Skip to content

Commit

Permalink
azuread_application & azuread_service_principal: export the `app_role…
Browse files Browse the repository at this point in the history
…s` property (#110)
  • Loading branch information
Joakim Bakke Hellum authored and katbyte committed Jun 13, 2019
1 parent 239b066 commit 59b095b
Show file tree
Hide file tree
Showing 8 changed files with 127 additions and 33 deletions.
6 changes: 6 additions & 0 deletions azuread/data_application.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ func dataApplication() *schema.Resource {
Computed: true,
},

"app_roles": graph.SchemaAppRoles(),

"required_resource_access": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -193,6 +195,10 @@ func dataApplicationRead(d *schema.ResourceData, meta interface{}) error {
d.Set("type", "webapp/api")
}

if err := d.Set("app_roles", graph.FlattenAppRoles(app.AppRoles)); err != nil {
return fmt.Errorf("Error setting `app_roles`: %+v", err)
}

if err := d.Set("group_membership_claims", app.GroupMembershipClaims); err != nil {
return fmt.Errorf("Error setting `group_membership_claims`: %+v", err)
}
Expand Down
1 change: 1 addition & 0 deletions azuread/data_application_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ func TestAccAzureADApplicationDataSource_byObjectId(t *testing.T) {
resource.TestCheckResourceAttr(dataSourceName, "reply_urls.#", "0"),
resource.TestCheckResourceAttr(dataSourceName, "required_resource_access.#", "0"),
resource.TestCheckResourceAttr(dataSourceName, "type", "webapp/api"),
resource.TestCheckResourceAttr(dataSourceName, "app_roles.#", "0"),
resource.TestCheckResourceAttr(dataSourceName, "oauth2_allow_implicit_flow", "false"),
resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctest%s", id))),
Expand Down
6 changes: 6 additions & 0 deletions azuread/data_service_principal.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ func dataServicePrincipal() *schema.Resource {
ConflictsWith: []string{"object_id", "display_name"},
},

"app_roles": graph.SchemaAppRoles(),

"oauth2_permissions": graph.SchemaOauth2Permissions(),
},
}
Expand Down Expand Up @@ -129,6 +131,10 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
d.Set("display_name", sp.DisplayName)
d.Set("object_id", sp.ObjectID)

if err := d.Set("app_roles", graph.FlattenAppRoles(sp.AppRoles)); err != nil {
return fmt.Errorf("Error setting `app_roles`: %+v", err)
}

if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(sp.Oauth2Permissions)); err != nil {
return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
}
Expand Down
1 change: 1 addition & 0 deletions azuread/data_service_principal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) {
resource.TestCheckResourceAttrSet(dataSourceName, "application_id"),
resource.TestCheckResourceAttrSet(dataSourceName, "object_id"),
resource.TestCheckResourceAttrSet(dataSourceName, "display_name"),
resource.TestCheckResourceAttr(dataSourceName, "app_roles.#", "0"),
resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))),
),
Expand Down
76 changes: 76 additions & 0 deletions azuread/helpers/graph/application.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,50 @@ import (
"github.com/hashicorp/terraform/helper/schema"
)

func SchemaAppRoles() *schema.Schema {
return &schema.Schema{
Type: schema.TypeList,
Optional: true,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"id": {
Type: schema.TypeString,
Computed: true,
},

"allowed_member_types": {
Type: schema.TypeSet,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},

"description": {
Type: schema.TypeString,
Computed: true,
},

"display_name": {
Type: schema.TypeString,
Computed: true,
},

"is_enabled": {
Type: schema.TypeBool,
Computed: true,
},

"value": {
Type: schema.TypeString,
Computed: true,
},
},
},
}
}

func SchemaOauth2Permissions() *schema.Schema {
return &schema.Schema{
Type: schema.TypeList,
Expand Down Expand Up @@ -56,6 +100,38 @@ func SchemaOauth2Permissions() *schema.Schema {
}
}

func FlattenAppRoles(in *[]graphrbac.AppRole) []interface{} {
if in == nil {
return []interface{}{}
}

appRoles := make([]interface{}, 0)
for _, role := range *in {
appRole := make(map[string]interface{})
if role.ID != nil {
appRole["id"] = *role.ID
}
if role.AllowedMemberTypes != nil {
appRole["allowed_member_types"] = *role.AllowedMemberTypes
}
if role.Description != nil {
appRole["description"] = *role.Description
}
if role.DisplayName != nil {
appRole["display_name"] = *role.DisplayName
}
if role.IsEnabled != nil {
appRole["is_enabled"] = *role.IsEnabled
}
if role.Value != nil {
appRole["value"] = *role.Value
}
appRoles = append(appRoles, appRole)
}

return appRoles
}

func FlattenOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} {
if in == nil {
return []map[string]interface{}{}
Expand Down
34 changes: 1 addition & 33 deletions azuread/resource_application.go
Original file line number Diff line number Diff line change
Expand Up @@ -396,7 +396,7 @@ func resourceApplicationRead(d *schema.ResourceData, meta interface{}) error {
return fmt.Errorf("Error setting `required_resource_access`: %+v", err)
}

if err := d.Set("app_role", flattenADApplicationAppRoles(app.AppRoles)); err != nil {
if err := d.Set("app_role", graph.FlattenAppRoles(app.AppRoles)); err != nil {
return fmt.Errorf("Error setting `app_role`: %+v", err)
}

Expand Down Expand Up @@ -553,35 +553,3 @@ func expandADApplicationAppRoles(i interface{}) *[]graphrbac.AppRole {

return &output
}

func flattenADApplicationAppRoles(in *[]graphrbac.AppRole) []interface{} {
if in == nil {
return []interface{}{}
}

appRoles := make([]interface{}, 0)
for _, role := range *in {
appRole := make(map[string]interface{})
if role.ID != nil {
appRole["id"] = *role.ID
}
if role.AllowedMemberTypes != nil {
appRole["allowed_member_types"] = *role.AllowedMemberTypes
}
if role.Description != nil {
appRole["description"] = *role.Description
}
if role.DisplayName != nil {
appRole["display_name"] = *role.DisplayName
}
if role.IsEnabled != nil {
appRole["is_enabled"] = *role.IsEnabled
}
if role.Value != nil {
appRole["value"] = *role.Value
}
appRoles = append(appRoles, appRole)
}

return appRoles
}
18 changes: 18 additions & 0 deletions website/docs/d/application.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ output "azure_ad_object_id" {

* `oauth2_permissions` - A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by a `oauth2_permission` block as documented below.

* `app_roles` - A collection of `app_role` blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

---

`required_resource_access` block exports the following:
Expand Down Expand Up @@ -89,3 +91,19 @@ output "azure_ad_object_id" {
* `user_consent_display_name` - The display name of the user consent

* `value` - The name of this permission

---

`app_role` block exports the following:

* `id` - The unique identifier of the `app_role`.

* `allowed_member_types` - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: `User` and `Application`, or both.

* `description` - Permission help text that appears in the admin app assignment and consent experiences.

* `display_name` - Display name for the permission that appears in the admin consent and app assignment experiences.

* `is_enabled` - Determines if the app role is enabled.

* `value` - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.
18 changes: 18 additions & 0 deletions website/docs/d/service_principal.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ The following arguments are supported:

-> **NOTE:** At least one of `application_id`, `display_name` or `object_id` must be specified.

* `app_roles` - A collection of `app_role` blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below.

## Attributes Reference
Expand Down Expand Up @@ -76,3 +78,19 @@ The following attributes are exported:
* `user_consent_display_name` - The display name of the user consent

* `value` - The name of this permission

---

`app_role` block exports the following:

* `id` - The unique identifier of the `app_role`.

* `allowed_member_types` - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: `User` and `Application`, or both.

* `description` - Permission help text that appears in the admin app assignment and consent experiences.

* `display_name` - Display name for the permission that appears in the admin consent and app assignment experiences.

* `is_enabled` - Determines if the app role is enabled.

* `value` - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

0 comments on commit 59b095b

Please sign in to comment.