Merge pull request #1327 from oWretch/f/pim-groups

Add support for PIM Group management

.github/labeler-issue-triage.yaml

@@ -25,16 +25,16 @@ feature/domains:
   - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_domains((.|\n)*)###'
 
 feature/groups:
-  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_group((.|\n)*)###'
+  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(group\W+|group_member\W+|groups\W+)((.|\n)*)###'
 
 feature/identity-governance:
-  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_access_package((.|\n)*)###'
+  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(access_package|privileged_access_group_)((.|\n)*)###'
 
 feature/invitations:
   - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_invitation((.|\n)*)###'
 
 feature/policies:
-  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(authentication_strength_policy|claims_mapping_policy)((.|\n)*)###'
+  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(authentication_strength_policy|claims_mapping_policy|group_role_management_policy)((.|\n)*)###'
 
 feature/service-principals:
   - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(client_config|service_principal|synchronization_)((.|\n)*)###'

docs/data-sources/group_role_management_policy.md

@@ -0,0 +1,42 @@
+---
+subcategory: "Policies"
+---
+
+# Data Source: azuread_group_role_management_policy
+
+Use this data source to retrieve a role policy for an Azure AD group.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires the `RoleManagementPolicy.Read.AzureADGroup` Microsoft Graph API permissions.
+
+When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance.
+
+## Example Usage
+
+```terraform
+resource "azuread_group" "example" {
+  display_name     = "group-name"
+  security_enabled = true
+}
+
+data "azuread_group_role_management_policy" "owners_policy" {
+  group_id = azuread_group.example.id
+  role_id  = "owner"
+}
+```
+
+## Argument Reference
+
+* `group_id` - (Required) The ID of the Azure AD group for which the policy applies.
+* `role_id` - (Required) The type of assignment this policy coveres. Can be either `member` or `owner`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `description` - (String) The description of this policy.
+* `display_name` - (String) The display name of this policy.
+* `id` - (String) The ID of this policy.

docs/resources/group_role_management_policy.md

@@ -0,0 +1,152 @@
+---
+subcategory: "Policies"
+---
+
+# Resource: azuread_group_role_management_policy
+
+Manage a role policy for an Azure AD group.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires the `RoleManagementPolicy.ReadWrite.AzureADGroup` Microsoft Graph API permissions.
+
+When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance.
+
+## Example Usage
+
+```terraform
+resource "azuread_group" "example" {
+  display_name     = "group-name"
+  security_enabled = true
+}
+
+resource "azuread_user" "member" {
+  user_principal_name = "[email protected]"
+  display_name        = "J. Doe"
+  mail_nickname       = "jdoe"
+  password            = "SecretP@sswd99!"
+}
+
+resource "azuread_group_role_management_policy" "example" {
+  group_id        = azuread_group.example.id
+  assignment_type = "member"
+
+  active_assignment_rules {
+    expire_after = "P365D"
+  }
+
+  eligible_assignment_rules {
+    expiration_required = false
+  }
+
+  notification_rules {
+    eligible_assignments {
+      approver_notifications {
+        notification_level = "Critical"
+        default_recipients = false
+        additional_recipients = [
+          "[email protected]",
+          "[email protected]",
+        ]
+      }
+    }
+  }
+}
+```
+
+## Argument Reference
+
+- `activation_rules` - (Optional) An `activation_rules` block as defined below.
+- `active_assignment_rules` - (Optional) An `active_assignment_rules` block as defined below.
+- `eligible_assignment_rules` - (Optional) An `eligible_assignment_rules` block as defined below.
+- `group_id` - (Required) The ID of the Azure AD group for which the policy applies.
+- `notification_rules` - (Optional) A `notification_rules` block as defined below.
+- `role_id` - (Required) The type of assignment this policy coveres. Can be either `member` or `owner`.
+
+---
+
+An `activation_rules` block supports the following:
+
+- `approval_stage` - (Optional) An `approval_stage` block as defined below.
+- `maximum_duration` - (Optional) The maximum length of time an activated role can be valid, in an IS)8601 Duration format (e.g. `PT8H`). Valid range is `PT30M` to `PT23H30M`, in 30 minute increments, or `PT1D`.
+- `require_approval` - (Optional) Is approval required for activation. If `true` an `approval_stage` block must be provided.
+- `require_justification` - (Optional) Is a justification required during activation of the role.
+- `require_multifactor_authentication` - (Optional) Is multi-factor authentication required to activate the role. Conflicts with `required_conditional_access_authentication_context`.
+- `require_ticket_info` - (Optional) Is ticket information requrired during activation of the role.
+- `required_conditional_access_authentication_context` - (Optional) The Entra ID Conditional Access context that must be present for activation. Conflicts with `require_multifactor_authentication`.
+
+---
+
+An `active_assignment_rules` block supports the following:
+
+- `expiration_required` - (Optional) Must an assignment have an expiry date. `false` allows permanent assignment.
+- `expire_after` - (Optional) The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`.
+- `require_justification` - (Optional) Is a justification required to create new assignments.
+- `require_multifactor_authentication` - (Optional) Is multi-factor authentication required to create new assignments.
+- `require_ticket_info` - (Optional) Is ticket information required to create new assignments.
+
+One of `expiration_required` or `expire_after` must be provided.
+
+---
+
+An `approval_stage` block supports the following:
+
+- One or more `primary_approver` blocks as defined below.
+
+---
+
+An `eligible_assignment_rules` block supports the following:
+
+- `expiration_required`- Must an assignment have an expiry date. `false` allows permanent assignment.
+- `expire_after` - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`.
+
+One of `expiration_required` or `expire_after` must be provided.
+
+---
+
+A `notification_rules` block supports the following:
+
+- `active_assignments` - (Optional) A `notification_target` block as defined below to configure notfications on active role assignments.
+- `eligible_activations` - (Optional) A `notification_target` block as defined below for configuring notifications on activation of eligible role.
+- `eligible_assignments` - (Optional) A `notification_target` block as defined below to configure notification on eligible role assignments.
+
+At least one `notification_target` block must be provided.
+
+---
+
+A `notification_settings` block supports the following:
+
+- `additional_recipients` - (Optional) A list of additional email addresses that will receive these notifications.
+- `default_recipients` - (Required) Should the default recipients receive these notifications.
+- `notification_level` - (Required) What level of notifications should be sent. Options are `All` or `Critical`.
+
+---
+
+A `notification_target` block supports the following:
+
+- `admin_notifications` - (Optional) A `notification_settings` block as defined above.
+- `approver_notifications` - (Optional) A `notification_settings` block as defined above.
+- `assignee_notifications` - (Optional) A `notification_settings` block as defined above.
+
+At least one `notification_settings` block must be provided.
+
+---
+
+A `primary_approver` block supports the following:
+
+- `object_id` - (Required) The ID of the object which will act as an approver.
+- `type` - (Required) The type of object acting as an approver. Possible options are `singleUser` and `groupMembers`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `description` - (String) The description of this policy.
+- `display_name` - (String) The display name of this policy.
+- `id` - (String) The ID of this policy.
+
+## Import
+
+Because these policies are created automatically by Entra ID, they will auto-import on first use.

docs/resources/privileged_access_group_assignment_schedule.md

@@ -0,0 +1,70 @@
+---
+subcategory: "Identity Governance"
+---
+
+# Resource: azuread_privileged_access_group_assignment_schedule
+
+Manages an active assignment to a privileged access group.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires the `PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup` Microsoft Graph API permissions.
+
+When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance.
+
+## Example Usage
+
+```terraform
+resource "azuread_group" "example" {
+  display_name     = "group-name"
+  security_enabled = true
+}
+
+resource "azuread_user" "member" {
+  user_principal_name = "[email protected]"
+  display_name        = "J. Doe"
+  mail_nickname       = "jdoe"
+  password            = "SecretP@sswd99!"
+}
+
+resource "azuread_privileged_access_group_assignment_schedule" "example" {
+  group_id        = azuread_group.pim.id
+  principal_id    = azuread_user.member.id
+  assignment_type = "member"
+  duration        = "P30D"
+  justification   = "as requested"
+}
+```
+
+## Argument Reference
+
+- `group_id` (Required) The Object ID of the Azure AD group to which the principal will be assigned.
+- `principal_id` (Required) The Object ID of the principal to be assigned to the above group. Can be either a user or a group.
+- `assignment_type` (Required) The type of assignment to the group. Can be either `member` or `owner`.
+- `justification` (Optional) The justification for this assignment. May be required by the role policy.
+- `ticket_number` (Optional) The ticket number in the ticket system approving this assignment. May be required by the role policy.
+- `ticket_system` (Optional) The ticket system containing the ticket number approving this assignment. May be required by the role policy.
+- `start_date` (Optional) The date from which this assignment is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If not provided, the assignment is immediately valid.
+- `expiration_date` (Optional) The date that this assignment expires, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z).
+- `duration` (Optional) The duration that this assignment is valid for, formatted as an ISO8601 duration (e.g. P30D for 30 days, PT3H for three hours).
+- `permanent_assignment` (Optional) Is this assigment permanently valid.
+
+At least one of `expiration_date`, `duration`, or `permanent_assignment` must be supplied. The role policy may limit the maximum duration which can be supplied.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` - (String) The ID of this request.
+- `status` - (String) The provisioning status of this request.
+- `target_schedule_id` - (String) The ID of this schedule created by this request.
+
+## Import
+
+An assignment schedule can be imported using the schedule ID, e.g.
+
+```shell
+terraform import azuread_privileged_access_group_assignment_schedule.example 00000000-0000-0000-0000-000000000000_member_00000000-0000-0000-0000-000000000000
+```

docs/resources/privileged_access_group_eligibility_schedule.md

@@ -0,0 +1,70 @@
+---
+subcategory: "Identity Governance"
+---
+
+# Resource: azuread_privileged_access_group_eligibility_schedule
+
+Manages an eligible assignment to a privileged access group.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires the `PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup` Microsoft Graph API permissions.
+
+When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance.
+
+## Example Usage
+
+```terraform
+resource "azuread_group" "example" {
+  display_name     = "group-name"
+  security_enabled = true
+}
+
+resource "azuread_user" "member" {
+  user_principal_name = "[email protected]"
+  display_name        = "J. Doe"
+  mail_nickname       = "jdoe"
+  password            = "SecretP@sswd99!"
+}
+
+resource "azuread_privileged_access_group_eligibility_schedule" "example" {
+  group_id        = azuread_group.pim.id
+  principal_id    = azuread_user.member.id
+  assignment_type = "member"
+  duration        = "P30D"
+  justification   = "as requested"
+}
+```
+
+## Argument Reference
+
+- `group_id` (Required) The Object ID of the Azure AD group to which the principal will be assigned.
+- `principal_id` (Required) The Object ID of the principal to be assigned to the above group. Can be either a user or a group.
+- `assignment_type` (Required) The type of assignment to the group. Can be either `member` or `owner`.
+- `justification` (Optional) The justification for this assignment. May be required by the role policy.
+- `ticket_number` (Optional) The ticket number in the ticket system approving this assignment. May be required by the role policy.
+- `ticket_system` (Optional) The ticket system containing the ticket number approving this assignment. May be required by the role policy.
+- `start_date` (Optional) The date from which this assignment is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If not provided, the assignment is immediately valid.
+- `expiration_date` (Optional) The date that this assignment expires, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z).
+- `duration` (Optional) The duration that this assignment is valid for, formatted as an ISO8601 duration (e.g. P30D for 30 days, PT3H for three hours).
+- `permanent_assignment` (Optional) Is this assigment permanently valid.
+
+At least one of `expiration_date`, `duration`, or `permanent_assignment` must be supplied. The role policy may limit the maximum duration which can be supplied.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` - (String) The ID of this request.
+- `status` - (String) The provisioning status of this request.
+- `target_schedule_id` - (String) The ID of this schedule created by this request.
+
+## Import
+
+An assignment schedule can be imported using the schedule ID, e.g.
+
+```shell
+terraform import azuread_privileged_access_group_eligibility_schedule.example 00000000-0000-0000-0000-000000000000_member_00000000-0000-0000-0000-000000000000
+```

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0
 	github.com/hashicorp/terraform-plugin-testing v1.5.1
-	github.com/manicminer/hamilton v0.66.0
+	github.com/manicminer/hamilton v0.67.0
 	golang.org/x/text v0.14.0
 )
 

go.sum

@@ -111,8 +111,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/manicminer/hamilton v0.66.0 h1:pJPlaf32wMZBCArX1U5QC0YqR3vnJoc4crTuigLy0og=
-github.com/manicminer/hamilton v0.66.0/go.mod h1:u80g9rPtJpCG7EC0iayttt8UfeAp6jknClixgZGE950=
+github.com/manicminer/hamilton v0.67.0 h1:hG3tPunQCGcgP2Nx0+lwW+Swu9MXOs4JGospakK79pY=
+github.com/manicminer/hamilton v0.67.0/go.mod h1:u80g9rPtJpCG7EC0iayttt8UfeAp6jknClixgZGE950=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=

internal/provider/services.go

@@ -29,6 +29,8 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration {
 		applications.Registration{},
 		directoryroles.Registration{},
 		domains.Registration{},
+		policies.Registration{},
+		identitygovernance.Registration{},
 		serviceprincipals.Registration{},
 	}
 }