New Data Source/Resource: azuread_user

[glenjamin]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When using azurerm_role_assignment to set permissions, we often want to refer to existing users and groups.

It would be great if there was a data provider for this.

It might also be useful to have a resource provider to create these in the first place.

New or Affected Resource(s)

n/a

Potential Terraform Configuration

n/a

References

n/a

[tombuildsstuff]

hey @glenjamin

Thanks for opening this issue :)

We've had a few requests for managing/using information about Users and Groups within Terraform recently - I'm going to add the thinking tag to this for the moment. In general Terraform whilst could return this information as Data Sources - I don't necessarily think it's the right tool to be managing this information (since it can naturally change outside of Terraform e.g. users synced from Azure AD) - and whilst this issue is mostly about Data Sources, two are naturally related since in order to write tests for a Data Source we generally need a matching resource.

Thanks!

[glenjamin]

I forgot about Azure AD syncing.

I agree that resources for these might not make the most sense, but at the moment I have to put a load of AD Object IDs in my code, so it would be nice if there was a way to do the data sources.

[LaurentLesle]

I think it is a good idea to be able to generate service principals in Azure AD from Terraform and link the service principal to a custom role, azure keyvault policy or other resources. I tend to use certificates instead of service principal's password and with Terraform I can nicely linked that from Keyvault. At least the use case for initial provisioning would work well. Certificate rotation/password changes could be more tricky. I would not use terraform for Azure AD users (type members/guests). I can see however a lot of use cases for Azure AD Groups creation + custom roles.

[perbergland]

If this was available I would definitely use it for groups and service principals and maybe for users when running without any syncing to other ADs (pure Azure AD).

[tombuildsstuff]

👋🏻

We've just posted a proposal regarding splitting the Azure Active Directory resources out into their own Provider in #2322, which would allow us to ship support for the AzureAD Group and User resources. If you're subscribed to this thread we'd be interested to hear any feedback you may have on the proposal in that thread :)

Thanks!

[katbyte]

Hi @glenjamin,

As in 2.0 we are deprecating all Azure AD resources and data sources in the Azure RM provider in favour of this new provider I have moved the issue here.

[perbergland]

Since it seems this will be implemented fairly soon I have been thinking about how to treat group members and owners.
For most use cases I would prefer to be able to add both owners and members outside of terraform so then it would make the most sense to have group members and owners as resources separate from the group itself, but sometimes I want to have fully managed groups and then it would be preferred to have both properties as lists and purge any item not mentioned in the list.

What are other people's thoughts?

[tombuildsstuff]

@perbergland I'd suggest opening a separate issue for that (tbh this issue should be split into two, one for the Groups and one for Users since both of these areas are pretty big, but anyway 🙃).

In terms of how that's implemented I could see it being useful to manage both internally and externally as you've mentioned; but I'd suggest it needs further research as to the API's available in that new issue?

[tombuildsstuff]

Support for Groups has been merged in #14 (thanks @tiwood 🍾) - as such I'm going to update the title of this issue to focus on support for Users (which is being added in #18)

[katbyte]

Support for users was merged in #18 (thanks again @tiwood)

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!