Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
I would like have the ability to control the principal_type value set in all of the module's role assignments, whether implicitly or explicitly (preferably).
Yes, it is a security best practice to utilize Groups instead of assigning individual Users role assignments. Using this module to define and deploy a policy that enforces this concept by blocking creation of role assignments targeting individual users requires that any future role assignments explicitly set the principal_type. However, this module does not expose any mechanism to pass the principal_type or do any internal checks against Entra to determine the appropriate value to set, effectively breaking the module's capability to manage role assignments.
Describe the solution you'd like
At least one of two mechanisms should be provided:
Internally do a lookup to determine the appropriate value and automatically set the principal_type for every role assignment (less consumer impact, but likely more challenging)
Provide an optional attribute in the archetype JSON. If not explicitly provided, default to the existing behavior of not supplying a value to the underlying resource.
This feature request is somewhat related to #864, and it could potentially share a common implementation. However, it could be handled separately if implementation is complex, or there is a desire to keep the functionality independent.
While this request is not currently a blocking issue that would classify it as a bug, it is reasonable to assume this module will require addressing this functionality eventually. The Azure CLI already makes note that this is likely a future breaking change in the REST API with the following message:
RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
Community Note
Description
I would like have the ability to control the
principal_typevalue set in all of the module's role assignments, whether implicitly or explicitly (preferably).Example: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/0783a8a720ed4d950c10006bfa845eb59155f334/resources.role_assignments.tf#L1
Is your feature request related to a problem?
Yes, it is a security best practice to utilize Groups instead of assigning individual Users role assignments. Using this module to define and deploy a policy that enforces this concept by blocking creation of role assignments targeting individual users requires that any future role assignments explicitly set the
principal_type. However, this module does not expose any mechanism to pass theprincipal_typeor do any internal checks against Entra to determine the appropriate value to set, effectively breaking the module's capability to manage role assignments.Describe the solution you'd like
At least one of two mechanisms should be provided:
principal_typefor every role assignment (less consumer impact, but likely more challenging)Additional context
This feature request is somewhat related to #864, and it could potentially share a common implementation. However, it could be handled separately if implementation is complex, or there is a desire to keep the functionality independent.
While this request is not currently a blocking issue that would classify it as a bug, it is reasonable to assume this module will require addressing this functionality eventually. The Azure CLI already makes note that this is likely a future breaking change in the REST API with the following message:
RBAC service might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.