Support for managing claims mapping policies (azuread_claims_mapping_policy, azuread_claims_mapping_policy_assignment)

[tiwood]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We want to manage claim mappings within our Terraform configuration.

New or Affected Resource(s)

• azuread_claims_mapping_policy
• azuread_claims_mapping_policy_assignment

Potential Terraform Configuration

#// ref: https://docs.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0
resource "azuread_claims_mapping_policy" "app" {
  version                 = 1
  display_name            = "foobar"
  include_basic_claim_set = true

  #// this can be repeated n times
  claim_mapping {
    source          = "user"            #// one of 'user', 'group'
    id              = "JobTitle"        #// conflicts with extension_id 
    extension_id    = "extension999999" #// conflicts with id
    saml_claim_type = "hisCoolJobTitle"
    jwt_claim_type  = "hisCoolJobTitle"
  }
}

#//ref: https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-claimsmappingpolicies?view=graph-rest-1.0&tabs=http
resource "azuread_claims_mapping_policy_assignment" "app" {
  service_princiapl_id     = azuread_service_principal.example.id
  claims_mapping_policy_id = azuread_claims_mapping_policy.app.id
}

References

https://docs.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0
https://docs.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0#properties-of-a-claims-mapping-policy-definition

[webframp]

Our team internally has started some work to add this support since we have a need for it. Based on early work in the hamilton sdk we currently have an alpha quality functional resource that works like this to create a claims mapping policy:

resource "azuread_claims_mapping_policy" "test" {
  definition = [
    jsonencode(
      {
        ClaimsMappingPolicy = {
          ClaimsSchema = [
            {
              ID            = "employeeid"
              JwtClaimType  = "name"
              SamlClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
              Source        = "user"
            },
            {
              ID            = "tenantcountry"
              JwtClaimType  = "country"
              SamlClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
              Source        = "company"
            }
          ]
          IncludeBasicClaimSet = "true"
          Version              = 1
        }
      }
    ),
  ]
  description  = "hcl-created-policy"
  display_name = "hcl-create-policy"
}

Plan output is still a bit funny as it shows a diff every single time for the entire definition block, this is something we'll still need to improve before it's really ready but we'll be testing it as well as adding policy assignment support for service principals.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.