New resource `azuread_privileged_access_group_assignment_schedule_req…

…uest`
hashicorp · Feb 29, 2024 · 3e91d6c · 3e91d6c
1 parent 79f6519
commit 3e91d6c
Show file tree

Hide file tree

Showing 5 changed files with 143 additions and 17 deletions.
diff --git a/docs/resources/privileged_access_group_assignment_schedule_request.md b/docs/resources/privileged_access_group_assignment_schedule_request.md
@@ -0,0 +1,70 @@
+---
+subcategory: "Identity Governance"
+---
+
+# Resource: azuread_privileged_access_group_assignment_schedule_request
+
+Manages an active assignment to a privileged access group.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires the `PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup` Microsoft Graph API permissions.
+
+When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance.
+
+## Example Usage
+
+```terraform
+resource "azuread_group" "example" {
+  display_name     = "group-name"
+  security_enabled = true
+}
+
+resource "azuread_user" "member" {
+  user_principal_name = "[email protected]"
+  display_name        = "J. Doe"
+  mail_nickname       = "jdoe"
+  password            = "SecretP@sswd99!"
+}
+
+resource "azuread_privileged_access_group_assignment_schedule_request" "example" {
+  group_id        = azuread_group.pim.id
+  principal_id    = azuread_user.member.id
+  assignment_type = "member"
+  duration        = "P30D"
+  justification   = "as requested"
+}
+```
+
+## Argument Reference
+
+- `group_id` (Required) The Object ID of the Azure AD group to which the principal will be assigned.
+- `principal_id` (Required) The Object ID of the principal to be assigned to the above group. Can be either a user or a group.
+- `assignment_type` (Required) The type of assignment to the group. Can be either `member` or `owner`.
+- `justification` (Optional) The justification for this assignment. May be required by the role policy.
+- `ticket_number` (Optional) The ticket number in the ticket system approving this assignment. May be required by the role policy.
+- `ticket_system` (Optional) The ticket system containing the ticket number approving this assignment. May be required by the role policy.
+- `start_date` (Optional) The date from which this assignment is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If not provided, the assignment is immediately valid.
+- `expiration_date` (Optional) The date that this assignment expires, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z).
+- `duration` (Optional) The duration that this assignment is valid for, formatted as an ISO8601 duration (e.g. P30D for 30 days, PT3H for three hours).
+- `permanent_assignment` (Optional) Is this assigment permanently valid.
+
+At least one of `expiration_date`, `duration`, or `permanent_assignment` must be supplied. The role policy may limit the maximum duration which can be supplied.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` (String) The ID of this request.
+- `status` (String) The provisioning status of this request.
+- `target_schedule_id` (String) The ID of this schedule created by this request.
+
+## Import
+
+An assignment schedule can be imported using the ID, e.g.
+
+```shell
+terraform import azuread_privileged_access_group_assignment_schedule_request.example 00000000-0000-0000-0000-000000000000
+```
diff --git a/internal/provider/services.go b/internal/provider/services.go
@@ -29,6 +29,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration {
 		applications.Registration{},
 		directoryroles.Registration{},
 		domains.Registration{},
+		identitygovernance.Registration{},
 		serviceprincipals.Registration{},
 	}
 }

diff --git a/internal/services/identitygovernance/client/client.go b/internal/services/identitygovernance/client/client.go
@@ -9,14 +9,15 @@ import (
 )
 
 type Client struct {
-	AccessPackageAssignmentPolicyClient       *msgraph.AccessPackageAssignmentPolicyClient
-	AccessPackageCatalogClient                *msgraph.AccessPackageCatalogClient
-	AccessPackageCatalogRoleAssignmentsClient *msgraph.EntitlementRoleAssignmentsClient
-	AccessPackageCatalogRoleClient            *msgraph.EntitlementRoleDefinitionsClient
-	AccessPackageClient                       *msgraph.AccessPackageClient
-	AccessPackageResourceClient               *msgraph.AccessPackageResourceClient
-	AccessPackageResourceRequestClient        *msgraph.AccessPackageResourceRequestClient
-	AccessPackageResourceRoleScopeClient      *msgraph.AccessPackageResourceRoleScopeClient
+	AccessPackageAssignmentPolicyClient                   *msgraph.AccessPackageAssignmentPolicyClient
+	AccessPackageCatalogClient                            *msgraph.AccessPackageCatalogClient
+	AccessPackageCatalogRoleAssignmentsClient             *msgraph.EntitlementRoleAssignmentsClient
+	AccessPackageCatalogRoleClient                        *msgraph.EntitlementRoleDefinitionsClient
+	AccessPackageClient                                   *msgraph.AccessPackageClient
+	AccessPackageResourceClient                           *msgraph.AccessPackageResourceClient
+	AccessPackageResourceRequestClient                    *msgraph.AccessPackageResourceRequestClient
+	AccessPackageResourceRoleScopeClient                  *msgraph.AccessPackageResourceRoleScopeClient
+	PrivilegedAccessGroupAssignmentScheduleRequestsClient *msgraph.PrivilegedAccessGroupAssignmentScheduleRequestsClient
 }
 
 func NewClient(o *common.ClientOptions) *Client {
@@ -54,14 +55,18 @@ func NewClient(o *common.ClientOptions) *Client {
 	o.ConfigureClient(&accessPackageResourceRoleScopeClient.BaseClient)
 	accessPackageResourceRoleScopeClient.BaseClient.ApiVersion = msgraph.VersionBeta
 
+	privilegedAccessGroupAssignmentScheduleRequestsClient := msgraph.NewPrivilegedAccessGroupAssignmentScheduleRequestsClient()
+	o.ConfigureClient(&privilegedAccessGroupAssignmentScheduleRequestsClient.BaseClient)
+
 	return &Client{
-		AccessPackageAssignmentPolicyClient:       accessPackageAssignmentPolicyClient,
-		AccessPackageCatalogClient:                accessPackageCatalogClient,
-		AccessPackageCatalogRoleAssignmentsClient: accessPackageCatalogRoleAssignmentsClient,
-		AccessPackageCatalogRoleClient:            accessPackageCatalogRoleClient,
-		AccessPackageClient:                       accessPackageClient,
-		AccessPackageResourceClient:               accessPackageResourceClient,
-		AccessPackageResourceRequestClient:        accessPackageResourceRequestClient,
-		AccessPackageResourceRoleScopeClient:      accessPackageResourceRoleScopeClient,
+		AccessPackageAssignmentPolicyClient:                   accessPackageAssignmentPolicyClient,
+		AccessPackageCatalogClient:                            accessPackageCatalogClient,
+		AccessPackageCatalogRoleAssignmentsClient:             accessPackageCatalogRoleAssignmentsClient,
+		AccessPackageCatalogRoleClient:                        accessPackageCatalogRoleClient,
+		AccessPackageClient:                                   accessPackageClient,
+		AccessPackageResourceClient:                           accessPackageResourceClient,
+		AccessPackageResourceRequestClient:                    accessPackageResourceRequestClient,
+		AccessPackageResourceRoleScopeClient:                  accessPackageResourceRoleScopeClient,
+		PrivilegedAccessGroupAssignmentScheduleRequestsClient: privilegedAccessGroupAssignmentScheduleRequestsClient,
 	}
 }
diff --git a/.../services/identitygovernance/parse/privileged_access_group_assignment_schedule_request.go b/.../services/identitygovernance/parse/privileged_access_group_assignment_schedule_request.go
@@ -0,0 +1,35 @@
+package parse
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-provider-azuread/internal/tf/validation"
+)
+
+type PrivilegedAccessGroupAssignmentScheduleRequestId struct {
+	RequestId string
+}
+
+func NewPrivilegedAccessGroupAssignmentScheduleRequestID(requestId string) *PrivilegedAccessGroupAssignmentScheduleRequestId {
+	return &PrivilegedAccessGroupAssignmentScheduleRequestId{
+		RequestId: requestId,
+	}
+}
+
+func ParsePrivilegedAccessGroupAssignmentScheduleRequestID(idString string) (*PrivilegedAccessGroupAssignmentScheduleRequestId, error) {
+	if _, err := validation.IsUUID(idString, "RequestId"); len(err) > 0 {
+		return nil, fmt.Errorf("parsing RequestId: %+v", err)
+	}
+
+	return &PrivilegedAccessGroupAssignmentScheduleRequestId{
+		RequestId: idString,
+	}, nil
+}
+
+func (id *PrivilegedAccessGroupAssignmentScheduleRequestId) ID() string {
+	return id.RequestId
+}
+
+func (id *PrivilegedAccessGroupAssignmentScheduleRequestId) String() string {
+	return fmt.Sprintf("Privileged Access Group Assigment Schedule Request ID: %q", id.RequestId)
+}
diff --git a/internal/services/identitygovernance/registration.go b/internal/services/identitygovernance/registration.go
@@ -3,7 +3,10 @@
 
 package identitygovernance
 
-import "github.com/hashicorp/terraform-provider-azuread/internal/tf/pluginsdk"
+import (
+	"github.com/hashicorp/terraform-provider-azuread/internal/sdk"
+	"github.com/hashicorp/terraform-provider-azuread/internal/tf/pluginsdk"
+)
 
 type Registration struct{}
 
@@ -44,3 +47,15 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 		"azuread_access_package_resource_package_association": accessPackageResourcePackageAssociationResource(),
 	}
 }
+
+// DataSources returns the typed DataSources supported by this service
+func (r Registration) DataSources() []sdk.DataSource {
+	return []sdk.DataSource{}
+}
+
+// Resources returns the typed Resources supported by this service
+func (r Registration) Resources() []sdk.Resource {
+	return []sdk.Resource{
+		PrivilegedAccessGroupAssignmentScheduleRequestResource{},
+	}
+}