Commit
Rename some fields to make more sense
Showing 3 changed files with 209 additions and 25 deletions.
@@ -0,0 +1,173 @@ | ||
--- | ||
subcategory: "Policies" | ||
--- | ||
|
||
# Resource: azuread_group_role_management_policy | ||
|
||
Manage a role policy for an Azure AD group. | ||
|
||
## API Permissions | ||
|
||
The following API permissions are required in order to use this resource. | ||
|
||
When authenticated with a service principal, this resource requires the `RoleManagementPolicy.ReadWrite.AzureADGroup` Microsoft Graph API permissions. | ||
|
||
When authenticated with a user principal, this resource requires `Global Administrator` directory role, or the `Privileged Role Administrator` role in Identity Governance. | ||
|
||
## Example Usage | ||
|
||
```terraform | ||
resource "azuread_group" "example" { | ||
display_name = "group-name" | ||
security_enabled = true | ||
} | ||
resource "azuread_user" "member" { | ||
user_principal_name = "jdoe@hashicorp.com" | ||
display_name = "J. Doe" | ||
mail_nickname = "jdoe" | ||
password = "SecretP@sswd99!" | ||
} | ||
resource "azuread_group_role_management_policy" "example" { | ||
object_id = azuread_group.example.id | ||
assignment_type = "member" | ||
eligible_assignment_rules { | ||
expiration_required = false | ||
} | ||
active_assignment_rules { | ||
expire_after = "P365D" | ||
} | ||
notification_rules { | ||
approver_notifications { | ||
eligible_assignments { | ||
notification_level = "Critical" | ||
default_recipients = false | ||
additional_recipients = [ | ||
"someone@example.com", | ||
"someone.else@example.com", | ||
] | ||
} | ||
} | ||
} | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
* `object_id` - (Required) The Object ID of the Azure AD group for which the policy applies. | ||
* `assignment_type` - (Required) The type of assignment this policy coveres. Can be either `member` or `owner`. | ||
* `active_assignment_rules` - (Optional) An `active_assignment_rules` block as defined below. | ||
* `activation_rules` - (Optional) An `activation_rules` block as defined below. | ||
* `eligible_assignment_rules` - (Optional) An `eligible_assignment_rules` block as defined below. | ||
* `notification_rules` - (Optional) An `notification_rules` block as defined below. | ||
|
||
--- | ||
|
||
An `active_assignment_rules` block supports the following: | ||
|
||
* `expiration_required` - (Optional) Must an assignment have an expiry date. `false` allows permanent assignment. | ||
* `expire_after` - (Optional) The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`. | ||
* `require_multifactor_authentication` - (Optional) Is multi-factor authentication required to create new assignments. | ||
* `require_justification` - (Optional) Is a justification required to create new assignments. | ||
* `require_ticket_info` - (Optional) Is ticket information required to create new assignments. | ||
|
||
One of `expiration_required` or `expire_after` must be provided. | ||
|
||
--- | ||
|
||
An `activation_rules` block supports the following: | ||
|
||
* `maximum_duration` - (Optional) The maximum length of time an activated role can be valid, in an IS)8601 Duration format (e.g. `PT8H`). Valid range is `PT30M` to `PT23H30M`, in 30 minute increments, or `PT1D`. | ||
* `approval_stages` - (Optional) An `approval_stages` block as defined below. | ||
* `require_approval` - (Optional) Is approval required for activation. If `true` an `approval_stages` block must be provided. | ||
* `required_conditional_access_authentication_context` - (Optional) The Entra ID Conditional Access context that must be present for activation. Conflicts with `require_multifactor_authentication`. | ||
* `require_multifactor_authentication` - (Optional) Is multi-factor authentication required to activate the role. Conflicts with `required_conditional_access_authentication_context`. | ||
* `require_justification` - (Optional) Is a justification required during activation of the role. | ||
* `require_ticket_info` - (Optional) Is ticket information requrired during activation of the role. | ||
|
||
--- | ||
|
||
An `admin_notifications` block supports the following: | ||
|
||
* `activations` An optional `notification_settings` block as defined below for configuring notifications to adminstrators of role activations. | ||
* `active_assignments` An optional `notification_settings` block as defined below for configuring notifications to adminstrators of new active assignments. | ||
* `eligible_assignments` An optional `notification_settings` block as defined below for configuring notifications to adminstrators of new eligible assignments. | ||
|
||
--- | ||
|
||
An `approval_stages` block supports the following: | ||
|
||
* One or more `primary_approver` blocks as defined below. | ||
|
||
--- | ||
|
||
An `approver_notifications` block supports the following: | ||
|
||
* `activations` - An optional `notification_settings` block as defined below for configuring notifications to approvers of new activation request. | ||
* `active_assignments` - An optional `notification_settings` block as defined below for configuring notifications to approvers of new active assignment requests. | ||
* `eligible_assignments` - An optional `notification_settings` block as defined below for configuring notifications to approvers of new eligible assignment requests. | ||
|
||
--- | ||
|
||
An `assignee_notifications` block supports the following: | ||
|
||
* `activations` - An optional `notification_settings` block as defined below for configuring notifications to assignees of role activations. | ||
* `active_assignments` - An optional `notification_settings` block as defined below for configuring notifications to assignees of new active assignments. | ||
* `eligible_assignments` - An optional `notification_settings` block as defined below for configuring notifications to assignees of new eligible assignments. | ||
|
||
--- | ||
|
||
An `eligible_assignment_rules` block supports the following: | ||
|
||
* `expiration_required`- Must an assignment have an expiry date. `false` allows permanent assignment. | ||
* `expire_after` - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`. | ||
|
||
One of `expiration_required` or `expire_after` must be provided. | ||
|
||
--- | ||
|
||
A `notification_rules` block supports the following: | ||
|
||
* `admin_notifications` - (Optional) An `admin_notifications` block as defined above. | ||
* `approver_notifications` - (Optional) An `approver_notifications` block as defined above. | ||
* `assignee_notifications` - (Optional) An `assignee_notifications` block as defined above. | ||
|
||
--- | ||
|
||
A `notification_settings` block supports the following: | ||
|
||
* `notification_level` - (Required) What level of notifications should be sent. Options are `All` or `Critical`. | ||
* `default_recipients` - (Required) Should the default recipients receive these notifications. | ||
* `additional_recipients` - (Optional) A list of additional email addresses that will receive these notifications. | ||
|
||
--- | ||
|
||
A `primary_approver` block supports the following: | ||
|
||
* `user_id` - (Required) The ID of the user or group which will act as an approver. | ||
* `group_id` - (Required) The ID of the user or group which will act as an approver. | ||
* `description` - (Required) A description of the approver. | ||
|
||
Only one of `user_id` or `group_id` can be supplied per block. Multiple approvers can be set by providing multiple `primary_approver` blocks. | ||
|
||
## Attributes Reference | ||
|
||
In addition to all arguments above, the following attributes are exported: | ||
|
||
* `id` (String) The ID of this policy. | ||
* `display_name` (String) The display name of this policy. | ||
* `description` (String) The description of this policy. | ||
|
||
## Import | ||
|
||
An assignment schedule can be imported using the ID, e.g. | ||
|
||
```shell | ||
terraform import azuread_privileged_access_group_eligibility_schedule_request.example Group_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000 | ||
``` | ||
|
||
Because these policies are created automatically by Entra ID, they will auto-import on first use. |
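Review bot: the Import section at the end of this hunk documents the wrong resource: the `terraform import` line targets `azuread_privileged_access_group_eligibility_schedule_request.example` and the sentence above it says "An assignment schedule can be imported", while the page is for `azuread_group_role_management_policy`; the command should read `terraform import azuread_group_role_management_policy.example <policy ID>` with the ID format matching the exported `id` attribute, and the prose should refer to the policy. In the `primary_approver` block, `user_id` and `group_id` are both marked `(Required)` yet the note beneath says only one may be supplied per block, so both should be `(Optional)` with the "exactly one of" constraint stated, and `group_id` should describe a group rather than "user or group". The `eligible_assignment_rules` arguments lack the `(Optional)` markers used in every other block, and `` `expiration_required`- `` is missing a space before the dash. The example defines `azuread_user.member`, including a literal `password`, but never references it; dropping that resource keeps the example minimal and avoids shipping a credential-shaped value in docs. Spelling: "coveres", "IS)8601", "requrired", "adminstrators" (three occurrences), and "An `notification_rules` block" should be "A `notification_rules` block".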