Feature Request: Enable Specifying Role Assignment Principal Type

Open csmith66 opened this issue 8 months ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like to have the ability to control the principal_type value set in all of the module's role assignments, whether implicitly or explicitly (preferably).

Example: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/0783a8a720ed4d950c10006bfa845eb59155f334/resources.role_assignments.tf#L1

Is your feature request related to a problem?

Yes. It is a security best practice to assign roles to Groups rather than to individual Users. Using this module to define and deploy a policy that enforces this concept by blocking the creation of role assignments targeting individual users requires that every future role assignment explicitly set the principal_type. However, this module does not expose any mechanism to pass the principal_type, nor does it perform any internal lookup against Entra to determine the appropriate value, effectively breaking the module's ability to manage role assignments.

Describe the solution you'd like

At least one of two mechanisms should be provided:

  • Internally do a lookup to determine the appropriate value and automatically set the principal_type for every role assignment (less consumer impact, but likely more challenging)
  • Provide an optional attribute in the archetype JSON. If not explicitly provided, default to the existing behavior of not supplying a value to the underlying resource.
    ```hcl
    "access_control_v2" = {
      "Contributor Users" = {
        "principal_type" = "User"
        "members"        = ["principal ids"]
      }
      "Contributor Groups" = {
        "principal_type" = "Group"
        "members"        = ["principal ids"]
      }
      "Contributor SPNs" = {
        "principal_type" = "ServicePrincipal"
        "members"        = ["principal ids"]
      }
    }
    ```
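As an added example (not the module's own code), one way an optional principal_type in access_control_v2 could flow through to the underlying azurerm_role_assignment, with a validation that rejects values the API does not accept; the variable, local.scope_id, the resource label and the sample principal IDs are assumed or constructed here, and the map keys are taken to be role definition names, as in the module's existing access_control attribute.

```hcl
# Added example, not the module's code; names and sample values are assumed.
# Requires Terraform 1.3+ for optional() object attributes.
variable "access_control_v2" {
  type = map(object({
    principal_type = optional(string) # null keeps today's behaviour: nothing sent
    members        = list(string)
  }))
  default = { # constructed sample; the GUIDs are placeholders, not real principals
    "Contributor" = {
      principal_type = "Group"
      members        = ["00000000-0000-0000-0000-000000000001"]
    }
    "Reader" = {
      principal_type = "ServicePrincipal"
      members        = ["00000000-0000-0000-0000-000000000002"]
    }
  }
  validation {
    condition = alltrue([
      for entry in values(var.access_control_v2) :
      entry.principal_type == null ||
      contains(["User", "Group", "ServicePrincipal"], entry.principal_type)
    ])
    error_message = "principal_type, when set, must be User, Group or ServicePrincipal."
  }
}
locals {
  scope_id = "/providers/Microsoft.Management/managementGroups/example" # assumed scope
  # One azurerm_role_assignment per (role, principal) pair.
  role_assignments = {
    for pair in flatten([
      for role_name, entry in var.access_control_v2 : [
        for member in entry.members : {
          key            = "${role_name}:${member}"
          role_name      = role_name
          principal_id   = member
          principal_type = entry.principal_type
        }
      ]
    ]) : pair.key => pair
  }
}
resource "azurerm_role_assignment" "access_control_v2" {
  for_each             = local.role_assignments
  scope                = local.scope_id
  role_definition_name = each.value.role_name
  principal_id         = each.value.principal_id
  principal_type       = each.value.principal_type # omitted from the API call when null
}
```

With principal_type null for an entry, the plan is identical to the module's current behaviour; with it set, the value is sent on creation and a deny policy on user-targeted assignments can evaluate it.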

Additional context

  • This feature request is somewhat related to #864, and it could potentially share a common implementation. However, it could be handled separately if implementation is complex, or there is a desire to keep the functionality independent.

  • While this request is not currently a blocking issue that would classify it as a bug, it is reasonable to assume this module will need to address this functionality eventually. The Azure CLI already notes that this is likely a future breaking change in the REST API, with the following message: RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.

csmith66 Jun 06 '24 21:06