dfds · samidbb · Dec 2, 2024 · Nov 28, 2024 · Dec 2, 2024 · Dec 2, 2024
@@ -1 +1,16 @@
-data "azuread_client_config" "current" {}
+data "azuread_client_config" "current" {}
+
+data "azuread_application_published_app_ids" "well_known" {}
+
+data "azuread_service_principal" "msgraph" {
+  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
+}
+
+locals {
+  scope_ids = var.api_permissions != null ? [
+    for scope in var.api_permissions.scopes : data.azuread_service_principal.msgraph.oauth2_permission_scope_ids[scope]
+  ]: []
+  roles_ids = var.api_permissions != null ? [
+    for role in var.api_permissions.roles : data.azuread_service_principal.msgraph.app_role_ids[role]
+  ]: []
+}
@@ -19,6 +19,12 @@ resource "azuread_application" "app" {
       value                = app_role.value.value
     }
   }
+
+  lifecycle {
+    ignore_changes = [
+      required_resource_access,
+    ]
+  }
 }
 
 resource "azuread_service_principal" "sp" {
@@ -36,3 +42,13 @@ resource "random_password" "password" {
 resource "azuread_service_principal_password" "key" {
   service_principal_id = azuread_service_principal.sp.id
 }
+
+
+resource "azuread_application_api_access" "azure_app" {
+  count = length(local.scope_ids) > 0 || length(local.roles_ids) > 0 ? 1 : 0
+  application_id = "/applications/${azuread_application.app.object_id}"
+  api_client_id  = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
+
+  role_ids = local.roles_ids
+  scope_ids = local.scope_ids
+}
@@ -6,6 +6,10 @@ output "client_id" {
   value = azuread_application.app.client_id
 }
 
+output "application_object_id" {
+  value = azuread_application.app.object_id
+}
+
 output "application_key" {
   value     = azuread_service_principal_password.key.value
   sensitive = true

@@ -40,4 +40,17 @@ variable "app_roles" {
   }))
   default     = []
   description = "A list of app roles to create for the application. Note: allowed_member_types must be a list containing only 'User' or 'Application'"
+}
+
+variable "api_permissions" {
+  type = object({
+    roles = optional(list(string), [])
+    scopes = optional(list(string), [])
+  })
+  default = null
+  description = <<EOF
+  A map of API permissions (Microsoft Graph) to assign to the application.
+  roles is a list of roles to assign to the application. Example: ["User.Read.All"]
+  scopes is a list of scopes to assign to the application. Example: ["email"]
+  EOF
 }
@@ -1,9 +1,7 @@
 
 resource "azuread_app_role_assignment" "this" {
-  for_each = { for x in var.role_assignments : x.app_role_id => x }
-
-
-  app_role_id  = each.value.app_role_id
-  principal_object_id = each.value.principal_id
-  resource_object_id  = each.value.resource_id
-}
+  count = length(var.role_assignments)
+  app_role_id = var.role_assignments[count.index].app_role_id
+  principal_object_id = var.role_assignments[count.index].principal_id
+  resource_object_id  = var.role_assignments[count.index].resource_id
+}