Provide support for approle outside of resource_service_principal as an independent resource

[gtmtech]

Much like the excellent work on #306 !

Description

I would also like the ability to perform app_roles on a service_principal, without specifying the entire service_principal resources. This is similar to #306 which was fixed in 1.0.0 whereby it is now possible to specify an azuread_application_app_role independently of the azuread_application

In our AD setup, a service principal for an enterprise application is created for us by another team, and we can only create app_roles on it. We have no permission to be able to create or modify enterprise applications or service_principals on top, but would like to be able to create and assign app_roles to users on preexisting service-principals.

As with many terraform resources, it would be useful if both approaches were possible.

New or Affected Resource(s)

resource_service_principal.go

[manicminer]

@gtmtech Thanks for requesting this. Have you tried importing the existing service principal (to avoid duplicating an already existing one)? It might be a useful workaround for you in the meantime.

[gtmtech]

@manicminer, yeah I figured this was a method before on #306 as well - as well as putting lifecycle changes ignore on just about every field except approle.

I think what put me off was that we are going through a large enterprise application onboarding process, between different teams, responsible for different areas of AD, and I would constantly be having to terraform import eapps which struck me as a largely manual process as opposed to just using a datasource lookup based on name and resource for the approle which is far more automated.

I think your workaround would work the odd case here or there though, I had considered it. Would be super nice to have the resource available though

[manicminer]

@gtmtech I took a quick look at this using Microsoft Graph, and it seems like the appRoles collection returned for service principals is merely from the corresponding application manifest. When I try to patch a service principal directly to add appRoles I get a 400 error. Do you know if this is supposed to work?

[gtmtech]

@manicminer I'm currently using the shell provider to patch servicePrincipals as a workaround, but yes: - Python code sorry!

    service_principal = msgraph.get_app_service_principal()
    ...
    service_principal['appRoles'].append(approle)
    ...
    _r = msgraph.query_ms_graph_request(
      query_object = "servicePrincipals/{0}".format(service_principal['id']),
      auth_header  = auth_header,
      html_method  = "patch",
      html_data    = service_principal
    )

Asked a colleague to comment too as he does more stuff on ms-graph-explorer than I do.

[manicminer]

@gtmtech Thanks for updating, would you be able to capture the HTTP request and response so we can see what's happening under the hood?

[manicminer]

Given that appRoles are a property of the app registration rather than the service principal, I'm going to close this issue for now.

App roles can be configured using the azuread_application resource, and any configured roles will reflect in the attributes of the linked service principal.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.