terraform-provider-azuread
Assign an AD role to a aad_group -- azuread_pim_eligible_role_assignment
Is there an existing issue for this?
- [X] I have searched the existing issues
Community Note
- Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Description
Terraform Version
1.5.0
AzureRM Provider Version
3.64
I need to create a PIM and assign Azure AD roles like "Directory Reader" and "Global Reader" to a group by using Terraform. Recently we have had the chance to create a PIM by using azurerm_pim_eligible_role_assignment, and @josh-barker has done good work on it, which I appreciate; I have been using it for the last two days.
Correct me if I am wrong: to have this feature, we need to have the same functionality in the "azuread" provider and "Directory" scope.
New or Affected Resource(s)/Data Source(s)
azuread, azurerm_pim_eligible_role_assignment
Potential Terraform Configuration
No response
References
Thanks for requesting this @omilun. This feature request pertains to the AzureAD provider so I'm going to migrate the issue to that repository.
Is this not covered by the azuread_directory_role_eligibility_schedule_request resource? In our own PIM implementation we use Terraform to
- Create groups for Azure AD roles
- Create Entitlement management access packages to let users request access to those groups
- Set the groups as eligible for the appropriate role using the above resource.
The only part we have to do manually currently is configure the PIM settings for each role (max activation duration, MFA settings, etc).
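The three steps in the comment above, written out as one Terraform configuration. This is an added example, not configuration from the issue author or the provider's own documentation. It assumes a provider version that ships `azuread_directory_role_eligibility_schedule_request`, and the group, catalog, access package and policy names are constructed for illustration. Attribute names follow the provider's documented schema as the editor recalls it; run `terraform validate` against the pinned provider version before relying on it. As the commenter notes, the PIM role settings themselves (activation duration, MFA on activation) are not covered by these resources.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47" # assumption: a release containing the eligibility schedule request resource
    }
  }
}

provider "azuread" {}

# Step 1: one role-assignable security group per Azure AD role.
# assignable_to_role must be true at creation time (it cannot be changed later);
# only role-assignable groups can be made eligible for a directory role.
resource "azuread_group" "directory_readers" {
  display_name       = "pim-directory-readers" # constructed name
  security_enabled   = true
  assignable_to_role = true
}

# Group whose members approve access requests (constructed; keep it small and reviewed).
resource "azuread_group" "pim_approvers" {
  display_name     = "pim-approvers"
  security_enabled = true
}

# Activates the built-in role template in the tenant so its template_id can be referenced.
# Prefer a narrowly scoped role such as Directory Readers over Global Administrator.
resource "azuread_directory_role" "directory_readers" {
  display_name = "Directory Readers"
}

# Step 2: entitlement management so users request group membership instead of being added by hand.
resource "azuread_access_package_catalog" "pim" {
  display_name = "pim-role-groups"
  description  = "Groups that are eligible for Azure AD roles"
}

resource "azuread_access_package_resource_catalog_association" "directory_readers" {
  catalog_id             = azuread_access_package_catalog.pim.id
  resource_origin_id     = azuread_group.directory_readers.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package" "directory_readers" {
  catalog_id   = azuread_access_package_catalog.pim.id
  display_name = "Directory Readers (eligible)"
  description  = "Membership of the group that is eligible for the Directory Readers role"
}

resource "azuread_access_package_resource_package_association" "directory_readers" {
  access_package_id               = azuread_access_package.directory_readers.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.directory_readers.id
}

# Requests are time-bound (30 days) and require an approver; both limit standing access.
resource "azuread_access_package_assignment_policy" "directory_readers" {
  access_package_id = azuread_access_package.directory_readers.id
  display_name      = "request-with-approval"
  description       = "Directory members may request; a pim-approvers member must approve"
  duration_in_days  = 30

  requestor_settings {
    scope_type      = "AllExistingDirectoryMemberUsers"
    accept_requests = true
  }

  approval_settings {
    approval_required = true

    approval_stage {
      approval_timeout_in_days = 7

      primary_approver {
        object_id    = azuread_group.pim_approvers.object_id
        subject_type = "groupMembers"
      }
    }
  }
}

# Step 3: make the group eligible (not permanently active) for the role at tenant scope.
# Members still have to activate the role through PIM, which is where the activation
# duration and MFA requirements from the PIM role settings apply.
resource "azuread_directory_role_eligibility_schedule_request" "directory_readers" {
  role_definition_id = azuread_directory_role.directory_readers.template_id
  principal_id       = azuread_group.directory_readers.object_id
  directory_scope_id = "/"
  justification      = "Eligible assignment for Directory Readers managed by Terraform"
}
```

Repeat the group, directory role and eligibility request blocks for each additional role (for example "Global Reader"); the catalog and approver group can be shared. A useful check after `terraform apply` is to confirm in the Entra portal that the group shows up under the role as *Eligible* rather than *Active*, since an accidental active assignment defeats the purpose of PIM.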