Implement Azure AD role-based access control resource #422
Comments
Hi @beachfires, thanks for requesting this feature! You are correct, we currently don't have the ability to assign directory roles to principals. This capability is currently blocked on our active work to move to the Microsoft Graph API (see #323 for context). I believe there is an existing issue requesting this feature, #50 - is that the same as what you had in mind?
@manicminer as I understand, #50 is to assign AD roles to AD users and this issue is to assign AD roles to Azure principals. I'm not sure I understand correctly, but we have use cases for the latter anyway. @beachfires tell me if I'm wrong and I should open another issue.
@yann-soubeyrand Thanks, that makes sense. The most likely implementation will be a single member-style resource that accepts a role ID and an object ID for a principal (user or service). Something like this:

```hcl
resource "azuread_directory_role_member" "example_up" {
  role_id          = data.azuread_directory_role.global_admin.id
  member_object_id = azuread_user.example.object_id
}

resource "azuread_directory_role_member" "example_sp" {
  role_id          = data.azuread_directory_role.user_admin.id
  member_object_id = azuread_service_principal.example.object_id
}
```

That said, I'm happy to leave this issue open for clarification.
Yes, exactly what @manicminer described.
Just noticed this is a duplicate of #50, going to close this in favor of the existing issue
Duplicate of #50
This functionality has been released in v2.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
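The member-style resource sketched earlier in this thread, written against the resources that shipped in v2.1.0 of the provider (`azuread_directory_role` to activate a built-in role template in the tenant, `azuread_directory_role_member` to add one principal to it). This is an added example, not the provider's documentation and not code posted by anyone in the issue; the user principal name, the service principal display name and all resource labels are assumptions, and both principals are looked up with data sources so the configuration stands on its own.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 2.1.0" # azuread_directory_role and azuread_directory_role_member first shipped in v2.1.0
    }
  }
}

provider "azuread" {}

# Assumed principals (not from the issue): an existing user and an existing
# service principal, resolved to their object IDs.
data "azuread_user" "ops_admin" {
  user_principal_name = "ops.admin@example.com"
}

data "azuread_service_principal" "automation" {
  display_name = "example-automation"
}

# Activate the built-in role templates named in the issue description.
# Looking them up by display_name avoids hard-coding role template IDs.
resource "azuread_directory_role" "security_admin" {
  display_name = "Security Administrator"
}

resource "azuread_directory_role" "app_admin" {
  display_name = "Application Administrator"
}

# One membership resource per (role, principal) pair. The role is tenant-wide
# ("Active Directory scope" in the description), so there is no scope argument.
# member_object_id accepts any directory object: a user here, a service
# principal below, which is the case @yann-soubeyrand raised.
resource "azuread_directory_role_member" "ops_admin_security_admin" {
  role_object_id   = azuread_directory_role.security_admin.object_id
  member_object_id = data.azuread_user.ops_admin.object_id
}

resource "azuread_directory_role_member" "automation_app_admin" {
  role_object_id   = azuread_directory_role.app_admin.object_id
  member_object_id = data.azuread_service_principal.automation.object_id
}
```

Two things to check before applying this in a real tenant. The identity Terraform runs as must itself be allowed to manage role membership: Privileged Role Administrator (or Global Administrator) when authenticating as a user, or the `RoleManagement.ReadWrite.Directory` Graph application permission when running as a service principal, and that identity is now a high-value target, so keep it separate from everyday pipeline credentials. Second, each `azuread_directory_role_member` tracks only the membership it created; members added outside Terraform are neither removed nor reported as drift by it, so it does not replace a periodic review of who actually holds these roles.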
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
I'm currently trying to manage our Azure Active Directory using terraform and have managed to move user/group/role-assignments so far. One last thing I want to be able to do using terraform is assign AD Administrative Roles. For example I want to be able to assign the Admin role "Application administrator" or "Security administrator" to a user at the Active Directory scope (https://docs.microsoft.com/en-gb/azure/active-directory/roles/custom-overview#understand-azure-ad-role-based-access-control). I do not see any way I can do this right now.