Merge pull request #5 from quantum-sec/feature/XDR-3403

XDR-3403: Update Terraform's Azuread provider to 2.x

examples/azuread-application/main.tf

@@ -1,25 +1,25 @@
 terraform {
   required_version = ">= 0.12.26"
   required_providers {
-    aws = {
+    azuread = {
       source  = "hashicorp/azuread"
-      version = "1.3.0"
+      version = "2.22.0"
     }
   }
 }
 
 module "azuread_application" {
   source = "../../modules/azuread-application"
 
-  name                       = var.name
-  homepage                   = var.homepage
-  identifier_uris            = var.identifier_uris
-  reply_urls                 = var.reply_urls
-  logout_url                 = var.logout_url
-  available_to_other_tenants = var.available_to_other_tenants
-  public_client              = var.public_client
-  oauth2_allow_implicit_flow = var.oauth2_allow_implicit_flow
-  group_membership_claims    = var.group_membership_claims
-  owners                     = var.owners
-  oauth2_permissions         = var.oauth2_permissions
+  display_name                            = var.display_name
+  homepage_url                            = var.homepage_url
+  identifier_uris                         = var.identifier_uris
+  redirect_uris                           = var.redirect_uris
+  logout_url                              = var.logout_url
+  sign_in_audience                        = var.sign_in_audience
+  fallback_public_client_enabled          = var.fallback_public_client_enabled
+  oauth2_implicit_flow_allow_access_token = var.oauth2_implicit_flow_allow_access_token
+  group_membership_claims                 = var.group_membership_claims
+  owners                                  = var.owners
+  oauth2_permission_scopes                = var.oauth2_permission_scopes
 }

examples/azuread-application/vars.tf

@@ -1,10 +1,10 @@
-variable "name" {
+variable "display_name" {
   description = "The display name for the application."
   type        = string
   default     = "test-azuread-application"
 }
 
-variable "homepage" {
+variable "homepage_url" {
   description = "The URL to the application's home page. If no homepage is specified this defaults to `https://{name}`."
   type        = string
   default     = null
@@ -16,7 +16,7 @@ variable "identifier_uris" {
   default     = []
 }
 
-variable "reply_urls" {
+variable "redirect_uris" {
   description = "A set of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to."
   type        = set(string)
   default     = []
@@ -28,28 +28,28 @@ variable "logout_url" {
   default     = null
 }
 
-variable "available_to_other_tenants" {
+variable "sign_in_audience" {
   description = "Whether or not this Azure AD application is available to other tenants."
-  type        = bool
-  default     = false
+  type        = string
+  default     = "AzureADMyOrg"
 }
 
-variable "public_client" {
+variable "fallback_public_client_enabled" {
   description = "Whether or not this Azure AD application is a public client."
   type        = bool
   default     = false
 }
 
-variable "oauth2_allow_implicit_flow" {
+variable "oauth2_implicit_flow_allow_access_token" {
   description = "Whether or not the OAuth 2.0 implicit flow is allowed for this application."
   type        = bool
   default     = false
 }
 
 variable "group_membership_claims" {
   description = "Configures the `groups` claim issued in a user or OAuth 2.0 access token that the app expects. One of `None`, `SecurityGroup`, `DirectoryRole`, `ApplicationGroup`, or `All`."
-  type        = string
-  default     = null
+  type        = set(string)
+  default     = []
 }
 
 variable "owners" {
@@ -58,16 +58,26 @@ variable "owners" {
   default     = null
 }
 
-variable "oauth2_permissions" {
+variable "oauth2_permission_scopes" {
   description = "A set of OAuth 2.0 permission scopes granted to clients."
-  type = set(object({
+  type = map(object({
     admin_consent_description  = string
     admin_consent_display_name = string
     value                      = string
     type                       = string
-    is_enabled                 = bool
+    enabled                    = bool
     user_consent_description   = string
     user_consent_display_name  = string
   }))
-  default = []
+  default = {
+    scope1 = {
+      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user"
+      admin_consent_display_name = "Access example"
+      value                      = "user_impersonation"
+      type                       = "User"
+      enabled                    = true
+      user_consent_description   = "Allow the application to access example on your behalf."
+      user_consent_display_name  = "Access example"
+    }
+  }
 }

examples/azuread-service-principal/main.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_version = ">= 0.12.26"
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.22.0"
+    }
+  }
+}
+
+module "azuread_app" {
+  source       = "../../modules/azuread-application"
+  display_name = "exampleadapplication"
+}
+
+module "azuread-service-principal" {
+  source = "../../modules/azuread-service-principal"
+
+  application_id = module.azuread_app.application_id
+}
+
+output "password" {
+  value     = module.azuread-service-principal.password
+  sensitive = true
+}
+
+output "key_id" {
+  value = module.azuread-service-principal.password_key_id
+}

modules/azuread-application/main.tf

@@ -8,34 +8,53 @@ terraform {
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 1.3"
+      version = "~> 2.22"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.2"
     }
   }
 }
 
+resource "random_uuid" "oauth2_permission_scope_id" {
+  for_each = var.oauth2_permission_scopes
+}
+
 resource "azuread_application" "app" {
-  display_name               = var.name
-  homepage                   = var.homepage
-  identifier_uris            = var.identifier_uris
-  reply_urls                 = var.reply_urls
-  logout_url                 = var.logout_url
-  available_to_other_tenants = var.available_to_other_tenants
-  public_client              = var.public_client
-  oauth2_allow_implicit_flow = var.oauth2_allow_implicit_flow
-  group_membership_claims    = var.group_membership_claims
-  owners                     = var.owners
-
-  dynamic "oauth2_permissions" {
-    for_each = var.oauth2_permissions
-
-    content {
-      admin_consent_description  = oauth2_permissions.value.admin_consent_description
-      admin_consent_display_name = oauth2_permissions.value.admin_consent_display_name
-      value                      = oauth2_permissions.value.value
-      type                       = oauth2_permissions.value.type
-      is_enabled                 = oauth2_permissions.value.is_enabled
-      user_consent_description   = oauth2_permissions.value.user_consent_description
-      user_consent_display_name  = oauth2_permissions.value.user_consent_display_name
+  display_name    = var.display_name
+  identifier_uris = var.identifier_uris
+
+  group_membership_claims = var.group_membership_claims
+  owners                  = var.owners
+
+  sign_in_audience               = var.sign_in_audience
+  fallback_public_client_enabled = var.fallback_public_client_enabled
+
+  web {
+    homepage_url  = var.homepage_url
+    logout_url    = var.logout_url
+    redirect_uris = var.redirect_uris
+
+    implicit_grant {
+      access_token_issuance_enabled = var.oauth2_implicit_flow_allow_access_token
+    }
+  }
+
+  api {
+    dynamic "oauth2_permission_scope" {
+      for_each = var.oauth2_permission_scopes
+
+      content {
+        admin_consent_description  = oauth2_permission_scope.value.admin_consent_description
+        admin_consent_display_name = oauth2_permission_scope.value.admin_consent_display_name
+        value                      = oauth2_permission_scope.value.value
+        type                       = oauth2_permission_scope.value.type
+        enabled                    = oauth2_permission_scope.value.enabled
+        user_consent_description   = oauth2_permission_scope.value.user_consent_description
+        user_consent_display_name  = oauth2_permission_scope.value.user_consent_display_name
+        id                         = random_uuid.oauth2_permission_scope_id[oauth2_permission_scope.key].result
+      }
     }
   }
 }

modules/azuread-application/vars.tf

@@ -1,9 +1,9 @@
-variable "name" {
+variable "display_name" {
   description = "The display name for the application."
   type        = string
 }
 
-variable "homepage" {
+variable "homepage_url" {
   description = "The URL to the application's home page. If no homepage is specified this defaults to `https://{name}`."
   type        = string
   default     = null
@@ -15,7 +15,7 @@ variable "identifier_uris" {
   default     = []
 }
 
-variable "reply_urls" {
+variable "redirect_uris" {
   description = "A set of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to."
   type        = set(string)
   default     = []
@@ -27,28 +27,41 @@ variable "logout_url" {
   default     = null
 }
 
-variable "available_to_other_tenants" {
-  description = "Whether or not this Azure AD application is available to other tenants."
-  type        = bool
-  default     = false
+variable "sign_in_audience" {
+  description = "The Microsoft account types that are supported for the current application."
+  type        = string
+  default     = "AzureADMyOrg"
+  validation {
+    condition = contains([
+      "AzureADMyOrg",
+      "AzureADMultipleOrgs",
+      "AzureADandPersonalMicrosoftAccount",
+      "PersonalMicrosoftAccount"],
+    var.sign_in_audience)
+    error_message = "Allowed values for input_parameter are \"AzureADMyOrg\", \"AzureADMultipleOrgs\", \"AzureADandPersonalMicrosoftAccount\" or \"PersonalMicrosoftAccount\"."
+  }
 }
 
-variable "public_client" {
+variable "fallback_public_client_enabled" {
   description = "Whether or not this Azure AD application is a public client."
   type        = bool
   default     = false
 }
 
-variable "oauth2_allow_implicit_flow" {
-  description = "Whether or not the OAuth 2.0 implicit flow is allowed for this application."
+variable "oauth2_implicit_flow_allow_access_token" {
+  description = "Whether or not application can request an access token using OAuth 2.0 implicit flow."
   type        = bool
   default     = false
 }
 
 variable "group_membership_claims" {
   description = "Configures the `groups` claim issued in a user or OAuth 2.0 access token that the app expects. One of `None`, `SecurityGroup`, `DirectoryRole`, `ApplicationGroup`, or `All`."
-  type        = string
-  default     = null
+  type        = set(string)
+  validation {
+    condition     = can([for c in var.group_membership_claims : contains(["None", "SecurityGroup", "DirectoryRole", "ApplicationGroup", "All"], c)])
+    error_message = "Allowed values for input_parameter are \"None\", \"SecurityGroup\", \"DirectoryRole\", \"ApplicationGroup\" or \"All\"."
+  }
+  default = []
 }
 
 variable "owners" {
@@ -57,16 +70,16 @@ variable "owners" {
   default     = null
 }
 
-variable "oauth2_permissions" {
+variable "oauth2_permission_scopes" {
   description = "A set of OAuth 2.0 permission scopes granted to clients."
-  type = set(object({
+  type = map(object({
     admin_consent_description  = string
     admin_consent_display_name = string
     value                      = string
     type                       = string
-    is_enabled                 = bool
+    enabled                    = bool
     user_consent_description   = string
     user_consent_display_name  = string
   }))
-  default = []
+  default = {}
 }

modules/azuread-service-principal/main.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 1.3"
+      version = "~> 2.22"
     }
 
     random = {
@@ -18,12 +18,6 @@ terraform {
   }
 }
 
-resource "random_password" "service_principal_password" {
-  length           = 32
-  special          = true
-  override_special = "._"
-}
-
 resource "azuread_service_principal" "service_principal" {
   application_id               = var.application_id
   app_role_assignment_required = var.app_role_assignment_required
@@ -33,6 +27,6 @@ resource "azuread_service_principal_password" "password" {
   depends_on = [azuread_service_principal.service_principal]
 
   service_principal_id = azuread_service_principal.service_principal.id
-  value                = var.password != null ? var.password : random_password.service_principal_password.result
-  end_date_relative    = var.end_date_relative
+
+  end_date_relative = var.end_date_relative
 }

modules/azuread-service-principal/outputs.tf

@@ -18,18 +18,14 @@ output "app_role_assignment_required" {
   value       = azuread_service_principal.service_principal.app_role_assignment_required
 }
 
-output "oauth2_permissions" {
-  description = "A collection of OAuth 2.0 permissions exposed by the associated application."
-  value       = azuread_service_principal.service_principal.oauth2_permissions
-}
 
 output "password_key_id" {
   description = "The key ID for the service principal password."
-  value       = azuread_service_principal_password.password.id
+  value       = azuread_service_principal_password.password.key_id
 }
 
 output "password" {
-  description = "The randomly generated password for this service principal."
-  value       = var.password == null ? random_password.service_principal_password.result : null
+  description = "The randomly generated password by Azure Active Directory for this service principal."
+  value       = azuread_service_principal_password.password.value
   sensitive   = true
 }

modules/azuread-service-principal/vars.tf

@@ -9,13 +9,6 @@ variable "app_role_assignment_required" {
   default     = false
 }
 
-variable "password" {
-  description = "The password for this service principal. If this is omitted, a random password will be generated."
-  type        = string
-  default     = null
-  sensitive   = true
-}
-
 variable "end_date_relative" {
   description = "A relative duration for which the password is valid until."
   type        = string