Initial support for Microsoft Graph with opt-in beta #373
Conversation
ghost
added
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
4 times, most recently
from
66a9a37 to
33946d2
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
from
0d4a908 to
e06f028
Compare
manicminer
force-pushed
the
feature/resource-packages
branch
from
7e061a3 to
3a9c0a4
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
from
34c6ac0 to
14b1fa8
Compare
manicminer
force-pushed
the
feature/resource-packages
branch
2 times, most recently
from
d690b7a to
9225d08
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
3 times, most recently
from
c505e72 to
6f7c4d8
Compare
manicminer
force-pushed
the
feature/resource-packages
branch
from
9225d08 to
5dc0f38
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
from
6f7c4d8 to
6ea7423
Compare
manicminer
force-pushed
the
feature/resource-packages
branch
2 times, most recently
from
439ac7f to
8e0e9c2
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
2 times, most recently
from
f228887 to
1ab05ac
Compare
| ## Attributes Reference | ||
|
|
||
| In addition to all arguments above, the following attributes are exported: | ||
|
|
||
| *No additional attributes are exported* |
There was a problem hiding this comment.
I have tried to avoid mentioning the resource ID too much as it's a frequent source of confusion - instead there are contextual attributes like scope_id in this case.
internal/services/applications/application_password_resource.go
Outdated
Show resolved
Hide resolved
| var status int | ||
| for _, owner := range *group.Owners { | ||
| // don't fail if an owner already exists | ||
| checkOwnerAlreadyExists := func(resp *http.Response, o *odata.OData) bool { |
There was a problem hiding this comment.
wouldn't this indicate a bug?
There was a problem hiding this comment.
This mostly helps to work around API inconsistency where newly created groups (and other objects) sometimes inherit an owner but sometimes don't. Also the group read operation has inconsistencies where owners sometimes take awhile to show up after adding, this helps work around that without excessive/fruitless retry logic in the calling app.
| } | ||
|
|
||
| // despite the above check, sometimes owners are just gone | ||
| checkOwnerGone := func(resp *http.Response, o *odata.OData) bool { |
There was a problem hiding this comment.
(as above) wouldn't this indicate a bug?
There was a problem hiding this comment.
Similarly sometimes the read operation on a group indicates the presence of an owner when it's actually already been removed, so you end up with a GET showing an owner, but DELETEing that owner gets you a 403.
| if err := json.Unmarshal(data, &e); err != nil { | ||
| return err | ||
| } | ||
| for _, k := range []string{"error", "odata.error"} { |
There was a problem hiding this comment.
can this also be in @odata.error?
There was a problem hiding this comment.
I haven't seen that but maybe? AFAICT @odata.error isn't in the odata standard, although I think i'd probably expect it to have astring value if it showed up anywhere.
…ice_principal_password For both resources: - Since `value` is to be removed, generate a value for AAD Graph if one is not specified in configuration, mimicking characteristics of msgraph-generated passwords - As `end_date` / `end_date_relative` are also being removed, default `end_date_relative` to 17520h (2 years) which mimics MS Graph
Test ResultsApplications - AAD Graph
Applications - MS Graph
Domains - AAD Graph
Domains - MS Graph
Groups - AAD Graph
Groups - MS Graph
Service Principals - AAD Graph
Service Principals - MS Graph
Users - AAD Graph
Users - MS Graph
|
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
from
c70a8bc to
ebaf2ab
Compare
manicminer
force-pushed
the
feature/enable-microsoft-graph
branch
from
ebaf2ab to
b2de421
Compare
|
Great work! |
|
😁🎉🚀💐🥇⭐️🙌🥳 |
|
This has been released in version 1.5.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azuread" {
version = "~> 1.5.0"
}
# ... other configuration ... |
|
Awesome work! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR introduces support for Microsoft Graph using https://github.com/manicminer/hamilton, alongside the existing Azure Active Directory Graph API implementation, and aims to maintain forward and backward compatibility. Users can opt-in to using MS Graph by setting the
use_microsoft_graphprovider attribute or theAAD_USE_MICROSOFT_GRAPHenvironment variable.This is broken into multiple commits to aid review.
Authentication
Authentication for MS Graph is handled by hamilton/auth similarly to go-azure-helpers. Different auth methods can be configured and are tried in order, until one succeeds.
Authentication via hamilton/auth is only performed when MS Graph is enabled, to avoid erroring if no API permissions are granted to the principal.
Authentication via go-azure-helpers is always performed, even when MS Graph is enabled. Both methods must work for provider configuration to succeed. This will be removed in v2.0.
Client configuration is sourced from the AuthConfig supplied by go-azure-helpers. This will be switched in v2.0.
All national clouds are supported
The US Gov cloud is now two clouds in MS Graph - L4 and L5.
Resources
resource.StateChangeConf{}.WaitForState()method usages have been removed since MS Graph has been observed to be consistent in most cases.Documentation