azuread_service_principal: export the oauth2_permissions property

azuread/data_service_principal.go

@@ -38,6 +38,55 @@ func dataServicePrincipal() *schema.Resource {
 				ValidateFunc:  validate.UUID,
 				ConflictsWith: []string{"object_id", "display_name"},
 			},
+
+			"oauth2_permissions": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"admin_consent_description": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"admin_consent_display_name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"is_enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+
+						"type": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"user_consent_description": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"user_consent_display_name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"value": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -126,5 +175,9 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
 	d.Set("display_name", sp.DisplayName)
 	d.Set("object_id", sp.ObjectID)
 
+	if oauth2Permissions, ok := sp.AdditionalProperties["oauth2Permissions"].([]interface{}); ok {
+		d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions))
+	}
+
 	return nil
 }

azuread/data_service_principal_test.go

@@ -24,6 +24,8 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) {
 					resource.TestCheckResourceAttrSet(dataSourceName, "application_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "object_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "display_name"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))),
 				),
 			},
 		},

azuread/resource_service_principal.go

@@ -51,6 +51,54 @@ func resourceServicePrincipal() *schema.Resource {
 				Computed: true,
 			},
 
+			"oauth2_permissions": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"admin_consent_description": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"admin_consent_display_name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"is_enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+
+						"type": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"user_consent_description": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"user_consent_display_name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+
+						"value": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+
 			"object_id": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -123,6 +171,10 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro
 		}
 	}
 
+	if oauth2Permissions, ok := app.AdditionalProperties["oauth2Permissions"].([]interface{}); ok {
+		d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions))
+	}
+
 	return nil
 }
 
@@ -140,3 +192,43 @@ func resourceServicePrincipalDelete(d *schema.ResourceData, meta interface{}) er
 
 	return nil
 }
+
+func flattenServicePrincipalOauth2Permissions(in []interface{}) []map[string]interface{} {
+	if in == nil {
+		return []map[string]interface{}{}
+	}
+
+	result := make([]map[string]interface{}, 0, len(in))
+	for _, oauth2Permissions := range in {
+		rawPermission := oauth2Permissions.(map[string]interface{})
+		permission := make(map[string]interface{})
+		if v := rawPermission["adminConsentDescription"]; v != nil {
+			permission["admin_consent_description"] = v
+		}
+		if v := rawPermission["adminConsentDisplayName"]; v != nil {
+			permission["admin_consent_description"] = v
+		}
+		if v := rawPermission["id"]; v != nil {
+			permission["id"] = v
+		}
+		if v := rawPermission["isEnabled"]; v != nil {
+			permission["is_enabled"] = v.(bool)
+		}
+		if v := rawPermission["type"]; v != nil {
+			permission["type"] = v
+		}
+		if v := rawPermission["userConsentDescription"]; v != nil {
+			permission["user_consent_description"] = v
+		}
+		if v := rawPermission["userConsentDisplayName"]; v != nil {
+			permission["user_consent_display_name"] = v
+		}
+		if v := rawPermission["value"]; v != nil {
+			permission["value"] = v
+		}
+
+		result = append(result, permission)
+	}
+
+	return result
+}

azuread/resource_service_principal_test.go

@@ -26,6 +26,8 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) {
 					testCheckADServicePrincipalExists(resourceName),
 					resource.TestCheckResourceAttrSet(resourceName, "display_name"),
 					resource.TestCheckResourceAttrSet(resourceName, "application_id"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))),
 					resource.TestCheckResourceAttrSet(resourceName, "object_id"),
 				),
 			},

website/docs/d/service_principal.html.markdown

@@ -49,8 +49,30 @@ The following arguments are supported:
 
 -> **NOTE:** At least one of `application_id`, `display_name` or `object_id` must be specified.
 
+* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below.
+
 ## Attributes Reference
 
 The following attributes are exported:
 
 * `id` - The Object ID for the Service Principal.
+
+---
+
+`oauth2_permission` block exports the following:
+
+* `id` - The unique identifier for one of the `OAuth2Permission`
+
+* `type` - The type of the permission
+
+* `admin_consent_description` - The description of the admin consent
+
+* `admin_consent_display_name` - The display name of the admin consent
+
+* `is_enabled` - Is this permission enabled?
+
+* `user_consent_description` - The description of the user consent
+
+* `user_consent_display_name` - The display name of the user consent
+
+* `value` - The name of this permission

website/docs/r/service_principal.html.markdown

@@ -52,6 +52,28 @@ The following attributes are exported:
 
 * `display_name` - The Display Name of the Azure Active Directory Application associated with this Service Principal.
 
+* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below.
+
+---
+
+`oauth2_permission` block exports the following:
+
+* `id` - The unique identifier for one of the `OAuth2Permission`.
+
+* `type` - The type of the permission.
+
+* `admin_consent_description` - The description of the admin consent.
+
+* `admin_consent_display_name` - The display name of the admin consent.
+
+* `is_enabled` - Is this permission enabled?
+
+* `user_consent_description` - The description of the user consent.
+
+* `user_consent_display_name` - The display name of the user consent.
+
+* `value` - The name of this permission.
+
 ## Import
 
 Azure Active Directory Service Principals can be imported using the `object id`, e.g.