
Privileged Identity Management (PIM)

Open Lachlan-White opened this issue 5 years ago • 62 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Ability to Create PIM Policies and Configure PIM access via Terraform

New or Affected Resource(s)

New data source would be required

  • azuread_privileged_identity_management

Potential Terraform Configuration

resource "azurerm_privileged_identity_management" "PIM-Group-1" {
  scope                = "Subscription_PIM_1"
  role_definition_name = "Contributor"
  aad_group_id         = var.aad_group_id
}

References

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Lachlan-White, Mar 25 '19 22:03

What would also be super helpful here would be support for "Azure Resources" PIM.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles

mharrison365, Feb 06 '20 21:02

Thanks for requesting this feature! It looks like PIM management is only available via the MS Graph API which we are currently not in a position to use as we're waiting on SDK support. I've marked this request as upstream-dependent and we'll revisit as soon as we are able.

manicminer, May 29 '20 01:05

Maybe add the assignment type (eligible/active) and assignment duration (start/end) as parameters?

khole, Aug 12 '20 03:08

This would be tremendously useful to have in Terraform. The API docs are here: https://docs.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-resources?view=graph-rest-beta (beta)

christophetd, Aug 20 '20 15:08

Agreed; this would be a very welcome addition!

MarkBooks, Aug 21 '20 19:08

Would be super handy for our production setup. Currently, this missing functionality means quite some manual work.

LudoNieuwenhuizen, Nov 03 '20 10:11

This feature is currently waiting on implementation of MS Graph. We are actively working on it and this issue will receive priority as soon as we are able. See hashicorp/terraform-provider-azurerm#323 for more details. Thanks!

manicminer, Nov 03 '20 23:11

+1 Me too

A few use cases I would like to see met:

  • Adding Subscriptions
  • Configuring Role Settings for both Azure AD and Azure Resources
  • Configuring Alerts
  • Configuring Access Reviews
  • Managing Role Assignments (Add/Update/Remove)

Presently I am resorting to using the AzureAD Preview PowerShell cmdlets. These work well but it is not as elegant as tf.

frazhamid, Feb 22 '21 13:02

We create all our RBAC groups using terraform when a resource group is provisioned, but they need manually onboarding to PIM so this would be very useful.

Any update?

darren-johnson, Mar 22 '21 10:03

@manicminer , it appears that MS Graph was implemented in azuread version 1.5.0 (LINK HERE).

Does this mean that this issue can receive priority now or maybe it's already in progress?

schlbra, Jun 14 '21 16:06

In order to maintain compatibility, new features will only be merged in v2.0 (or later), which we're working on right now.

Privileged Identity Management is a reasonably large feature that will likely not make it into 2.0, but will hopefully come soon thereafter as it's the highest voted feature on our backlog.

manicminer, Jun 14 '21 19:06

I'm already subscribed to this issue but whenever it's ready I'm happy to volunteer testing time.

JonZeolla, Jun 15 '21 11:06

Can you provide any additional information about when this is likely to be released?

bodemckenna, Jun 22 '21 09:06

I am interested in this feature as well. Happy to implement the resources and data sources myself if help is needed.

@manicminer - Let me know by ping; this is required by my workplace as well.

Threpio, Aug 24 '21 09:08

I'm also interested in this feature.

tepley, Sep 07 '21 17:09

Thanks for the interest, but please stick to +1 on the original message. Help is always very welcome, however this particular feature is nontrivial - for context, there are 3 distinct iterations of this service, incompatible with each other and none of which have yet made it out of beta.

manicminer, Sep 07 '21 17:09

Please stick me as a Plus 1 on implementing this in Azuread

TomHowarth, Sep 29 '21 19:09

+1

masoud-fereidonian, Sep 29 '21 23:09

Dear All, as Microsoft changed its PIM API in October (https://docs.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta), it might be a good thing to ask once again what the status of the Azure PIM Terraform provider is at the moment. Anything planned, or is there nothing on the horizon? Just wondering, as I think this would be a great thing, to be able to enroll AAD PIM and Azure Resources PIM with Terraform.

pbeckendorf-gkgab, Dec 21 '21 14:12

This would be really helpful, as we are planning to onboard management group structure into PIM, and we keep the RBAC assignments on the MG scope in TF state.

RenatoMartins-tomtom, Apr 01 '22 10:04

Seems like there is already work in progress - https://github.com/hashicorp/terraform-provider-azuread/issues/547

petr-stupka, Apr 28 '22 14:04

Hi all. Would love to know if there are any updates on this issue. Would love to see this implemented in tf as soon as possible.

kehindeakala, Jul 07 '22 14:07

Hello, checking up on this one as we need it via tf rather than regular clickops. Any updates, please?

ZarakiKenpachi7, Aug 09 '22 05:08

Hi, what's the status of this much desired and valuable feature?

archmangler, Sep 28 '22 07:09

We have found a workaround for PIM implementation in Terraform: https://goodworkaround.com/2021/10/14/assigning-pim-azure-rbac-permissions-using-terraform-and-arm-template/

However, I'm still waiting on updates on this one. Any timelines?

speedyankur, Sep 30 '22 11:09

@manicminer All API endpoints for Azure AD roles are now out of beta (and have been for a while): https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-1.0

Any chance this will be prioritized in the backlog anytime soon?

I wish I had the required expertise for contributing to the provider, but I lack any Golang knowledge. If there is anything I can provide on the Graph side, or through testing, I am happy to help.

mariussm, Sep 30 '22 11:09

This should really be prioritized - the workaround @speedyankur mentioned is not working for me, and I've gotten no response from its original author on their GitHub. We can do everything we need except for PIM, which is still a manual step since TF doesn't support it.

MohnJadden, Oct 27 '22 19:10

Hi folks, I got fed up with waiting for this to be resolved, so I wrote a script that does it using the Azure APIs. This could easily be triggered from Terraform or via a pipeline, which is how I do it. If you are interested, the script is available at https://github.com/thedevopsjedi/azure-pim

thedevopsjedi, Oct 28 '22 10:10

Thank you for this - do you happen to have a guide on how to trigger it via TF? I couldn't find much that allows us to directly trigger a resource provider that runs PowerShell scripts with TF variables as PS parameters.

MohnJadden, Oct 28 '22 12:10

A guide specifically, no, as I did it in a pipeline, but it's simple to do; example code below, and I'd just use Terraform's data sources and outputs for the PowerShell parameters.

You'll need to ensure you have authenticated first too, which is why I do it in a pipeline.

resource "null_resource" "trigger_powershell_script" {
  provisioner "local-exec" {
    # Runs the PIM script with pwsh; the pipeline must already be authenticated
    command     = <<EOT
./script.ps1
EOT
    interpreter = ["pwsh", "-Command"]
  }
  # RESOURCES is a placeholder for the resources the script must wait for
  depends_on = [RESOURCES]
}

thedevopsjedi, Oct 28 '22 12:10
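As an added example (not from this thread and not from thedevopsjedi's repository), this is one way to do what the comment above describes: feed Terraform data source values into the script as PowerShell parameters, with triggers so the script only re-runs when an input changes. It assumes `./script.ps1` declares `-SubscriptionId`, `-RoleName` and `-GroupObjectId` parameters and that the pipeline has already authenticated; the group display name is a constructed sample.

```hcl
# Added example (not from this thread or thedevopsjedi's repo): pass Terraform
# values into a PIM script as PowerShell parameters. Assumes ./script.ps1 declares
#   param([string]$SubscriptionId, [string]$RoleName, [string]$GroupObjectId)
# and that the pipeline has already authenticated (e.g. Connect-AzAccount).

provider "azurerm" {
  features {}
}

# Scope for the PIM assignment: the current subscription's resource ID.
data "azurerm_subscription" "current" {}

# RBAC group that should become *eligible* for the role (activated just-in-time),
# rather than holding a standing, permanently active assignment.
data "azuread_group" "pim_group" {
  display_name     = "rg-app-contributors" # constructed sample name
  security_enabled = true
}

variable "pim_role_name" {
  type    = string
  default = "Contributor"
}

resource "null_resource" "pim_eligible_assignment" {
  # Re-run only when an input or the script itself changes, keeping apply idempotent.
  triggers = {
    subscription_id = data.azurerm_subscription.current.id
    role_name       = var.pim_role_name
    group_object_id = data.azuread_group.pim_group.object_id
    script_hash     = filesha256("${path.module}/script.ps1")
  }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-NoProfile", "-Command"]
    # Single-quoted PowerShell arguments so the IDs are passed literally.
    command = <<-EOT
      ./script.ps1 -SubscriptionId '${data.azurerm_subscription.current.id}' -RoleName '${var.pim_role_name}' -GroupObjectId '${data.azuread_group.pim_group.object_id}'
    EOT
  }
}
```

Because the assignment lives outside Terraform state, destroying this resource does not remove the eligibility; the script (or a separate cleanup step) has to handle that.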