hashicorp · katbyte · Jul 12, 2019 · Mar 13, 2019 · Mar 13, 2019 · Mar 13, 2019
diff --git a/azuread/helpers/graph/group.go b/azuread/helpers/graph/group.go
@@ -0,0 +1,64 @@
+package graph
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
+)
+
+func GroupAllMembers(groupId string, client graphrbac.GroupsClient, ctx context.Context) ([]string, error) {
+	it, err := client.GetGroupMembersComplete(ctx, groupId)
+
+	if err != nil {
+		return nil, fmt.Errorf("Error listing existing group members from Azure AD Group with ID %q: %+v", groupId, err)
+	}
+
+	existingMembers := make([]string, 0)
+
+	var memberObjectID string
+	for it.NotDone() {
+		// possible members are users, groups or service principals
+		// we try to 'cast' each result as the corresponding type and diff
+		// if we found the object we're looking for
+		user, _ := it.Value().AsUser()
+		if user != nil {
+			memberObjectID = *user.ObjectID
+		}
+
+		group, _ := it.Value().AsADGroup()
+		if group != nil {
+			memberObjectID = *group.ObjectID
+		}
+
+		servicePrincipal, _ := it.Value().AsServicePrincipal()
+		if servicePrincipal != nil {
+			memberObjectID = *servicePrincipal.ObjectID
+		}
+
+		existingMembers = append(existingMembers, memberObjectID)
+		if err := it.NextWithContext(ctx); err != nil {
+			return nil, fmt.Errorf("Error during pagination of group members from Azure AD Group with ID %q: %+v", groupId, err)
+		}
+	}
+
+	log.Printf("[DEBUG] %d members in Azure AD group with ID: %q", len(existingMembers), groupId)
+
+	return existingMembers, nil
+}
+
+func GroupAddMember(groupId string, member string, client graphrbac.GroupsClient, ctx context.Context) error {
+	memberGraphURL := fmt.Sprintf("https://graph.windows.net/%s/directoryObjects/%s", client.TenantID, member)
+
+	properties := graphrbac.GroupAddMemberParameters{
+		URL: &memberGraphURL,
+	}
+
+	log.Printf("[DEBUG] Adding member with id %q to Azure AD group with id %q", member, groupId)
+	if _, err := client.AddMember(ctx, groupId, properties); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/azuread/helpers/slices/slices.go b/azuread/helpers/slices/slices.go
@@ -0,0 +1,16 @@
+package slices
+
+// difference returns the elements in `a` that aren't in `b`.
+func Difference(a, b []string) []string {
+	mb := make(map[string]struct{}, len(b))
+	for _, x := range b {
+		mb[x] = struct{}{}
+	}
+	var diff []string
+	for _, x := range a {
+		if _, found := mb[x]; !found {
+			diff = append(diff, x)
+		}
+	}
+	return diff
+}
diff --git a/azuread/provider.go b/azuread/provider.go
@@ -85,6 +85,7 @@ func Provider() terraform.ResourceProvider {
 			"azuread_application":                resourceApplication(),
 			"azuread_application_password":       resourceApplicationPassword(),
 			"azuread_group":                      resourceGroup(),
+			"azuread_group_member":               resourceGroupMember(),
 			"azuread_service_principal":          resourceServicePrincipal(),
 			"azuread_service_principal_password": resourceServicePrincipalPassword(),
 			"azuread_user":                       resourceUser(),

diff --git a/azuread/resource_group.go b/azuread/resource_group.go
@@ -4,6 +4,10 @@ import (
 	"fmt"
 	"log"
 
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/slices"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/tf"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate"
+
 	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
 	"github.com/google/uuid"
 	"github.com/hashicorp/terraform/helper/schema"
@@ -17,6 +21,7 @@ func resourceGroup() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGroupCreate,
 		Read:   resourceGroupRead,
+		Update: resourceGroupUpdate,
 		Delete: resourceGroupDelete,
 
 		Importer: &schema.ResourceImporter{
@@ -35,6 +40,18 @@ func resourceGroup() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+
+			"members": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Computed: true,
+				Set:      schema.HashString,
+				ForceNew: false,
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validate.UUID,
+				},
+			},
 		},
 	}
 }
@@ -61,6 +78,19 @@ func resourceGroupCreate(d *schema.ResourceData, meta interface{}) error {
 	}
 	d.SetId(*group.ObjectID)
 
+	// Add members if specified
+	if v, ok := d.GetOk("members"); ok {
+		members := tf.ExpandStringSlicePtr(v.(*schema.Set).List())
+
+		for _, memberUuid := range *members {
+			err := graph.GroupAddMember(*group.ObjectID, memberUuid, client, ctx)
+
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	_, err = graph.WaitForReplication(func() (interface{}, error) {
 		return client.Get(ctx, *group.ObjectID)
 	})
@@ -88,9 +118,50 @@ func resourceGroupRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("name", resp.DisplayName)
 	d.Set("object_id", resp.ObjectID)
+
+	members, err := graph.GroupAllMembers(d.Id(), client, ctx)
+	if err != nil {
+		return err
+	}
+
+	d.Set("members", members)
+
 	return nil
 }
 
+func resourceGroupUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).groupsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	if v, ok := d.GetOkExists("members"); ok && d.HasChange("members") {
+		existingMembers, err := graph.GroupAllMembers(d.Id(), client, ctx)
+		if err != nil {
+			return err
+		}
+
+		desiredMembers := *tf.ExpandStringSlicePtr(v.(*schema.Set).List())
+		membersForRemoval := slices.Difference(existingMembers, desiredMembers)
+		membersToAdd := slices.Difference(desiredMembers, existingMembers)
+
+		for _, existingMember := range membersForRemoval {
+			log.Printf("[DEBUG] Removing member with id %q from Azure AD group with id %q", existingMember, d.Id())
+			if resp, err := client.RemoveMember(ctx, d.Id(), existingMember); err != nil {
+				if !ar.ResponseWasNotFound(resp) {
+					return fmt.Errorf("Error Deleting group member %q from Azure AD Group with ID %q: %+v", existingMember, d.Id(), err)
+				}
+			}
+		}
+
+		for _, newMember := range membersToAdd {
+			if err := graph.GroupAddMember(d.Id(), newMember, client, ctx); err != nil {
+				return err
+			}
+		}
+	}
+
+	return resourceGroupRead(d, meta)
+}
+
 func resourceGroupDelete(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*ArmClient).groupsClient
 	ctx := meta.(*ArmClient).StopContext

diff --git a/azuread/resource_group_member.go b/azuread/resource_group_member.go
@@ -0,0 +1,113 @@
+package azuread
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate"
+)
+
+func resourceGroupMember() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGroupMemberCreate,
+		Read:   resourceGroupMemberRead,
+		Delete: resourceGroupMemberDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"group_object_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validate.UUID,
+			},
+			"member_object_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: validate.UUID,
+			},
+		},
+	}
+}
+
+func resourceGroupMemberCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).groupsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	groupID := d.Get("group_object_id").(string)
+	memberID := d.Get("member_object_id").(string)
+
+	if err := graph.GroupAddMember(groupID, memberID, client, ctx); err != nil {
+		return err
+	}
+
+	id := fmt.Sprintf("%s/%s", groupID, memberID)
+	d.SetId(id)
+
+	return resourceGroupMemberRead(d, meta)
+}
+
+func resourceGroupMemberRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).groupsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id := strings.Split(d.Id(), "/")
+	if len(id) != 2 {
+		return fmt.Errorf("ID should be in the format {groupObjectId}/{memberObjectId} - but got %q", d.Id())
+	}
+
+	groupID := id[0]
+	memberID := id[1]
+
+	members, err := graph.GroupAllMembers(groupID, client, ctx)
+	if err != nil {
+		return fmt.Errorf("Error retrieving Azure AD Group members (groupObjectId: %q): %+v", groupID, err)
+	}
+
+	var memberObjectID string
+
+	for _, objectID := range members {
+		if objectID == memberID {
+			memberObjectID = objectID
+		}
+	}
+
+	if memberObjectID == "" {
+		d.SetId("")
+		return fmt.Errorf("Azure AD Group Member not found - groupObjectId:%q / memberObjectId:%q", groupID, memberID)
+	}
+
+	d.Set("group_object_id", groupID)
+	d.Set("member_object_id", memberObjectID)
+
+	return nil
+}
+
+func resourceGroupMemberDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).groupsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	id := strings.Split(d.Id(), "/")
+	if len(id) != 2 {
+		return fmt.Errorf("ID should be in the format {groupObjectId}/{memberObjectId} - but got %q", d.Id())
+	}
+
+	groupID := id[0]
+	memberID := id[1]
+
+	resp, err := client.RemoveMember(ctx, groupID, memberID)
+	if err != nil {
+		if !ar.ResponseWasNotFound(resp) {
+			return fmt.Errorf("Error removing Member (memberObjectId: %q) from Azure AD Group (groupObjectId: %q): %+v", memberID, groupID, err)
+		}
+	}
+
+	return nil
+}