New resource: azuread_app_role_assignment

hashicorp · Sep 21, 2021 · 3d0c6d3 · 3d0c6d3
1 parent a713198
commit 3d0c6d3
Show file tree

Hide file tree

Showing 10 changed files with 780 additions and 8 deletions.
diff --git a/.teamcity/components/project.kt b/.teamcity/components/project.kt
@@ -5,6 +5,7 @@ const val providerName = "azuread"
 
 var services = mapOf(
         "applications" to "Applications",
+        "approleassignments" to "App Role Assignments",
         "conditionalaccess" to "Conditional Access",
         "directoryroles" to "Directory Roles",
         "domains" to "Domains",

diff --git a/docs/resources/app_role_assignment.md b/docs/resources/app_role_assignment.md
@@ -0,0 +1,174 @@
+---
+subcategory: "App Role Assignments"
+---
+
+# Resource: azuread_app_role_assignment
+
+Manages an app role assignment for a group, user or service principal. Can be used to grant admin consent for application permissions.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires one of the following application roles: `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`, or `AppRoleAssignment.ReadWrite.All` and `Directory.Read.All`, or `Application.ReadWrite.All`, or `Directory.ReadWrite.All`
+
+When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator`
+
+## Example Usage
+
+*App role assignment for accessing Microsoft Graph*
+
+```terraform
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing   = true
+}
+
+resource "azuread_application" "example" {
+  display_name = "example"
+
+  required_resource_access {
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+
+    resource_access {
+      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+      type = "Role"
+    }
+
+    resource_access {
+      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.ReadWrite"]
+      type = "Scope"
+    }
+  }
+}
+
+resource "azuread_service_principal" "example" {
+  application_id = azuread_application.example.application_id
+}
+
+resource "azuread_app_role_assignment" "example" {
+  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+  principal_object_id = azuread_service_principal.example.object_id
+  resource_object_id  = azuread_service_principal.msgraph.object_id
+}
+```
+
+*App role assignment for internal application*
+
+```terraform
+resource "azuread_application" "internal" {
+  display_name = "internal"
+
+  app_role {
+    allowed_member_types = ["Application"]
+    description          = "Apps can query the database"
+    display_name         = "Query"
+    enabled              = true
+    id                   = "00000000-0000-0000-0000-111111111111"
+    value                = "Query.All"
+  }
+}
+
+resource "azuread_service_principal" "internal" {
+  application_id = azuread_application.internal.application_id
+}
+
+resource "azuread_application" "example" {
+  display_name = "example"
+
+  required_resource_access {
+    resource_app_id = azuread_application.internal.application_id
+
+    resource_access {
+      id   = azuread_service_principal.internal.app_role_ids["Query.All"]
+      type = "Role"
+    }
+  }
+}
+
+resource "azuread_service_principal" "example" {
+  application_id = azuread_application.example.application_id
+}
+
+resource "azuread_app_role_assignment" "example" {
+  app_role_id         = azuread_service_principal.internal.app_role_ids["Query.All"]
+  principal_object_id = azuread_service_principal.example.object_id
+  resource_object_id  = azuread_service_principal.internal.object_id
+}
+```
+
+*Assign a user and group to an internal application*
+
+```terraform
+data "azuread_domains" "example" {
+  only_initial = true
+}
+
+resource "azuread_application" "internal" {
+  display_name = "internal"
+
+  app_role {
+    allowed_member_types = ["Application", "User"]
+    description          = "Admins can perform all task actions"
+    display_name         = "Admin"
+    enabled              = true
+    id                   = "00000000-0000-0000-0000-222222222222"
+    value                = "Admin.All"
+  }
+}
+
+resource "azuread_service_principal" "internal" {
+  application_id = azuread_application.internal.application_id
+}
+
+resource "azuread_group" "example" {
+  display_name     = "example"
+  security_enabled = true
+}
+
+resource "azuread_app_role_assignment" "example" {
+  app_role_id         = azuread_service_principal.internal.app_role_ids["Admin.All"]
+  principal_object_id = azuread_group.example.object_id
+  resource_object_id  = azuread_service_principal.internal.object_id
+}
+
+resource "azuread_user" "example" {
+  display_name        = "D. Duck"
+  password            = "SecretP@sswd99!"
+  user_principal_name = "d.duck@${data.azuread_domains.example.domains.0.domain_name}"
+}
+
+resource "azuread_app_role_assignment" "example" {
+  app_role_id         = azuread_service_principal.internal.app_role_ids["Admin.All"]
+  principal_object_id = azuread_user.example.object_id
+  resource_object_id  = azuread_service_principal.internal.object_id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `app_role_id` - (Required) The ID of the app role to be assigned. Changing this forces a new resource to be created.
+* `principal_object_id` - (Required) The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
+* `resource_object_id` - (Required) The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `principal_display_name` - The display name of the principal to which the app role is assigned.
+* `principal_type` - The object type of the principal to which the app role is assigned.
+* `resource_display_name` - The display name of the application representing the resource.
+
+## Import
+
+App role assignments can be imported using the object ID of the service principal representing the resource and the ID of the app role assignment (note: _not_ the ID of the app role), e.g.
+
+```shell
+terraform import azuread_app_role_assignment.example 00000000-0000-0000-0000-000000000000/appRoleAssignment/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
+```
+
+-> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format `{ResourcePrincipalID}/appRoleAssignment/{AppRoleAssignmentID}`.
diff --git a/internal/clients/client.go b/internal/clients/client.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/terraform-provider-azuread/internal/common"
 	applications "github.com/hashicorp/terraform-provider-azuread/internal/services/applications/client"
+	approleassignments "github.com/hashicorp/terraform-provider-azuread/internal/services/approleassignments/client"
 	conditionalaccess "github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess/client"
 	directoryroles "github.com/hashicorp/terraform-provider-azuread/internal/services/directoryroles/client"
 	domains "github.com/hashicorp/terraform-provider-azuread/internal/services/domains/client"
@@ -29,20 +30,22 @@ type Client struct {
 
 	StopContext context.Context
 
-	Applications      *applications.Client
-	ConditionalAccess *conditionalaccess.Client
-	DirectoryRoles    *directoryroles.Client
-	Domains           *domains.Client
-	Groups            *groups.Client
-	Invitations       *invitations.Client
-	ServicePrincipals *serviceprincipals.Client
-	Users             *users.Client
+	Applications       *applications.Client
+	AppRoleAssignments *approleassignments.Client
+	ConditionalAccess  *conditionalaccess.Client
+	DirectoryRoles     *directoryroles.Client
+	Domains            *domains.Client
+	Groups             *groups.Client
+	Invitations        *invitations.Client
+	ServicePrincipals  *serviceprincipals.Client
+	Users              *users.Client
 }
 
 func (client *Client) build(ctx context.Context, o *common.ClientOptions) error {
 	client.StopContext = ctx
 
 	client.Applications = applications.NewClient(o)
+	client.AppRoleAssignments = approleassignments.NewClient(o)
 	client.Domains = domains.NewClient(o)
 	client.ConditionalAccess = conditionalaccess.NewClient(o)
 	client.DirectoryRoles = directoryroles.NewClient(o)

diff --git a/internal/provider/services.go b/internal/provider/services.go
@@ -2,6 +2,7 @@ package provider
 
 import (
 	"github.com/hashicorp/terraform-provider-azuread/internal/services/applications"
+	"github.com/hashicorp/terraform-provider-azuread/internal/services/approleassignments"
 	"github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess"
 	"github.com/hashicorp/terraform-provider-azuread/internal/services/directoryroles"
 	"github.com/hashicorp/terraform-provider-azuread/internal/services/domains"
@@ -14,6 +15,7 @@ import (
 func SupportedServices() []ServiceRegistration {
 	return []ServiceRegistration{
 		applications.Registration{},
+		approleassignments.Registration{},
 		conditionalaccess.Registration{},
 		directoryroles.Registration{},
 		domains.Registration{},