terraform-provider-azuread
Feature Tracker - EntitlementManagment - AccessPackages
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Currently developing upstream SDK capability for the relevant accessPackage* resource types on the Beta API: https://github.com/manicminer/hamilton/issues/92
Leaving a feature tracker here to get feedback / +1s, as well as to track progress when downstream work starts.
New or Affected Resource(s)
(In order of dependencies)
- [x] azuread_access_package_catalog
- [ ] azuread_access_package_resource_request
- [x] azuread_access_package
- [ ] azuread_access_package_assignment_policy
Potential Terraform Configuration
```hcl
data "azuread_group" "example" {
  display_name     = "myexamplegroup"
  security_enabled = true
}

data "azuread_group" "example_2" {
  display_name     = "myexamplegroup_2"
  security_enabled = true
}

data "azuread_group" "example_3" {
  display_name     = "myexamplegroup_3"
  security_enabled = true
}

data "azuread_group" "example_4" {
  display_name     = "myexamplegroup_4"
  security_enabled = true
}

resource "azuread_access_package_catalog" "example" {
  display_name = "My Access package catalog"
  description  = "Created by terraform"
}

resource "azuread_access_package_resource_request" "example" {
  access_package_catalog_id = azuread_access_package_catalog.example.id

  access_package_resource {
    origin_id     = data.azuread_group.example.id
    origin_system = "AadGroup" // AadGroup, SharePointOnline or Application
  }
}

resource "azuread_access_package_resource_request" "example_2" {
  access_package_catalog_id = azuread_access_package_catalog.example.id

  access_package_resource {
    origin_id     = data.azuread_group.example_2.id
    origin_system = "AadGroup" // AadGroup, SharePointOnline or Application
  }
}

resource "azuread_access_package" "example" {
  access_package_catalog_id = azuread_access_package_catalog.example.id
  display_name              = "My Access Package"
  description               = "Created by terraform"
  is_hidden                 = false
  is_role_scopes_visible    = false

  role_scope {
    resource = azuread_access_package_resource_request.example
    role     = "Member" // Member or Owner for AAD groups
  }

  role_scope {
    resource = azuread_access_package_resource_request.example_2
    role     = "Member" // Member or Owner for AAD groups
  }
}

resource "azuread_access_package_assignment_policy" "example" {
  access_package_id = azuread_access_package.example.id
  display_name      = "My AP Policy"
  description       = "Created by terraform"
  can_extend        = true

  requestor_settings {
    scope_type      = "SpecificDirectorySubjects"
    accept_requests = true

    allowed_requestor {
      id          = data.azuread_group.example_3.id
      description = "AP Users"
    }

    allowed_requestor {
      id          = "00000000-0000-0000-0000-000000000000"
      description = "secondary user"
    }
  }

  requestor_approval_settings {
    is_approval_required                = true
    is_approval_required_for_extension  = true
    is_requestor_justification_required = true
    approval_mode                       = "Serial" // One of NoApproval, SingleStage or Serial; NoApproval is used when is_approval_required is false

    approval_stage { // At most two approval stages are allowed
      timeout_in_days                    = 30
      is_approver_justification_required = true
      is_escalation_enabled              = true
      escalation_time_in_minutes         = 90

      primary_approver {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "secondary user"
        is_backup   = false
      }

      primary_approver {
        id          = data.azuread_group.example_4.id
        description = "Backup Approver"
        is_backup   = true
      }

      escalation_approvers {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "escalation user"
        is_backup   = false
      }
    }

    approval_stage { // At most two approval stages are allowed
      timeout_in_days                    = 30
      is_approver_justification_required = true
      is_escalation_enabled              = true
      escalation_time_in_minutes         = 90

      primary_approver {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "secondary user"
        is_backup   = false
      }

      primary_approver { // Requires an id or manager level; manager level is not yet in the SDK, planned once the base implementation lands
        id          = data.azuread_group.example_4.id
        description = "Backup Approver"
        is_backup   = true
      }

      escalation_approvers {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "escalation user"
        is_backup   = false
      }
    }
  }

  approval_question { // No practical limit on the number of questions
    is_required = true
    sequence    = 1

    text {
      default = "Why do you want this"

      localization {
        text         = "Why do you want this"
        LanguageCode = "GB"
      }

      localization {
        text         = "Warum willst du das"
        LanguageCode = "DE"
      }
    }
  }

  approval_question {
    is_required = true
    sequence    = 2

    text {
      default = "Why do you want this 2"

      localization {
        text         = "Why do you want this 2"
        LanguageCode = "GB"
      }

      localization {
        text         = "Warum willst du das 2"
        LanguageCode = "DE"
      }
    }
  }
}
```
References
https://github.com/manicminer/hamilton/issues/92
https://github.com/manicminer/hamilton/pull/93
Bit of an update: had a bit of a hiatus on this, but have been waiting to see where the specification ends up on the MS side, as some beta endpoints (resource request & role scope) are extremely idempotent.
Instead I will push this in two parts: first catalogs, access packages and assignments, then resource and role scopes. The first half is effectively done, just some debugging needed.
In the meantime, for role and resource scopes you may likely be able to work around this with script provisioners for these, and use Terraform for the primary bits and policy.
@kaovd any progress on this one? 🙏🏻
@sigurdfalk Some upstream fixes have been merged, just waiting for the Hamilton release so I can get changes in, but access packages, catalogs and policy are pretty much finalized.
@kaovd You beat me to it, your upstream PR is now released! Thanks for your work on this! :D
The upstream PR in this case is for Hamilton, correct @manicminer? Is there anything else from Microsoft that is blocking progress? Eager to get a status update :D @kaovd, thanks for the work that has already been done.
Hello people! It seems there are no more blockers! Looking forward to it!
@QuduSEC see the linked PR fix; this is still blocked by https://github.com/manicminer/hamilton/pull/156
It looks like https://github.com/manicminer/hamilton/pull/156 has been merged, are there any more blockers?
Any updates on the progress of this one? Any blockers left? Waiting eagerly for the release of this feature :D
I'm wondering if there's any worth in investing time in a terraform/arm hybrid if the Graph API has been implemented.
@jdelforno, you are mixing PIM and Entitlement Management now, aren't you? Of course we need to handle access packages using Terraform, even though it is available through the Microsoft Graph.
I see someone has linked both a Bicep issue, the PIM issue (68) and stuff, but this has nothing to do with access packages whatsoever.
agree with @mariussm here, I too believe this should be possible to handle with Terraform :) anything we can contribute with to push this forward?
Waiting for the release of this feature.
This functionality has been released in v2.37.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
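The configuration proposed at the top of this issue predates the release; what shipped in v2.37.0 renamed several blocks. The example below is added here and is not the issue author's proposal nor the provider's own documentation: it rebuilds the same scenario (one group published into a catalog, packaged, and gated by an approval policy) using the resource and attribute names of the released provider as I recall them, which is an assumption to verify against the docs for the version you pin. The group display names are constructed and the all-zero GUID is a placeholder for a real user object id. Compared with the proposal, `azuread_access_package_resource_request` became `azuread_access_package_resource_catalog_association`, `role_scope` became `azuread_access_package_resource_package_association`, and the policy gained `duration_in_days` and `assignment_review_settings`, which are the pieces that keep the granted access time-bound and periodically re-certified rather than standing.

```hcl
# Added example; not from the issue or the provider docs. Names follow the
# azuread provider as released in v2.37.0 as recalled here (assumption: verify
# against the pinned provider version). Group names are constructed.

data "azuread_group" "target" {
  display_name     = "myexamplegroup"
  security_enabled = true
}

data "azuread_group" "requestors" {
  display_name     = "myexamplegroup_3"
  security_enabled = true
}

data "azuread_group" "approvers" {
  display_name     = "myexamplegroup_4"
  security_enabled = true
}

resource "azuread_access_package_catalog" "example" {
  display_name = "My Access package catalog"
  description  = "Created by terraform"
}

# Publish the group into the catalog (the proposal's "resource request").
resource "azuread_access_package_resource_catalog_association" "group" {
  catalog_id             = azuread_access_package_catalog.example.id
  resource_origin_id     = data.azuread_group.target.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package" "example" {
  catalog_id   = azuread_access_package_catalog.example.id
  display_name = "My Access Package"
  description  = "Created by terraform"
  hidden       = false
}

# Bind the catalog resource to the package as a Member role (the proposal's role_scope).
resource "azuread_access_package_resource_package_association" "group_member" {
  access_package_id               = azuread_access_package.example.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.group.id
  access_type                     = "Member"
}

resource "azuread_access_package_assignment_policy" "example" {
  access_package_id = azuread_access_package.example.id
  display_name      = "My AP Policy"
  description       = "Created by terraform"
  duration_in_days  = 90 # assignments expire instead of granting standing access

  # Only members of one group may request; requests from anyone else are refused.
  requestor_settings {
    scope_type        = "SpecificDirectorySubjects"
    requests_accepted = true

    requestor {
      object_id    = data.azuread_group.requestors.object_id
      subject_type = "groupMembers"
    }
  }

  approval_settings {
    approval_required                = true
    approval_required_for_extension  = true
    requestor_justification_required = true

    approval_stage {
      approval_timeout_in_days            = 14
      approver_justification_required     = true
      alternative_approval_enabled        = true
      enable_alternative_approval_in_days = 7

      primary_approver {
        object_id    = data.azuread_group.approvers.object_id
        subject_type = "groupMembers"
      }

      alternative_approver {
        object_id    = "00000000-0000-0000-0000-000000000000" # placeholder user object id
        subject_type = "singleUser"
      }
    }
  }

  # Periodic re-certification; unreviewed assignments are removed, not silently kept.
  assignment_review_settings {
    enabled                        = true
    review_frequency               = "quarterly"
    duration_in_days               = 3
    review_type                    = "Reviewers"
    access_review_timeout_behavior = "removeAccess"

    reviewer {
      object_id    = data.azuread_group.approvers.object_id
      subject_type = "groupMembers"
    }
  }

  question {
    required = true
    sequence = 1

    text {
      default_text = "Why do you want this"

      localized_text {
        language_code = "de"
        content       = "Warum willst du das"
      }
    }
  }
}
```

Two choices above are deliberate from a least-privilege standpoint: `access_review_timeout_behavior = "removeAccess"` fails closed when a reviewer does not respond, and the approver group is distinct from the requestor group so no one can approve their own request. Run `terraform validate` against your pinned provider first; any attribute the provider rejects is where my recollection of the schema differs from the released one.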