The can be used to manage your Azure Active Directory resources declaratively. This allows you to do things like: Azure AD provider for Terraform Automatically provision users and make sure they belong to the correct groups. Manage Azure compute permissions via Azure AD groups. In this post, you will learn what the Azure AD Terraform provider is used for, how to authenticate and grant permissions and see examples of what you can do with it. Let’s get started. Step 1 - Create a Group in Azure AD The following example shows how to use the Azure AD provider to create a in Azure AD: group terraform {
 required_providers {
   azuread = {
     source  = "hashicorp/azuread"
     version = "= 1.6.0"
   }
 }
}

resource "azuread_group" "test" {
 display_name = "Test Group"
} The section at the beginning is used to specify the version of the provider that we want to use, while the resource defines our group. terraform azuread_group Step 2 - Authenticate with Azure The Azure AD provider allows for multiple authentication methods, which are outlined in the . To allow you to get up and running quickly, the AD provider will attempt to get your credentials via the . provider’s documentation Azure CLI While this is fine for experimentation and local testing, for non-interactive scenarios like CI you will need to use a or a . Service Principal Managed Service Identity Step 3 - Grant Permissions In order to manage your Azure AD objects, the account used by needs to have the correct permissions to perform its actions. You can manage these permissions via the Roles and administrators section of Azure AD: Terraform For example, to allow a Service Principal to manage groups, you would add it to the Groups administrator role: The Terraform provider is well documented and will typically contain a notice at the top of each resource explaining the permissions that are required for using it. Step 4 - Assign API Permissions Another option that can be used with Service Principals instead of granting an administrator role is to assign specific API permissions to them. To do this, first find the AD Application linked to your Service Principal in the section: App Registrations Go to the page for the application, and click on : API permissions Add a permission In the window that appears, choose the API, and then select the relevant permission you want to add: Azure Active Directory Graph Before the Service Principal can actually use the permission you just added, you need to take a final step called granting . You can do this by clicking on the button displayed above the permissions table: Admin Consent Grant admin consent for <tenant> NOTES: When adding permissions to your Service Principal, you need to add rather than . This means that the Service Principal is allowed to perform the specified actions as itself, rather than on behalf of another user. Application permissions Delegated permissions The set of permissions that you can add via API permissions is quite limited. For example, to create AD groups, you need to add the permission, but this will not allow your Service Principal to delete any of the groups it creates. In order to be able to delete groups, you need to grant it the role, so depending on your requirements, there may not be any point in granting API permissions. Directory.ReadWrite.All Group Administrator The Azure AD Terraform provider switches to the as of version 2.0.0, so when version 2 is released, you will need to grant permissions to the instead of to the . Microsoft Graph API Microsoft Graph API Azure Active Directory Graph API More Examples Example 1 – Managing Users and Groups The following example creates two users and two groups and assigns each user to a group: resource "azuread_user" "adamc" {
 user_principal_name   = "adamc@mydomain.com"
 display_name          = "Adam Connelly"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_user" "bobd" {
 user_principal_name   = "bobd@mydomain.com"
 display_name          = "Bob Dolton"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_group" "development" {
 display_name = "Development"
 members = [
   azuread_user.adamc.id
 ]
}

resource "azuread_group" "sales" {
 display_name = "Sales"
 members = [
   azuread_user.bobd.id
 ]
} Example 2 – Creating a Service Principal and granting RBAC permissions The following example combines the Azure AD provider with the , allowing you to create a Service Principal and assign it permission to manage certain Azure resources: Azure RM provider # Create an AD Application
resource "azuread_application" "automation" {
 display_name = "sp-automation"
}

# Create a Service Principal from that Application
resource "azuread_service_principal" "automation" {
 application_id               = azuread_application.automation.application_id
 app_role_assignment_required = false
}

# Get information about the configured Azure subscription
data "azurerm_subscription" "primary" {}

# Grant our service principal "Contributor" access over the subscription
resource "azurerm_role_assignment" "automation_contributor" {
 scope                = data.azurerm_subscription.primary.id
 role_definition_name = "Contributor"
 principal_id         = azuread_service_principal.automation.object_id
} Key Points In this post, we’ve covered what the Azure AD Terraform provider is used for, how to authenticate and grant the correct permissions, as well as showing a few examples of what can be done with it. Hopefully, you’ve found it useful! First Published here

Microsoft

ReadWrite

Read My Stories

Too Long; Didn't Read

Make resilience your competitive advantage

Managing Active Directory Objects with Azure AD Provider for Terraform

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

10 reasons to give cloud computing a go

10 Microsoft Azure Courses for Beginners to Learn Azure Cloud Computing

The Noonification: Proglogging: The Developers Detective Toolkit (10/9/2023)

Top 10 AI Development Companies in USA

2023 Will Be the Year of Kubernetes (and Other Predictions in the Cloud and Infrastructure Industry)

10 reasons to give cloud computing a go

10 Microsoft Azure Courses for Beginners to Learn Azure Cloud Computing

The Noonification: Proglogging: The Developers Detective Toolkit (10/9/2023)

Top 10 AI Development Companies in USA

2023 Will Be the Year of Kubernetes (and Other Predictions in the Cloud and Infrastructure Industry)

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps