
Support for Determining AzureAD Principal Type from Object ID

Open bargokr opened this issue 3 years ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently AzureAD does not allow the assignment of AD groups as "Owners" of an Azure Application Registration and/or Azure Enterprise Application. Due to this limitation, we have to pull all users from the AD group we would like to assign (using data.azuread_group) and pass all object ids (using data.azuread_group.[name].members) to the "owners" attribute of the application registration / enterprise application. See below:

data "azuread_client_config" "tf_spn" {}

data "azuread_group" "ad_group" {
  object_id        = var.ra_object_id
  security_enabled = true
}

resource "azuread_application" "app_reg" {
  display_name = "${var.tenant}-${var.subscription}-${var.spn_name_short}"
  owners       = concat([data.azuread_client_config.tf_spn.object_id], data.azuread_group.ad_group.members)
}

This works fine for AD groups with only users as members, but when you have AD groups that have a mix of groups (nested) and members, it does not work.

We are proposing an additional data source that takes the input of "object_id" and exports attributes about the principal, including principal type. This would allow us to get the type of each principal and then do additional data pulls based on the principal type (either data.azuread_group or data.azuread_user).

Please provide similar functionality or a recommendation on how to handle this use case.

New or Affected Resource(s)

New - Data Source - azuread_principal_type or azuread_principal_lookup

Potential Terraform Configuration

# Get principal details (including type)
data "azuread_principal_type" "principal_lookup" {
  object_id = var.object_id
}

# If type is group, get the object id of members of the group
data "azuread_group" "ad_group" {
  count     = data.azuread_principal_type.principal_lookup.type == "Group" ? 1 : 0
  object_id = var.object_id
}

# If principal type is group, add the object ids of all members as owners
# (the counted data source is indexed with [0]; the two resources need distinct names)
resource "azuread_application" "app_reg_group" {
  count        = data.azuread_principal_type.principal_lookup.type == "Group" ? 1 : 0
  display_name = var.app_name
  owners       = data.azuread_group.ad_group[0].members
}

# If principal type is user, add the object id of the user (owners is a list)
resource "azuread_application" "app_reg_user" {
  count        = data.azuread_principal_type.principal_lookup.type == "User" ? 1 : 0
  display_name = var.app_name
  owners       = [var.object_id]
}

References

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadobjectbyobjectid?view=azureadps-2.0

bargokr avatar Jun 14 '22 18:06 bargokr

@manicminer I am happy to have a crack at this but will need some basic direction as to which client I should have a look at using. Even if we limit this to just being groups and users, we currently use two slightly different hamilton instances there? Do we create a generic ObjectID client that returns a Generic Object Metadata in hamilton instead?

Threpio avatar Jul 17 '22 16:07 Threpio

@Threpio Thanks, you're very welcome to work on this. You can likely use the DirectoryObjectsClient, parse out the OData and switch on the odata.OData.Type field to output a deterministic value.

manicminer avatar Jul 18 '22 10:07 manicminer
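The following Go program is an added example, not code from terraform-provider-azuread or hamilton. It shows the two points raised above together: the nested-group problem from the issue (a group's members list can itself contain groups, which cannot be application owners), and the approach manicminer suggests of switching on the OData type and erroring on anything unrecognised. An in-memory map stands in for the DirectoryObjectsClient lookup (an assumption; the real provider would call Microsoft Graph), the type strings are the Microsoft Graph `@odata.type` annotations, and the short object IDs and the membership graph are constructed test data rather than real tenant GUIDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DirectoryObject is the subset of a Microsoft Graph directoryObject used here.
// When an object is fetched by ID alone, the @odata.type annotation is what
// tells users, groups and service principals apart.
type DirectoryObject struct {
	ODataType string   `json:"@odata.type"`
	ID        string   `json:"id"`
	Members   []string `json:"members,omitempty"` // constructed: member object IDs
}

// Directory is an in-memory stand-in (assumption) for looking objects up by ID
// the way the provider's DirectoryObjectsClient would.
type Directory map[string]DirectoryObject

// PrincipalType switches on the OData type and returns a deterministic value,
// erroring on anything unrecognised instead of passing raw Graph strings through.
func PrincipalType(odataType string) (string, error) {
	switch odataType {
	case "#microsoft.graph.user":
		return "User", nil
	case "#microsoft.graph.group":
		return "Group", nil
	case "#microsoft.graph.servicePrincipal":
		return "ServicePrincipal", nil
	default:
		return "", fmt.Errorf("unrecognised directory object type %q", odataType)
	}
}

// ExpandOwners flattens objectID into the sorted, de-duplicated set of non-group
// object IDs reachable through nested group membership. Groups themselves are
// never emitted; a membership cycle terminates, and an unknown object type is an
// error rather than being silently dropped.
func ExpandOwners(dir Directory, objectID string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	var walk func(id string) error
	walk = func(id string) error {
		if seen[id] {
			return nil // duplicate membership or a nested cycle
		}
		seen[id] = true
		obj, ok := dir[id]
		if !ok {
			return fmt.Errorf("object %q not found in directory", id)
		}
		t, err := PrincipalType(obj.ODataType)
		if err != nil {
			return fmt.Errorf("object %q: %w", id, err)
		}
		if t != "Group" {
			out = append(out, id)
			return nil
		}
		for _, m := range obj.Members {
			if err := walk(m); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(objectID); err != nil {
		return nil, err
	}
	sort.Strings(out)
	return out, nil
}

// SampleDirectory is constructed test data: short IDs stand in for real GUIDs.
// g-outer nests g-inner, which points back at g-outer (a cycle) and repeats
// u-alice; g-bad contains a device, which is not a supported principal type.
const SampleDirectory = `[
  {"@odata.type": "#microsoft.graph.group", "id": "g-outer", "members": ["u-alice", "g-inner", "sp-terraform"]},
  {"@odata.type": "#microsoft.graph.group", "id": "g-inner", "members": ["u-bob", "g-outer", "u-alice"]},
  {"@odata.type": "#microsoft.graph.group", "id": "g-bad", "members": ["u-alice", "d-laptop"]},
  {"@odata.type": "#microsoft.graph.user", "id": "u-alice"},
  {"@odata.type": "#microsoft.graph.user", "id": "u-bob"},
  {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-terraform"},
  {"@odata.type": "#microsoft.graph.device", "id": "d-laptop"}
]`

// LoadDirectory parses the constructed JSON into a lookup map keyed by object ID.
func LoadDirectory(raw string) (Directory, error) {
	var objs []DirectoryObject
	if err := json.Unmarshal([]byte(raw), &objs); err != nil {
		return nil, err
	}
	dir := make(Directory, len(objs))
	for _, o := range objs {
		dir[o.ID] = o
	}
	return dir, nil
}

func main() {
	dir, err := LoadDirectory(SampleDirectory)
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"g-outer", "u-alice", "g-bad"} {
		owners, err := ExpandOwners(dir, id)
		fmt.Printf("%s -> owners=%v err=%v\n", id, owners, err)
	}
}
```

Running it resolves g-outer to the three non-group principals exactly once despite the cycle and the repeated member, passes a user ID straight through, and fails closed on g-bad because of the device member. That last behaviour is the practical reason for erroring on unrecognised types: a Terraform owners list built from such a lookup should never quietly contain an object the API will reject.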

Do you have a preference for where within `internal/services` this sits? I'll have a crack at the documentation as well. Initial thoughts were for the 'user' dir.

Also, is the `obj.ODataType` not just what we can return, or do we want to limit it to either a user Principal or a Group?

Threpio avatar Jul 18 '22 10:07 Threpio

I think we can probably create a new service package for this and call it directoryobjects.

I'd prefer to switch on the odata type and error out if unrecognised. This way we can avoid exposing breaking changes to the user which could break their configuration.

manicminer avatar Jul 18 '22 11:07 manicminer

This functionality has been released in v2.28.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] avatar Aug 25 '22 22:08 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Sep 25 '22 02:09 github-actions[bot]