groups claim for oauth2 azuread applications (#1650)

dfds · Dec 10, 2024 · baadddd · baadddd
1 parent 0169c29
commit baadddd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/_sub/security/azure-app-registration/main.tf b/_sub/security/azure-app-registration/main.tf
@@ -25,6 +25,9 @@ resource "azuread_application" "app" {
       required_resource_access,
     ]
   }
+
+  group_membership_claims = var.groups_claim
+
 }
 
 resource "azuread_service_principal" "sp" {

diff --git a/_sub/security/azure-app-registration/vars.tf b/_sub/security/azure-app-registration/vars.tf
@@ -54,4 +54,17 @@ variable "api_permissions" {
   scopes is a list of scopes to assign to the application. Example: ["email"]
   Important note: If the permissions require admin consent, then you can use the azure-app-delegated-permissions-grant module to grant those permissions.
   EOF
+}
+
+variable "groups_claim" {
+  type        = list(string)
+  default     = ["None"]
+  description = <<EOF
+  The groups claim issued in a user or OAuth 2.0 access token that the application expects.
+  Possible values are: "None", "SecurityGroup", "All", "DirectoryRole", "ApplicationGroup".
+  EOF
+  validation {
+    error_message = "One of the following values must be used: None, SecurityGroup, All, DirectoryRole, ApplicationGroup"
+    condition     = alltrue([for value in var.groups_claim : contains(["None", "SecurityGroup", "All", "DirectoryRole", "ApplicationGroup"], value)])
+  }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,6 +25,9 @@ resource "azuread_application" "app" { @@
           required_resource_access,
         ]
       }
+      group_membership_claims = var.groups_claim
     }
     resource "azuread_service_principal" "sp" {
@@ Expand Down @@