How to Manage Active Directory Objects with Azure AD Provider for Terraform

The Azure AD provider for Terraform can be used to manage your Azure Active Directory resources declaratively. This allows you to do things like:

  • Automatically provision users and make sure they belong to the correct groups.
  • Manage Azure compute permissions via Azure AD groups.

Example Usage

The following example shows how to use the Azure AD provider to create a group in Azure AD:

terraform {
 required_providers {
   azuread = {
     source  = "hashicorp/azuread"
     version = "= 1.6.0"
   }
 }
}

resource "azuread_group" "test" {
 display_name = "Test Group"
}

The terraform block at the start pins the version of the provider that we want to use, and the azuread_group resource defines our group.

Authenticating with Azure

The Azure AD provider supports multiple authentication methods, which are outlined in the provider’s documentation. By default, so that you can get up and running quickly, the provider will attempt to obtain your credentials from the Azure CLI (your existing az login session).

While this is fine for experimentation and local testing, for non-interactive scenarios like CI you need to use a Service Principal or a Managed Service Identity.

Permissions

In order to manage your Azure AD objects, the account used by Terraform needs the correct permissions to perform its actions. You can manage these permissions in the Roles and administrators section of Azure AD.

For example, to allow a Service Principal to manage groups, you would add it to the Groups administrator role.

The provider is well documented, and the documentation page for each resource typically carries a notice at the top explaining the permissions that are required to use it.

API Permissions

Another option for Service Principals, instead of granting an administrator role, is to grant them specific API permissions. To do this, first find the AD Application linked to your Service Principal in the App Registrations section.

Go to the API permissions page for the application and click Add a permission.

On the screen that appears, choose the Azure Active Directory Graph API, then choose the permission you want to add.

Before the Service Principal can actually use the permission you just added, there is a final step: granting admin consent. You can do this by clicking the Grant admin consent for <tenant> button displayed above the permissions table.

NOTES:

  • When adding permissions to your Service Principal, you need to add Application permissions rather than Delegated permissions. This means that the Service Principal is allowed to perform the specified actions as itself, rather than on behalf of another user.
  • The set of permissions that you can add via API permissions is quite limited. For example, to create AD groups you need to add the Directory.ReadWrite.All permission, but this will not allow your Service Principal to delete any groups it creates. In order to be able to delete groups, you need to grant it the Group Administrator role, so depending on your requirements there may not be any point in granting API permissions.
  • The Azure AD Terraform provider is switching to the Microsoft Graph API as of version 2.0.0, so after version 2 is released you will need to grant permissions to the Microsoft Graph API instead of to the Azure Active Directory Graph API.
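The same Application permission can be declared in Terraform rather than clicked through in the portal. The following is an added example (not code from the original post); it assumes the azuread 1.x provider pinned above, that its azuread_service_principal data source exposes the app_roles attribute, and that 00000002-0000-0000-c000-000000000000 is the well-known application ID of the Azure Active Directory Graph API:

```hcl
# Added example, not from the original post. Assumes azuread 1.x, where the
# azuread_service_principal data source exports an app_roles list.

# Look up the Azure Active Directory Graph API's own service principal so that
# role names can be resolved to IDs instead of hard-coding GUIDs.
data "azuread_service_principal" "aad_graph" {
  application_id = "00000002-0000-0000-c000-000000000000" # well-known Azure AD Graph app ID
}

locals {
  # Application permissions are exposed as app_roles. "Directory.ReadWrite.All"
  # is the permission the notes above name as needed to create groups.
  directory_readwrite_all = [
    for r in data.azuread_service_principal.aad_graph.app_roles : r.id
    if r.value == "Directory.ReadWrite.All"
  ][0]
}

resource "azuread_application" "automation" {
  display_name = "sp-automation"

  required_resource_access {
    resource_app_id = data.azuread_service_principal.aad_graph.application_id

    resource_access {
      id   = local.directory_readwrite_all
      type = "Role" # "Role" = Application permission; "Scope" would be a Delegated permission
    }
  }
}

resource "azuread_service_principal" "automation" {
  application_id = azuread_application.automation.application_id
}
```

This only records the requested permission on the app registration; admin consent still has to be granted as described above before the Service Principal can actually use it.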

More Examples

Example 1 – Managing Users and Groups

The following example creates two users and two groups, and assigns each user to a group:

resource "azuread_user" "adamc" {
 user_principal_name   = "adamc@mydomain.com"
 display_name          = "Adam Connelly"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_user" "bobd" {
 user_principal_name   = "bobd@mydomain.com"
 display_name          = "Bob Dolton"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_group" "development" {
 display_name = "Development"
 members = [
   azuread_user.adamc.id
 ]
}

resource "azuread_group" "sales" {
 display_name = "Sales"
 members = [
   azuread_user.bobd.id
 ]
}

Example 2 – Creating a Service Principal and granting RBAC permissions

The following example combines the Azure AD provider with the Azure RM provider, allowing you to create a Service Principal and assign it permission to manage certain Azure resources:

# Create an AD Application
resource "azuread_application" "automation" {
 display_name = "sp-automation"
}

# Create a Service Principal from that Application
resource "azuread_service_principal" "automation" {
 application_id               = azuread_application.automation.application_id
 app_role_assignment_required = false
}

# Get information about the configured Azure subscription
data "azurerm_subscription" "primary" {}

# Grant our service principal "Contributor" access over the subscription
resource "azurerm_role_assignment" "automation_contributor" {
 scope                = data.azurerm_subscription.primary.id
 role_definition_name = "Contributor"
 principal_id         = azuread_service_principal.automation.object_id
}
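As an added example (not code from the original post), here is a tighter variant of Example 2 that ties back to the group-based permission management mentioned in the introduction: the Service Principal receives its RBAC permissions through an Azure AD group, and the grant is scoped to a single resource group with a narrower built-in role instead of Contributor over the whole subscription. It assumes a pre-existing resource group named rg-automation (a placeholder name):

```hcl
# Added example, not from the original post. Assumes an existing resource
# group named "rg-automation" (placeholder) in the configured subscription.

resource "azuread_application" "automation" {
  display_name = "sp-automation"
}

resource "azuread_service_principal" "automation" {
  application_id               = azuread_application.automation.application_id
  app_role_assignment_required = false
}

# A security group carries the permissions. Adding or removing automation
# identities later is then a membership change rather than a new role assignment.
resource "azuread_group" "automation" {
  display_name = "automation-vm-operators"
  members      = [azuread_service_principal.automation.object_id]
}

# Scope the grant to one resource group rather than the entire subscription.
data "azurerm_resource_group" "target" {
  name = "rg-automation"
}

# A built-in role limited to virtual machine management, assigned to the group
# (and therefore inherited by the Service Principal) instead of Contributor.
resource "azurerm_role_assignment" "automation_vm_contributor" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Virtual Machine Contributor"
  principal_id         = azuread_group.automation.object_id
}
```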

Conclusion

In this post, we’ve covered what the Azure AD Terraform provider is used for, how to authenticate and grant the correct permissions, as well as showing a few examples of what you can do with it. Hopefully, you’ve found it useful!

If you’re interested in finding out about how you can use Spacelift to manage your Azure resources, check out our Azure documentation. Also, don’t forget that you can easily give Spacelift a free test drive!
