(var.settings.app_roles, [])
+
+    content {
+      allowed_member_types = app_role.value.allowed_member_types
+      description          = app_role.value.description
+      display_name         = app_role.value.display_name
+      enabled              = try(app_role.value.enabled, null)
+      id                   = try(app_role.value.id, random_uuid.app_role_id[app_role.key].id)
+      value                = try(app_role.value.value, null)
+    }
+  }
+
   dynamic "required_resource_access" {
     for_each = var.azuread_api_permissions
 
@@ -111,3 +124,10 @@ resource "azuread_application" "app" {
     }
   }
 }
+
+resource "random_uuid" "app_role_id" {
+  for_each = {
+    for key, value in try(var.settings.app_roles, {}) : key => value
+    if try(value.id, null) == null
+  }
+}