
Assign an AD role to an aad_group -- azuread_pim_eligible_role_assignment

Open omilun opened this issue 11 months ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Terraform Version

1.5.0

AzureRM Provider Version

3.64

I need to create a PIM and assign Azure AD roles like "Directory Reader" and "Global Reader" to a group by using Terraform. Recently we got the chance to create a PIM by using azurerm_pim_eligible_role_assignment; @josh-barker has done good work on it, and I appreciate it. I have been using it since two days ago.

Correct me if I am wrong: to have this feature, we need the same functionality in the "azuread" provider and at the "Directory" scope.

New or Affected Resource(s)/Data Source(s)

azuread, azurerm_pim_eligible_role_assignment

Potential Terraform Configuration

No response

References

MS DOC

omilun, Jul 17 '23 15:07

Thanks for requesting this @omilun. This feature request pertains to the AzureAD provider so I'm going to migrate the issue to that repository.

manicminer, Aug 02 '23 19:08

Is this not covered by the azuread_directory_role_eligibility_schedule_request resource? In our own PIM implementation we use Terraform to

  1. Create groups for Azure AD roles
  2. Create Entitlement Management access packages to let users request access to those groups
  3. Set the groups as eligible for the appropriate role using the above resource.

The only part we have to do manually currently is configure the PIM settings for each role (max activation duration, MFA settings, etc).

garretth9, Dec 21 '23 15:12
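The three-step pattern described in the comment above, written out as an added example. This is not configuration from the issue, from any commenter, or from the provider's own documentation; it assumes the hashicorp/azuread provider, and every display name, the chosen built-in role ("Directory Readers") and the approver group are constructed placeholders. It uses azuread_directory_role_eligibility_schedule_request for the eligibility step and the azuread_access_package_* resources for the entitlement-management step; the per-role PIM settings (activation duration, MFA) that the commenter configures manually are not covered here.

```hcl
# Added example (not from the issue): PIM-eligible group for a directory role,
# requestable through an Entitlement Management access package.
# All names below are constructed placeholders.

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# Step 1: a role-assignable security group. assignable_to_role must be set
# when the group is created; it cannot be changed afterwards.
resource "azuread_group" "directory_readers" {
  display_name       = "pim-directory-readers" # constructed name
  security_enabled   = true
  assignable_to_role = true
}

# The built-in directory role the group should be eligible for. Referencing a
# built-in role by display name activates it in the tenant if needed.
resource "azuread_directory_role" "directory_readers" {
  display_name = "Directory Readers"
}

# Step 3: eligibility (not an active assignment) for the group, scoped to the
# whole directory ("/"). Members still have to activate the role through PIM.
resource "azuread_directory_role_eligibility_schedule_request" "directory_readers" {
  role_definition_id = azuread_directory_role.directory_readers.template_id
  principal_id       = azuread_group.directory_readers.object_id
  directory_scope_id = "/"
  justification      = "Group is PIM-eligible for Directory Readers"
}

# Step 2: Entitlement Management, so users request membership of the group
# instead of being added to it directly.
resource "azuread_access_package_catalog" "pim" {
  display_name = "pim-role-groups" # constructed name
  description  = "Groups that are PIM-eligible for directory roles"
}

resource "azuread_access_package_resource_catalog_association" "directory_readers" {
  catalog_id             = azuread_access_package_catalog.pim.id
  resource_origin_id     = azuread_group.directory_readers.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package" "directory_readers" {
  catalog_id   = azuread_access_package_catalog.pim.id
  display_name = "Directory Readers (PIM-eligible group)" # constructed name
  description  = "Request membership of the Directory Readers PIM group"
}

resource "azuread_access_package_resource_package_association" "directory_readers" {
  access_package_id               = azuread_access_package.directory_readers.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.directory_readers.id
}

# Assumed approver group; in a real tenant reference an existing group instead.
resource "azuread_group" "approvers" {
  display_name     = "pim-approvers" # constructed name
  security_enabled = true
}

# Any directory member may request; a member of the approver group must
# approve, and the assignment expires after 90 days unless renewed.
resource "azuread_access_package_assignment_policy" "directory_readers" {
  access_package_id = azuread_access_package.directory_readers.id
  display_name      = "request-with-approval" # constructed name
  description       = "Directory members may request; approval required"
  duration_in_days  = 90

  requestor_settings {
    scope_type = "AllExistingDirectoryMemberUsers"
  }

  approval_settings {
    approval_required = true

    approval_stage {
      approval_timeout_in_days = 14

      primary_approver {
        object_id    = azuread_group.approvers.object_id
        subject_type = "groupMembers"
      }
    }
  }
}
```

Separating the eligibility (step 3) from group membership (step 2) is what keeps the role itself from being permanently active: membership gets the user an eligible assignment, and each activation still goes through PIM with whatever MFA and duration settings are configured on the role.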