azuread_service_principal: export the oauth2_permissions property

azuread/data_application.go

@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/terraform/helper/schema"
 
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph"
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/tf"
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate"
 )
@@ -109,54 +110,7 @@ func dataApplication() *schema.Resource {
 				},
 			},
 
-			"oauth2_permissions": {
-				Type:     schema.TypeList,
-				Optional: true,
-				Computed: true,
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"admin_consent_description": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"admin_consent_display_name": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"id": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"is_enabled": {
-							Type:     schema.TypeBool,
-							Computed: true,
-						},
-
-						"type": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"user_consent_description": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"user_consent_display_name": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"value": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-					},
-				},
-			},
+			"oauth2_permissions": graph.SchemaOauth2Permissions(),
 		},
 	}
 }
@@ -243,7 +197,7 @@ func dataApplicationRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("Error setting `group_membership_claims`: %+v", err)
 	}
 
-	if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil {
+	if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil {
 		return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
 	}
 

azuread/data_service_principal.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph"
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate"
 
 	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
@@ -38,6 +39,8 @@ func dataServicePrincipal() *schema.Resource {
 				ValidateFunc:  validate.UUID,
 				ConflictsWith: []string{"object_id", "display_name"},
 			},
+
+			"oauth2_permissions": graph.SchemaOauth2Permissions(),
 		},
 	}
 }
@@ -126,5 +129,9 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
 	d.Set("display_name", sp.DisplayName)
 	d.Set("object_id", sp.ObjectID)
 
+	if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(sp.Oauth2Permissions)); err != nil {
+		return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
+	}
+
 	return nil
 }

azuread/data_service_principal_test.go

@@ -24,6 +24,8 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) {
 					resource.TestCheckResourceAttrSet(dataSourceName, "application_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "object_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "display_name"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))),
 				),
 			},
 		},

azuread/helpers/graph/application.go

@@ -0,0 +1,96 @@
+package graph
+
+import (
+	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func SchemaOauth2Permissions() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		Computed: true,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"admin_consent_description": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"admin_consent_display_name": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"id": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"is_enabled": {
+					Type:     schema.TypeBool,
+					Computed: true,
+				},
+
+				"type": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"user_consent_description": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"user_consent_display_name": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"value": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+			},
+		},
+	}
+}
+
+func FlattenOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} {
+	if in == nil {
+		return []map[string]interface{}{}
+	}
+
+	result := make([]map[string]interface{}, 0)
+	for _, p := range *in {
+		permission := make(map[string]interface{})
+		if v := p.AdminConsentDescription; v != nil {
+			permission["admin_consent_description"] = v
+		}
+		if v := p.AdminConsentDisplayName; v != nil {
+			permission["admin_consent_display_name"] = v
+		}
+		if v := p.ID; v != nil {
+			permission["id"] = v
+		}
+		if v := p.IsEnabled; v != nil {
+			permission["is_enabled"] = *v
+		}
+		if v := p.Type; v != nil {
+			permission["type"] = v
+		}
+		if v := p.UserConsentDescription; v != nil {
+			permission["user_consent_description"] = v
+		}
+		if v := p.UserConsentDisplayName; v != nil {
+			permission["user_consent_display_name"] = v
+		}
+		if v := p.Value; v != nil {
+			permission["value"] = v
+		}
+
+		result = append(result, permission)
+	}
+
+	return result
+}

azuread/resource_application.go

@@ -130,53 +130,7 @@ func resourceApplication() *schema.Resource {
 				},
 			},
 
-			"oauth2_permissions": {
-				Type:     schema.TypeList,
-				Computed: true,
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"admin_consent_description": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"admin_consent_display_name": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"id": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"is_enabled": {
-							Type:     schema.TypeBool,
-							Computed: true,
-						},
-
-						"type": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"user_consent_description": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"user_consent_display_name": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-
-						"value": {
-							Type:     schema.TypeString,
-							Computed: true,
-						},
-					},
-				},
-			},
+			"oauth2_permissions": graph.SchemaOauth2Permissions(),
 
 			"object_id": {
 				Type:     schema.TypeString,
@@ -366,7 +320,7 @@ func resourceApplicationRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("Error setting `required_resource_access`: %+v", err)
 	}
 
-	if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil {
+	if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil {
 		return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
 	}
 
@@ -478,42 +432,3 @@ func flattenADApplicationResourceAccess(in *[]graphrbac.ResourceAccess) []interf
 
 	return accesses
 }
-
-func flattenADApplicationOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} {
-	if in == nil {
-		return []map[string]interface{}{}
-	}
-
-	result := make([]map[string]interface{}, 0)
-	for _, p := range *in {
-		permission := make(map[string]interface{})
-		if v := p.AdminConsentDescription; v != nil {
-			permission["admin_consent_description"] = v
-		}
-		if v := p.AdminConsentDisplayName; v != nil {
-			permission["admin_consent_display_name"] = v
-		}
-		if v := p.ID; v != nil {
-			permission["id"] = v
-		}
-		if v := p.IsEnabled; v != nil {
-			permission["is_enabled"] = *v
-		}
-		if v := p.Type; v != nil {
-			permission["type"] = v
-		}
-		if v := p.UserConsentDescription; v != nil {
-			permission["user_consent_description"] = v
-		}
-		if v := p.UserConsentDisplayName; v != nil {
-			permission["user_consent_display_name"] = v
-		}
-		if v := p.Value; v != nil {
-			permission["value"] = v
-		}
-
-		result = append(result, permission)
-	}
-
-	return result
-}

azuread/resource_service_principal.go

@@ -39,6 +39,8 @@ func resourceServicePrincipal() *schema.Resource {
 				Computed: true,
 			},
 
+			"oauth2_permissions": graph.SchemaOauth2Permissions(),
+
 			"object_id": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -116,6 +118,10 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro
 		return fmt.Errorf("Error setting `tags`: %+v", err)
 	}
 
+	if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil {
+		return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
+	}
+
 	return nil
 }
 

azuread/resource_service_principal_test.go

@@ -26,6 +26,8 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) {
 					testCheckADServicePrincipalExists(resourceName),
 					resource.TestCheckResourceAttrSet(resourceName, "display_name"),
 					resource.TestCheckResourceAttrSet(resourceName, "application_id"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))),
 					resource.TestCheckResourceAttrSet(resourceName, "object_id"),
 				),
 			},

website/docs/d/service_principal.html.markdown

@@ -49,8 +49,30 @@ The following arguments are supported:
 
 -> **NOTE:** At least one of `application_id`, `display_name` or `object_id` must be specified.
 
+* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below.
+
 ## Attributes Reference
 
 The following attributes are exported:
 
 * `id` - The Object ID for the Service Principal.
+
+---
+
+`oauth2_permission` block exports the following:
+
+* `id` - The unique identifier for one of the `OAuth2Permission`
+
+* `type` - The type of the permission
+
+* `admin_consent_description` - The description of the admin consent
+
+* `admin_consent_display_name` - The display name of the admin consent
+
+* `is_enabled` - Is this permission enabled?
+
+* `user_consent_description` - The description of the user consent
+
+* `user_consent_display_name` - The display name of the user consent
+
+* `value` - The name of this permission