
PIM for Roles #1369

Open
manicminer opened this issue May 8, 2024 · 3 comments
Comments

@manicminer
Contributor

manicminer commented May 8, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support for PIM for Azure AD / Entra ID roles.

New or Affected Resource(s)

TBD

Potential Terraform Configuration

# TBD

References

@philband

I would be happy to provide a PR that provides the functionality to manage directory role policies, which is part of this issue and related #1390.

Implementation Question

So far the provider supports managing azuread_group_role_management_policy, for PIM for Groups. The endpoints and backend for PIM for Entra ID roles are the same as for PIM for Groups, just the parameters differ a bit.
IMHO it would be best to consolidate all of the PIM policy management aspects into a single resource, rather than duplicating nearly all of the code required for a new endpoint.

From a naming perspective, keeping azuread_group_role_management_policy seems misleading - this leads to the following options:

  • Renaming/changing the azuread_group_role_management_policy to something like azuread_pim_policy and changing its interface to be compatible with both PIM for Groups and PIM for Entra ID roles. This would introduce a breaking change.
  • Creating a new resource azuread_pim_policy, which would be able to manage both PIM for Groups and PIM for Entra ID roles policies, and deprecating the old resource.
  • Creating a new resource azuread_directory_role_management_policy and just duplicating the code/finding a smart way to merge it in the provider logic.

Please let me know which solution fits best with the project.

Details

The difference between required backend parameters can be seen in the following table.

| Role Management Policy "type" | scopeId  | scopeType     |
|-------------------------------|----------|---------------|
| PIM for Groups                | Group ID | Group         |
| PIM for Entra ID roles        | "/"      | DirectoryRole |

@mattdot

mattdot commented Sep 4, 2024

While I like the idea of azuread_pim_policy if this were greenfield, I think it's disruptive to existing users. Creating azuread_directory_role_management_policy and just finding a way to share provider logic seems like a better approach given the current state of things.

@petr-stupka

@manicminer what do you think? Can you please take a look into the @philband proposal? Thank you
