
Support for required_resource_access in azurerm_function_app.identity where SystemAssigned #6557

Closed
petersgiles opened this issue Apr 20, 2020 · 6 comments

Comments

@petersgiles

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Normally I need to do this with PowerShell, which means the changes I make aren't maintained in state (horrible)

```powershell
$TenantID = ...
$DisplayNameOfMSI = "function_name"

# Connect to Azure AD
Connect-AzureAD -TenantId $TenantID

# Get the Microsoft Graph service principal
$GraphAppId = "00000003-0000-0000-c000-000000000000" # well-known application ID of Microsoft Graph, identical in every tenant
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Get the managed identity's service principal (its display name is the function app name).
# Filter server-side: without -All, an unfiltered Get-AzureADServicePrincipal only returns the first 100 objects.
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"

# Assign Roles: grant each Microsoft Graph application permission (app role) to the managed identity
$Permissions = @("Group.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All")
foreach ($Permission in $Permissions) {
    # only app roles that allow "Application" members can be held by a service principal
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

# SHOW ME WHAT YOU GOT! (list the app role assignments on Microsoft Graph held by the managed identity)
Get-AzureADServiceAppRoleAssignment -ObjectId $GraphServicePrincipal.ObjectId | Where-Object { $_.PrincipalDisplayName -eq $DisplayNameOfMSI } | Format-List
```

New or Affected Resource(s)

  • azurerm_function_app

Potential Terraform Configuration

```hcl
resource "azurerm_function_app" "example" {
  name                      = "function_name"
  resource_group_name       = ...
  location                  = ...
  app_service_plan_id       = azurerm_app_service_plan..id
  storage_connection_string = azurerm_storage_account.storage.primary_connection_string
  version                   = "~3"

  identity {
    type = "SystemAssigned"

    required_resource_access {
      # Microsoft Graph (the legacy Azure AD Graph is 00000002-0000-0000-c000-000000000000)
      resource_app_id = "00000003-0000-0000-c000-000000000000"

      # by name
      resource_access {
        name = "User.Read"
        type = "Scope"
      }

      # or by ID
      # The "Read and write all applications" permission. Get the ID from:
      # az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='Application.ReadWrite.All']"
      resource_access {
        id   = [SOME GUID]
        type = "Role"
      }
    }

  }
}
```

References

@aristosvo
Collaborator

@petersgiles I can probably help, but what is wrong with azurerm_role_assignment?

@petersgiles
Author

Maybe nothing.

How would I use it with the managed service identity created on a function app, as per my example, to grant access to the MS Graph role Group.ReadWrite.All?

This issue might be resolved with a specific example in the documentation.

@yuri-tieto

> @petersgiles I can probably help, but what is wrong with azurerm_role_assignment?

azurerm_role_assignment can only be used to assign a role to subscription resources. It doesn't work with Azure AD permissions and roles. I would like to generalise the request and split it into two parts: UserAssigned and SystemAssigned Managed Identities. In the case where the user creates the Managed Identity (UserManaged), it would be great to be able to configure required_resource_access to define what Azure AD permissions the Managed Identity should have.
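The Terraform side of the request, as an added example that is not part of the issue or of the providers' own documentation. It serves both the original ask (grant a function app's system-assigned identity the Microsoft Graph application permission Group.ReadWrite.All from Terraform) and the distinction drawn in the comment above (azurerm_role_assignment is Azure RBAC on ARM resources, not Azure AD). It assumes the azurerm 2.x/3.x schema for azurerm_function_app and azurerm_app_service_plan that the issue uses (azurerm 4.x dropped both in favour of azurerm_linux_function_app / azurerm_windows_function_app and azurerm_service_plan; the identity block is the same), an azuread provider at 3.x (data source azuread_service_principal with client_id and app_role_ids, resource azuread_app_role_assignment), and a principal running Terraform that may create app role assignments on Microsoft Graph (for a service principal, AppRoleAssignment.ReadWrite.All plus Application.Read.All; for a user, a directory role such as Application Administrator). All resource names are hypothetical.

```hcl
# Added example, not from the issue or the provider docs. Assumes azurerm 2.x/3.x, azuread 3.x,
# and a Terraform principal allowed to create app role assignments on Microsoft Graph.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-function-msi" # hypothetical name
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stfunctionmsi001" # hypothetical; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_app_service_plan" "example" {
  name                = "plan-function-msi" # hypothetical name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  kind                = "FunctionApp"
  sku {
    tier = "Dynamic"
    size = "Y1"
  }
}

# Same shape as the issue: a system-assigned identity on the function app. Azure creates the
# identity's service principal; Terraform exposes its object ID as identity[0].principal_id.
resource "azurerm_function_app" "example" {
  name                       = "function-name" # hypothetical name
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  version                    = "~3"

  identity {
    type = "SystemAssigned"
  }
}

# Microsoft Graph's service principal in this tenant. 00000003-0000-0000-c000-000000000000 is
# Microsoft Graph's well-known application (client) ID and is the same in every tenant.
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

# What azurerm_role_assignment covers: Azure RBAC on an ARM resource (here the storage account).
# This grants nothing in Azure AD / Microsoft Graph.
resource "azurerm_role_assignment" "storage" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_function_app.example.identity[0].principal_id
}

# Microsoft Graph application permissions to grant. Keep the set minimal: the PowerShell in the
# issue also grants User.ReadWrite.All and Directory.ReadWrite.All, which let the function
# rewrite most of the directory.
variable "graph_app_roles" {
  type    = set(string)
  default = ["Group.ReadWrite.All"]
}

# Azure AD application permission (app role) on Microsoft Graph for the managed identity: the
# Terraform equivalent of New-AzureADServiceAppRoleAssignment. app_role_ids is keyed by the
# permission value, so the role GUID does not have to be looked up by hand.
resource "azuread_app_role_assignment" "msgraph" {
  for_each = var.graph_app_roles

  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azurerm_function_app.example.identity[0].principal_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

output "function_identity_principal_id" {
  value = azurerm_function_app.example.identity[0].principal_id
}
```

`terraform apply` creates the function app first, since the identity's principal_id is only known after creation, and then both assignments. Only application permissions (app roles whose AllowedMemberTypes include "Application") can be assigned this way; delegated scopes such as User.Read, proposed with type = "Scope" in the issue, have no meaning for a managed identity because there is no signed-in user behind it. Grant the narrowest app role that does the job: Group.ReadWrite.All already lets the function modify every group in the tenant.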

@yuri-tieto

@petersgiles I tried your PowerShell commands and they work fine (permissions are getting assigned for a UserAssigned Managed Identity), but it doesn't help with being able to use Terraform to manage AD groups or other AD resources. As an example, I get

```
Error: retrieving Azure AD Group with ID "GROUP_ID": graphrbac.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-07-15T09:52:57","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"REQUEST_ID"}}]
```

though I added the "Read and write all groups" permission to the Managed Identity. What works for me is to assign an administrative role to the Managed Identity (in the case of groups, Groups Administrator), and after 15 minutes I am able to create or read groups.

@favoretti
Collaborator

Since this issue has been reported a long time ago and relates to the version of provider we no longer support - I'm going to close it. Please open a new updated bug report on current versions of terraform and provider if this is still relevant. Thank you.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2021