hashicorp / terraform-provider-vault

Terraform Vault provider

Home Page:https://www.terraform.io/docs/providers/vault/


[Enhancement]: vault_azure_secret_backend_role support for EntraID Roles

Andrei-Predoiu opened this issue · comments

Description

Currently vault_azure_secret_backend_role only supports Azure infrastructure roles; they can be queried with az role definition list --query=[].roleName.
This works well for a lot of classic infrastructure deployment tasks, but it cannot generate service accounts with EntraID (AzureAD) permissions and thus cannot query or manage groups, users, etc.

In practice this is much needed when wanting to also create a mechanism for users to access the deployed infrastructure via groups or assignments.

For example:

  • Deploy a VM and create a security group where I can add members that will automatically get Operator access
  • Deploy an Azure APIM instance with AzureAD SSO login. In this case an AzureAD app needs to be configured along with the APIM instance

Affected Resource(s) and/or Data Source(s)

resource_vault_azure_secret_backend_role

Potential Terraform Configuration

resource "vault_azure_secret_backend" "azure" {
  use_microsoft_graph_api = true
  subscription_id         = "1234"
  tenant_id               = "1234"
  client_id               = "1234"

  client_secret = "ABC"
  environment   = "AzurePublicCloud"
}

resource "vault_azure_secret_backend_role" "terraform_apim_api_role" {
  backend            = vault_azure_secret_backend.azure.path
  role               = "terraform-apim"
  ttl                = 3600
  max_ttl            = 3600
  permanently_delete = true

  # Not split into two backend roles for dev and prod, because the terraform is not made for it, one job for both environments.
  azure_roles {
    role_name = "API Management Service Contributor"
    scope     = "/subscriptions/123444-1234-1234-1234-12345667890"
  }

  graph_roles {
    app_id_uri = "https://graph.microsoft.com"
    role_names = [
      "GroupMember.ReadWrite.All",
      "User.Read.All",
    ]
  }

  graph_roles {
    app_id_uri = "https://erp.dynamics.com"
    role_names = [
      "Connector.FullAccess",
    ]
  }
}

References

https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/azure_secret_backend_role

Would you like to implement a fix?

None