The Azure AD provider for Terraform can be used to manage your Azure Active Directory resources declaratively. This allows you to do things like:
-
Automatically provision users and make sure they belong to the correct groups.
-
Manage Azure compute permissions via Azure AD groups.
In this post, you will learn what the Azure AD Terraform provider is used for, how to authenticate and grant permissions and see examples of what you can do with it. Let’s get started.
Step 1 - Create a Group in Azure AD
The following example shows how to use the Azure AD provider to create a group in Azure AD:
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "= 1.6.0"
}
}
}
resource "azuread_group" "test" {
display_name = "Test Group"
}
The terraform section at the beginning is used to specify the version of the provider that we want to use, while the azuread_group resource defines our group.
Step 2 - Authenticate with Azure
The Azure AD provider allows for multiple authentication methods, which are outlined in the provider’s documentation. To allow you to get up and running quickly, the AD provider will attempt to get your credentials via the Azure CLI.
While this is fine for experimentation and local testing, for non-interactive scenarios like CI you will need to use a Service Principal or a Managed Service Identity.
Step 3 - Grant Permissions
In order to manage your Azure AD objects, the account used by Terraform needs to have the correct permissions to perform its actions. You can manage these permissions via the Roles and administrators section of Azure AD:
For example, to allow a Service Principal to manage groups, you would add it to the Groups administrator role:
The Terraform provider is well documented and will typically contain a notice at the top of each resource explaining the permissions that are required for using it.
Step 4 - Assign API Permissions
Another option that can be used with Service Principals instead of granting an administrator role is to assign specific API permissions to them. To do this, first find the AD Application linked to your Service Principal in the App Registrations section:
Go to the API permissions page for the application, and click on Add a permission:
In the window that appears, choose the Azure Active Directory Graph API, and then select the relevant permission you want to add:
Before the Service Principal can actually use the permission you just added, you need to take a final step called granting Admin Consent. You can do this by clicking on the Grant admin consent for <tenant> button displayed above the permissions table:
NOTES:
- When adding permissions to your Service Principal, you need to add Application permissions rather than Delegated permissions. This means that the Service Principal is allowed to perform the specified actions as itself, rather than on behalf of another user.
- The set of permissions that you can add via API permissions is quite limited. For example, to create AD groups, you need to add the Directory.ReadWrite.All permission, but this will not allow your Service Principal to delete any of the groups it creates. In order to be able to delete groups, you need to grant it the Group Administrator role, so depending on your requirements, there may not be any point in granting API permissions.
- The Azure AD Terraform provider switches to the Microsoft Graph API as of version 2.0.0, so when version 2 is released, you will need to grant permissions to the Microsoft Graph API instead of to the Azure Active Directory Graph API.
More Examples
Example 1 – Managing Users and Groups
The following example creates two users and two groups and assigns each user to a group:
resource "azuread_user" "adamc" {
user_principal_name = "[email protected]"
display_name = "Adam Connelly"
password = "SuperSecret01@!"
force_password_change = true
}
resource "azuread_user" "bobd" {
user_principal_name = "[email protected]"
display_name = "Bob Dolton"
password = "SuperSecret01@!"
force_password_change = true
}
resource "azuread_group" "development" {
display_name = "Development"
members = [
azuread_user.adamc.id
]
}
resource "azuread_group" "sales" {
display_name = "Sales"
members = [
azuread_user.bobd.id
]
}
Example 2 – Creating a Service Principal and granting RBAC permissions
The following example combines the Azure AD provider with the Azure RM provider, allowing you to create a Service Principal and assign it permission to manage certain Azure resources:
# Create an AD Application
resource "azuread_application" "automation" {
display_name = "sp-automation"
}
# Create a Service Principal from that Application
resource "azuread_service_principal" "automation" {
application_id = azuread_application.automation.application_id
app_role_assignment_required = false
}
# Get information about the configured Azure subscription
data "azurerm_subscription" "primary" {}
# Grant our service principal "Contributor" access over the subscription
resource "azurerm_role_assignment" "automation_contributor" {
scope = data.azurerm_subscription.primary.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.automation.object_id
}
Key Points
In this post, we’ve covered what the Azure AD Terraform provider is used for, how to authenticate and grant the correct permissions, as well as showing a few examples of what can be done with it. Hopefully, you’ve found it useful!
First Published here