-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New resource & data source 'azuread_group' #14
Conversation
Tests pass: TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestAccAzureADGroup* -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azuread/version.ProviderVersion=acc"
? github.com/terraform-providers/terraform-provider-azuread [no test files]
=== RUN TestAccAzureADGroup_basic
--- PASS: TestAccAzureADGroup_basic (2.87s)
=== RUN TestAccAzureADGroup_complete
--- PASS: TestAccAzureADGroup_complete (2.26s)
PASS TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestAccDataSourceAzureADGroup* -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azuread/version.ProviderVersion=acc"
? github.com/terraform-providers/terraform-provider-azuread [no test files]
=== RUN TestAccDataSourceAzureADGroup_byObjectId
--- PASS: TestAccDataSourceAzureADGroup_byObjectId (3.42s)
=== RUN TestAccDataSourceAzureADGroup_byName
--- PASS: TestAccDataSourceAzureADGroup_byName (3.19s)
PASS |
thanks for porting this over @tiwood - will take a look shortly :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @tiwood
Thanks for porting this PR over from the other repo - on the whole this looks good to me; I've left a few (mostly minor) comments in-line but if we can fix those up this otherwise LGTM 👍
Thanks!
@tombuildsstuff, this is ready for another review. |
…ionally only id is exported as output
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for pushing those changes @tiwood - this now LGTM (and I’ll kick off the tests shortly) 👍
@tiwood sorry for the delay - been trying to get the permissions sorted for the service principal - will take a look at that again today |
No worries, if I can help let me know. For reference, this is how I do it in cloud shell: $aadUserAdminRole = Get-AzureADDirectoryRole | ? DisplayName -eq "User Account Administrator"
$terraformServicePrincipal = Get-AzureADServicePrincipal | ? ObjectId -eq "_YourTerraformServicePrincipalObjectId_"
Add-AzureADDirectoryRoleMember -ObjectId $aadUserAdminRole.ObjectId -RefObjectId $terraformServicePrincipal.ObjectId |
-> **NOTE:** Additionally, due to a limitation within the API, you have to assign **one** of the following Azure Active Directory Roles to the Service Principal to be able to delete Groups: | ||
|
||
* User Account Administrator | ||
* Company Administrator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
after spending some time looking into this, it appears that Company Administrator
should be the only role necessary - the User Account Administrator
doesn't appear to have sufficient rights on it's own (I'm assuming it may for the azuread_user
resource however?) - as such could we update this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
User Account Administrator
should definitely work, see https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#user-account-administrator.
I use these permissions exclusively on my Service Principal and it seems to work.
I've found, that if you apply a role to the Service principal, it may take a few min to propagate.
@tiwood thanks for the help - got the permissions working in the end - and the tests now run for me:
|
@tiwood thanks for this PR - this now LGTM 👍 |
@tiwood the docs here don't specify the option to use |
Hi @ksix, can you explain further what you need? |
Do you have any idea when 0.2.0 might be released? I'd love to start using the group resource instead of littering object_id all over the place. |
@tiwood I want to create groups in one script and assign them in another (asynchronously), coupling to the name is unsafe because it can be changed by others or may not even return the right group. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
This PR adds a new resource and data source for Azure Active Directory groups.
The is based on the PR hashicorp/terraform-provider-azurerm#1839
Example Usage
The following attributes are exported:
id
- The Object ID for the Azure AD Group.name
- The Display Name for the Azure AD Group.