From 855ee7e387a304d854c85744863feb27830aca62 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Tue, 27 Aug 2019 16:46:02 -0700 Subject: [PATCH 01/14] Expose Principal Type attribute --- azurerm/resource_arm_role_assignment.go | 41 ++++++++++++++-- azurerm/resource_arm_role_assignment_test.go | 50 ++++++++++++++++++-- website/docs/r/role_assignment.html.markdown | 3 ++ 3 files changed, 87 insertions(+), 7 deletions(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 47eae31960da..48529f70684c 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -14,6 +14,7 @@ import ( "github.com/hashicorp/go-uuid" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/helper/validation" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" ) @@ -64,6 +65,24 @@ func resourceArmRoleAssignment() *schema.Resource { Required: true, ForceNew: true, }, + + "principal_type": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + string(authorization.Application), + string(authorization.DirectoryObjectOrGroup), + string(authorization.DirectoryRoleTemplate), + string(authorization.Everyone), + string(authorization.ForeignGroup), + string(authorization.Group), + string(authorization.MSI), + string(authorization.ServicePrincipal), + string(authorization.Unknown), + string(authorization.User), + }, false), + }, }, } } 
@@ -118,11 +137,19 @@ func resourceArmRoleAssignmentCreate(d *schema.ResourceData, meta interface{}) e } } + roleAssignmentProperties := authorization.RoleAssignmentProperties{ + RoleDefinitionID: utils.String(roleDefinitionId), + PrincipalID: utils.String(principalId), + } + + principalType := d.Get("principal_type").(string) + + if principalType != "" { + roleAssignmentProperties.PrincipalType = authorization.PrincipalType(principalType) + } + properties := authorization.RoleAssignmentCreateParameters{ - RoleAssignmentProperties: &authorization.RoleAssignmentProperties{ - RoleDefinitionID: utils.String(roleDefinitionId), - PrincipalID: utils.String(principalId), - }, + RoleAssignmentProperties: &roleAssignmentProperties, } if err := resource.Retry(300*time.Second, retryRoleAssignmentsClient(scope, name, properties, meta)); err != nil { @@ -164,6 +191,12 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) + principalType := d.Get("principal_type").(string) + + if principalType != "" { + d.Set("principal_type", props.PrincipalType) + } + //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { roleResp, err := roleDefinitionsClient.GetByID(ctx, *roleId) diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 7caa13fe8ec0..456ac00caf58 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go 
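Review bot: The caller-supplied `principal_type` is copied straight into `roleAssignmentProperties.PrincipalType` with nothing at the `if principalType != ""` line saying why a user would set it; the docs hunk later in this series (patch 08) shows the purpose is to make the service skip its Azure AD check on `principal_id`. That is a security-relevant side effect, since the check is what rejects an object ID that does not exist in the tenant, so it deserves a why-comment such as `// A supplied principal type lets the API skip its AAD lookup of principal_id; a mistyped ID is then no longer rejected at create time.`. The enclosing resourceArmRoleAssignmentCreate starts and ends outside the hunk.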
@@ -24,8 +24,9 @@ func TestAccAzureRMRoleAssignment(t *testing.T) { "requiresImport": testAccAzureRMRoleAssignment_requiresImport, }, "assignment": { - "sp": testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal, - "group": testAccAzureRMActiveDirectoryServicePrincipal_group, + "sp": testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal, + "spType": testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipalWithType, + "group": testAccAzureRMActiveDirectoryServicePrincipal_group, }, "management": { "assign": testAccAzureRMRoleAssignment_managementGroup, @@ -219,6 +220,27 @@ func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal(t *testing.T }) } +func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipalWithType(t *testing.T) { + resourceName := "azurerm_role_assignment.test" + ri := tf.AccRandTimeInt() + id := uuid.New().String() + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testCheckAzureRMRoleAssignmentDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAzureRMRoleAssignment_servicePrincipalWithType(ri, id), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMRoleAssignmentExists("azurerm_role_assignment.test"), + resource.TestCheckResourceAttr(resourceName, "principal_type", "ServicePrincipal"), + ), + }, + }, + }) +} + func testAccAzureRMActiveDirectoryServicePrincipal_group(t *testing.T) { ri := tf.AccRandTimeInt() id := uuid.New().String() 
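Review bot: The new test declares `resourceName` but still passes the literal `"azurerm_role_assignment.test"` to `testCheckAzureRMRoleAssignmentExists` two lines below the `Config:` line, so the two checks can drift apart; use `testCheckAzureRMRoleAssignmentExists(resourceName),` in the new function. Unlike the other cases in this file (the `ImportState: true` steps visible in patch 13), the test has no import step, so it never verifies that `principal_type` is populated by a Read from the API alone.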
@@ -440,6 +462,28 @@ resource "azurerm_role_assignment" "test" { `, rInt, roleAssignmentID) } +func testAccAzureRMRoleAssignment_servicePrincipalWithType(rInt int, roleAssignmentID string) string { + return fmt.Sprintf(` +data "azurerm_subscription" "current" {} + +resource "azuread_application" "test" { + name = "acctestspa-%d" +} + +resource "azuread_service_principal" "test" { + application_id = "${azuread_application.test.application_id}" +} + +resource "azurerm_role_assignment" "test" { + name = "%s" + scope = "${data.azurerm_subscription.current.id}" + role_definition_name = "Reader" + principal_id = "${azuread_service_principal.test.id}" + principal_type = "ServicePrincipal" +} +`, rInt, roleAssignmentID) +} + func testAccAzureRMRoleAssignment_group(rInt int, roleAssignmentID string) string { return fmt.Sprintf(` data "azurerm_subscription" "current" {} @@ -448,7 +492,7 @@ resource "azuread_group" "test" { name = "acctestspa-%d" } -resource "azurerm_role_assignment" "test" { +resource ServicePrincipal { name = "%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" diff --git a/website/docs/r/role_assignment.html.markdown b/website/docs/r/role_assignment.html.markdown index 294a06f58935..77424bf6d924 100644 --- a/website/docs/r/role_assignment.html.markdown +++ b/website/docs/r/role_assignment.html.markdown @@ -22,6 +22,7 @@ resource "azurerm_role_assignment" "test" { scope = "${data.azurerm_subscription.primary.id}" role_definition_name = "Reader" principal_id = "${data.azurerm_client_config.test.service_principal_object_id}" + principal_type = "ServicePrincipal" } ``` 
@@ -133,6 +134,8 @@ The following arguments are supported: ~> **NOTE:** The Principal ID is also known as the Object ID (ie not the "Application ID" for applications). +* `PrincipalType` - (Optional) The principal type of the assigned `principal_id`. Possible values include: `User`, `Group`, `ServicePrincipal`, `Unknown`, `DirectoryRoleTemplate`, `ForeignGroup`, `Application`, `MSI`, `DirectoryObjectOrGroup`, `Everyone`. + ## Attributes Reference The following attributes are exported: From 84029eda59d84cab526447aec617c59fbe742f2c Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 28 Aug 2019 14:56:42 -0700 Subject: [PATCH 02/14] Update azurerm/resource_arm_role_assignment_test.go Co-Authored-By: Tom Harvey --- azurerm/resource_arm_role_assignment_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 456ac00caf58..2a0263c7de1d 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -492,7 +492,7 @@ resource "azuread_group" "test" { name = "acctestspa-%d" } -resource ServicePrincipal { +resource "azurerm_role_assignment" "test" { name = "%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" From 19e6594dc16fe2773b5a5eb028ce51944f670fc1 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 28 Aug 2019 15:12:42 -0700 Subject: [PATCH 03/14] Update azurerm/resource_arm_role_assignment_test.go Co-Authored-By: kt --- azurerm/resource_arm_role_assignment_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 2a0263c7de1d..b811c7603b49 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go 
@@ -475,7 +475,7 @@ resource "azuread_service_principal" "test" { } resource "azurerm_role_assignment" "test" { - name = "%s" + name = "acctestRA%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" principal_id = "${azuread_service_principal.test.id}" From c9887164b8a42c9f9fdfbf907fc99c2ba09cd531 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 28 Aug 2019 15:32:41 -0700 Subject: [PATCH 04/14] Updates per PR comments --- azurerm/resource_arm_role_assignment.go | 16 +++++++--------- azurerm/resource_arm_role_assignment_test.go | 16 ++++++++-------- website/docs/r/role_assignment.html.markdown | 2 +- 3 files changed, 16 insertions(+), 18 deletions(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 48529f70684c..776bb8688650 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -137,19 +137,17 @@ func resourceArmRoleAssignmentCreate(d *schema.ResourceData, meta interface{}) e } } - roleAssignmentProperties := authorization.RoleAssignmentProperties{ - RoleDefinitionID: utils.String(roleDefinitionId), - PrincipalID: utils.String(principalId), + properties := authorization.RoleAssignmentCreateParameters{ + RoleAssignmentProperties: &authorization.RoleAssignmentProperties{ + RoleDefinitionID: utils.String(roleDefinitionId), + PrincipalID: utils.String(principalId), + } } principalType := d.Get("principal_type").(string) - + if principalType != "" { - roleAssignmentProperties.PrincipalType = authorization.PrincipalType(principalType) - } - - properties := authorization.RoleAssignmentCreateParameters{ - RoleAssignmentProperties: &roleAssignmentProperties, + properties.RoleAssignmentProperties.PrincipalType = authorization.PrincipalType(principalType) } if err := resource.Retry(300*time.Second, retryRoleAssignmentsClient(scope, name, properties, meta)); err != nil { 
diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 456ac00caf58..d36c717cfbb8 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -478,8 +478,8 @@ resource "azurerm_role_assignment" "test" { name = "%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" - principal_id = "${azuread_service_principal.test.id}" - principal_type = "ServicePrincipal" + principal_id = "${azuread_service_principal.test.id}" + principal_type = "ServicePrincipal" } `, rInt, roleAssignmentID) } @@ -492,7 +492,7 @@ resource "azuread_group" "test" { name = "acctestspa-%d" } -resource ServicePrincipal { +resource "azurerm_role_assignment" "test" { name = "%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" @@ -508,17 +508,17 @@ data "azurerm_subscription" "primary" {} data "azurerm_client_config" "test" {} data "azurerm_role_definition" "test" { - name = "Monitoring Reader" + name = "Monitoring Reader" } resource "azurerm_management_group" "test" { - group_id = "%s" + group_id = "%s" } resource "azurerm_role_assignment" "test" { - scope = "${azurerm_management_group.test.id}" - role_definition_id = "${data.azurerm_role_definition.test.id}" - principal_id = "${data.azurerm_client_config.test.service_principal_object_id}" + scope = "${azurerm_management_group.test.id}" + role_definition_id = "${data.azurerm_role_definition.test.id}" + principal_id = "${data.azurerm_client_config.test.service_principal_object_id}" } `, groupId) } diff --git a/website/docs/r/role_assignment.html.markdown b/website/docs/r/role_assignment.html.markdown index 77424bf6d924..f8717c8c1485 100644 --- a/website/docs/r/role_assignment.html.markdown +++ b/website/docs/r/role_assignment.html.markdown 
@@ -134,7 +134,7 @@ The following arguments are supported: ~> **NOTE:** The Principal ID is also known as the Object ID (ie not the "Application ID" for applications). -* `PrincipalType` - (Optional) The principal type of the assigned `principal_id`. Possible values include: `User`, `Group`, `ServicePrincipal`, `Unknown`, `DirectoryRoleTemplate`, `ForeignGroup`, `Application`, `MSI`, `DirectoryObjectOrGroup`, `Everyone`. +* `PrincipalType` - (Optional) The principal type of the assigned `principal_id`. Possible values include: `Application`, `DirectoryObjectOrGroup`, `DirectoryRoleTemplate`, `Everyone`, `ForeignGroup`, `Group`, `MSI`, `ServicePrincipal`, `Unknown` and `User`. ## Attributes Reference From 18bdc0fe1926c6e4f0fae3058fa441dfefa3eb3e Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 28 Aug 2019 15:41:31 -0700 Subject: [PATCH 05/14] Missed a comma --- azurerm/resource_arm_role_assignment.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 776bb8688650..8c9a971adff0 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -141,11 +141,11 @@ func resourceArmRoleAssignmentCreate(d *schema.ResourceData, meta interface{}) e RoleAssignmentProperties: &authorization.RoleAssignmentProperties{ RoleDefinitionID: utils.String(roleDefinitionId), PrincipalID: utils.String(principalId), - } + }, } principalType := d.Get("principal_type").(string) - + if principalType != "" { properties.RoleAssignmentProperties.PrincipalType = authorization.PrincipalType(principalType) } From 808509ee678d354aebe1bcac11d5077995ca3d2e Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 28 Aug 2019 16:10:04 -0700 Subject: [PATCH 06/14] Revert name change --- azurerm/resource_arm_role_assignment_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 7801bfd23ba5..d36c717cfbb8 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -475,7 +475,7 @@ resource "azuread_service_principal" "test" { } resource "azurerm_role_assignment" "test" { - name = "acctestRA%s" + name = "%s" scope = "${data.azurerm_subscription.current.id}" role_definition_name = "Reader" principal_id = "${azuread_service_principal.test.id}" From 9daeb7a54311700c13f2e7ce0378e8ff1b07fb68 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Thu, 29 Aug 2019 19:37:09 -0700 Subject: [PATCH 07/14] Update per PR review --- azurerm/resource_arm_role_assignment.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 8c9a971adff0..19d4bc188ad5 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -69,6 +69,7 @@ func resourceArmRoleAssignment() *schema.Resource { "principal_type": { Type: schema.TypeString, Optional: true, + Computed: true, ForceNew: true, ValidateFunc: validation.StringInSlice([]string{ string(authorization.Application), @@ -188,12 +189,7 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) - - principalType := d.Get("principal_type").(string) - - if principalType != "" { - d.Set("principal_type", props.PrincipalType) - } + d.Set("principal_type", props.PrincipalType) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { From 13173f9c3da78f905247117b2157e18bc7460a18 Mon Sep 17 00:00:00 2001 
From: Jeffrey Cline Date: Fri, 30 Aug 2019 15:38:58 -0700 Subject: [PATCH 08/14] Change of direction --- azurerm/resource_arm_role_assignment.go | 26 +++++--------------- azurerm/resource_arm_role_assignment_test.go | 11 ++++----- website/docs/r/role_assignment.html.markdown | 3 +-- 3 files changed, 12 insertions(+), 28 deletions(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 19d4bc188ad5..d4231990126f 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -14,7 +14,6 @@ import ( "github.com/hashicorp/go-uuid" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" - "github.com/hashicorp/terraform/helper/validation" "github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" ) @@ -66,23 +65,11 @@ func resourceArmRoleAssignment() *schema.Resource { ForceNew: true, }, - "principal_type": { - Type: schema.TypeString, + "skip_service_principal_aad_check": { + Type: schema.TypeBool, Optional: true, - Computed: true, ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{ - string(authorization.Application), - string(authorization.DirectoryObjectOrGroup), - string(authorization.DirectoryRoleTemplate), - string(authorization.Everyone), - string(authorization.ForeignGroup), - string(authorization.Group), - string(authorization.MSI), - string(authorization.ServicePrincipal), - string(authorization.Unknown), - string(authorization.User), - }, false), + Default: false, }, }, } 
@@ -145,10 +132,10 @@ func resourceArmRoleAssignmentCreate(d *schema.ResourceData, meta interface{}) e }, } - principalType := d.Get("principal_type").(string) + skipPrincipalCheck := d.Get("skip_service_principal_aad_check").(bool) - if principalType != "" { - properties.RoleAssignmentProperties.PrincipalType = authorization.PrincipalType(principalType) + if skipPrincipalCheck { + properties.RoleAssignmentProperties.PrincipalType = authorization.ServicePrincipal } if err := resource.Retry(300*time.Second, retryRoleAssignmentsClient(scope, name, properties, meta)); err != nil { @@ -189,7 +176,6 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) - d.Set("principal_type", props.PrincipalType) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index d36c717cfbb8..08e7696e0fb2 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -234,7 +234,6 @@ func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipalWithType(t *t Config: testAccAzureRMRoleAssignment_servicePrincipalWithType(ri, id), Check: resource.ComposeTestCheckFunc( testCheckAzureRMRoleAssignmentExists("azurerm_role_assignment.test"), - resource.TestCheckResourceAttr(resourceName, "principal_type", "ServicePrincipal"), ), }, }, 
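Review bot: Setting `properties.RoleAssignmentProperties.PrincipalType = authorization.ServicePrincipal` is what makes the service skip its Azure AD check on `principal_id` (the docs hunk in this same commit says so), but the code carries no comment to that effect; add `// ServicePrincipal tells the API to skip its AAD existence check on principal_id, so a wrong ID is no longer rejected at create time.` above the `if skipPrincipalCheck` line. Because that server-side check is the only thing catching a mistyped or foreign object ID when the flag is set, it would be worth pairing the flag with a UUID-format validator on `principal_id` in the schema so malformed IDs are still rejected locally; the `principal_id` schema entry is outside this hunk, so that may already exist. resourceArmRoleAssignmentCreate continues outside the hunk.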
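Review bot: After the `@@ -189,7 +176,6 @@` hunk, resourceArmRoleAssignmentRead stores nothing for `skip_service_principal_aad_check`, so an imported assignment has no value for it; with `Default: false` and `ForceNew: true` in the schema, a configuration that sets it to `true` then plans a destroy-and-recreate of the role assignment, which is a transient loss of access rather than a no-op. Patches 10 and 11 set it from `props.PrincipalType` and then from itself, and patch 13 deletes that again and adds `ImportStateVerifyIgnore` to the tests, which hides the diff in tests without removing it for users. Since the API does not return the flag, one option is a `DiffSuppressFunc` on the attribute that ignores the change once `d.Id()` is non-empty, or at minimum a documentation note that the flag is write-only and produces a replacement diff after import. The enclosing Read function starts and ends outside the hunk.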
@@ -475,11 +474,11 @@ resource "azuread_service_principal" "test" { } resource "azurerm_role_assignment" "test" { - name = "%s" - scope = "${data.azurerm_subscription.current.id}" - role_definition_name = "Reader" - principal_id = "${azuread_service_principal.test.id}" - principal_type = "ServicePrincipal" + name = "%s" + scope = "${data.azurerm_subscription.current.id}" + role_definition_name = "Reader" + principal_id = "${azuread_service_principal.test.id}" + skip_service_principal_aad_check = true } `, rInt, roleAssignmentID) } diff --git a/website/docs/r/role_assignment.html.markdown b/website/docs/r/role_assignment.html.markdown index f8717c8c1485..7920ce502a02 100644 --- a/website/docs/r/role_assignment.html.markdown +++ b/website/docs/r/role_assignment.html.markdown @@ -22,7 +22,6 @@ resource "azurerm_role_assignment" "test" { scope = "${data.azurerm_subscription.primary.id}" role_definition_name = "Reader" principal_id = "${data.azurerm_client_config.test.service_principal_object_id}" - principal_type = "ServicePrincipal" } ``` @@ -134,7 +133,7 @@ The following arguments are supported: ~> **NOTE:** The Principal ID is also known as the Object ID (ie not the "Application ID" for applications). -* `PrincipalType` - (Optional) The principal type of the assigned `principal_id`. Possible values include: `Application`, `DirectoryObjectOrGroup`, `DirectoryRoleTemplate`, `Everyone`, `ForeignGroup`, `Group`, `MSI`, `ServicePrincipal`, `Unknown` and `User`. +* `skip_service_principal_aad_check` - (Optional) If the `principal_id` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principal_id` is a `Service Principal` identity. If it is not a `Service Principal` identity it will cause the role assignment to fail. Defaults to `false`. ## Attributes Reference From fc6eecbc4d6a52cd327460902521d3207b789612 Mon Sep 17 00:00:00 2001 
From: Jeffrey Cline Date: Fri, 30 Aug 2019 15:57:30 -0700 Subject: [PATCH 09/14] Removing unused resource --- azurerm/resource_arm_role_assignment_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 08e7696e0fb2..08b8e2c29ace 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -221,7 +221,6 @@ func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal(t *testing.T } func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipalWithType(t *testing.T) { - resourceName := "azurerm_role_assignment.test" ri := tf.AccRandTimeInt() id := uuid.New().String() From 7b3452d6b36d9cab0d25d0fe7153fbc847314590 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Fri, 30 Aug 2019 16:29:46 -0700 Subject: [PATCH 10/14] added set to read CRUD --- azurerm/resource_arm_role_assignment.go | 1 + 1 file changed, 1 insertion(+) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index d4231990126f..70a7f8b36012 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -176,6 +176,7 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) + d.Set("skip_service_principal_aad_check", props.PrincipalType == authorization.ServicePrincipal) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { From 934b93cdbe2b197d0cbde4a6ba82638769177d43 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Fri, 30 Aug 2019 16:47:52 -0700 Subject: [PATCH 11/14] Update read --- azurerm/resource_arm_role_assignment.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 70a7f8b36012..e1d581c8608c 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -176,7 +176,7 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) - d.Set("skip_service_principal_aad_check", props.PrincipalType == authorization.ServicePrincipal) + d.Set("skip_service_principal_aad_check", d.Get("skip_service_principal_aad_check").(bool)) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { From 1d429071dfaf7a520a77eebd9b8dd8d90e020e37 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Fri, 30 Aug 2019 17:03:38 -0700 Subject: [PATCH 12/14] gofmt --- azurerm/resource_arm_role_assignment.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index e1d581c8608c..6b05b567162c 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -69,7 +69,7 @@ func resourceArmRoleAssignment() *schema.Resource { Type: schema.TypeBool, Optional: true, ForceNew: true, - Default: false, + Default: false, }, }, } From 1e3a8235a529d0795d6bd1775f591f386b76f272 Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Wed, 4 Sep 2019 14:30:22 -0700 Subject: [PATCH 13/14] Changes per PR comments --- azurerm/resource_arm_role_assignment.go | 1 - azurerm/resource_arm_role_assignment_test.go | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index 6b05b567162c..c0fc81b650be 100644 --- a/azurerm/resource_arm_role_assignment.go 
+++ b/azurerm/resource_arm_role_assignment.go @@ -176,7 +176,6 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) - d.Set("skip_service_principal_aad_check", d.Get("skip_service_principal_aad_check").(bool)) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 08b8e2c29ace..2160c25aaedb 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -65,6 +65,9 @@ func testAccAzureRMRoleAssignment_emptyName(t *testing.T) { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "skip_service_principal_aad_check", + }, }, }, }) @@ -91,6 +94,9 @@ func testAccAzureRMRoleAssignment_roleName(t *testing.T) { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "skip_service_principal_aad_check", + }, }, }, }) @@ -146,6 +152,9 @@ func testAccAzureRMRoleAssignment_dataActions(t *testing.T) { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "skip_service_principal_aad_check", + }, }, }, }) @@ -170,6 +179,9 @@ func testAccAzureRMRoleAssignment_builtin(t *testing.T) { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "skip_service_principal_aad_check", + }, }, }, }) @@ -196,6 +208,9 @@ func testAccAzureRMRoleAssignment_custom(t *testing.T) { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, + ImportStateVerifyIgnore: []string{ + "skip_service_principal_aad_check", + }, }, }, }) 
From 865796d79ab1df8a9070e006c7fa487d45f38bad Mon Sep 17 00:00:00 2001 From: Jeffrey Cline Date: Fri, 6 Sep 2019 16:31:44 -0700 Subject: [PATCH 14/14] Added principal_type as a computed attribute --- azurerm/resource_arm_role_assignment.go | 6 ++++++ azurerm/resource_arm_role_assignment_test.go | 2 ++ website/docs/r/role_assignment.html.markdown | 2 ++ 3 files changed, 10 insertions(+) diff --git a/azurerm/resource_arm_role_assignment.go b/azurerm/resource_arm_role_assignment.go index c0fc81b650be..44958652deea 100644 --- a/azurerm/resource_arm_role_assignment.go +++ b/azurerm/resource_arm_role_assignment.go @@ -65,6 +65,11 @@ func resourceArmRoleAssignment() *schema.Resource { ForceNew: true, }, + "principal_type": { + Type: schema.TypeString, + Computed: true, + }, + "skip_service_principal_aad_check": { Type: schema.TypeBool, Optional: true, @@ -176,6 +181,7 @@ func resourceArmRoleAssignmentRead(d *schema.ResourceData, meta interface{}) err d.Set("scope", props.Scope) d.Set("role_definition_id", props.RoleDefinitionID) d.Set("principal_id", props.PrincipalID) + d.Set("principal_type", props.PrincipalType) //allows for import when role name is used (also if the role name changes a plan will show a diff) if roleId := props.RoleDefinitionID; roleId != nil { diff --git a/azurerm/resource_arm_role_assignment_test.go b/azurerm/resource_arm_role_assignment_test.go index 2160c25aaedb..8f2c26ea8417 100644 --- a/azurerm/resource_arm_role_assignment_test.go +++ b/azurerm/resource_arm_role_assignment_test.go @@ -217,6 +217,7 @@ func testAccAzureRMRoleAssignment_custom(t *testing.T) { } func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal(t *testing.T) { + resourceName := "azurerm_role_assignment.test" ri := tf.AccRandTimeInt() id := uuid.New().String() 
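Review bot: In the `@@ -176,6 +181,7 @@` hunk, `d.Set("principal_type", props.PrincipalType)` passes the SDK's named `authorization.PrincipalType` value rather than a plain `string`; the surrounding `d.Set` calls pass `*string` fields, so for consistency and to avoid relying on the schema layer's conversion of named string types, write `d.Set("principal_type", string(props.PrincipalType))`. The new `principal_type` attribute is `Computed` only, which matches the Read side; a one-line comment on the schema entry, e.g. `// Read-only: reported by the API; the create-time hint is skip_service_principal_aad_check`, would make the relationship between the two attributes clear. The enclosing Read function starts and ends outside the hunk.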
@@ -229,6 +230,7 @@ func testAccAzureRMActiveDirectoryServicePrincipal_servicePrincipal(t *testing.T Config: testAccAzureRMRoleAssignment_servicePrincipal(ri, id), Check: resource.ComposeTestCheckFunc( testCheckAzureRMRoleAssignmentExists("azurerm_role_assignment.test"), + resource.TestCheckResourceAttr(resourceName, "principal_type", "ServicePrincipal"), ), }, }, diff --git a/website/docs/r/role_assignment.html.markdown b/website/docs/r/role_assignment.html.markdown index 7920ce502a02..5704a3bb901e 100644 --- a/website/docs/r/role_assignment.html.markdown +++ b/website/docs/r/role_assignment.html.markdown @@ -141,6 +141,8 @@ The following attributes are exported: * `id` - The Role Assignment ID. +* `principal_type` - The type of the `principal_id`, e.g. User, Group, Service Principal, Application, etc. + ## Import Role Assignments can be imported using the `resource id`, e.g.
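Review bot: The new `principal_type` assertion is added only to the plain `servicePrincipal` test, while the `servicePrincipalWithType` test, the one that sets `skip_service_principal_aad_check = true` and therefore sends `PrincipalType` explicitly (patch 08), has had no assertion since patch 08 removed it. That is the case where the type is asserted by the caller rather than looked up, so it is the one most worth verifying against what the API reports back; restore `resourceName := "azurerm_role_assignment.test"` (dropped in patch 09) and `resource.TestCheckResourceAttr(resourceName, "principal_type", "ServicePrincipal"),` in that function. The enclosing test function starts outside the hunk.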