search

hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0
415 stars 280 forks source link

Cannot assign groups to application via service principal #1378

Open zemirco opened 1 month ago

zemirco commented 1 month ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.48.0
+ provider registry.terraform.io/jfrog/artifactory v10.7.4
+ provider registry.terraform.io/jfrog/platform v1.7.2
+ provider registry.terraform.io/jfrog/project v1.5.2

Affected Resource(s)

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "azuread_application" "jfrog" {
  display_name    = "Artifactory SAML SSO + SCIM"
}

resource "azuread_service_principal" "jfrog" {
  client_id = azuread_application.jfrog.client_id
}

locals {
  scim_groups = [
    data.terraform_remote_state.az.outputs.azuread_group_devops,
  ]
}

resource "azuread_app_role_assignment" "jfrog" {
  for_each            = toset(local.scim_groups[*].object_id)
  app_role_id         = "18d14569-c3bd-439b-9a66-3a2aee01d14f"
  principal_object_id = each.key
  resource_object_id  = azuread_service_principal.jfrog.object_id
}

Debug Output

https://gist.github.com/zemirco/07a36d90f68ac65f4ebcbfa420f8a94f

Panic Output

Expected Behavior

I'm able to add / remove groups to my Enterprise Application (so that the group members are able to login via SAML SSO) via my CI/CD pipeline using GitHub Actions by authenticating as a service principal.

This is how it should look like in the end. image

The app registration has the Application.ReadWrite.OwnedBy permission. image

The service principal uses OIDC to connect to our Azure AD. image

Actual Behavior

It all works locally when I run the command as a user.

It does not work when the command runs inside our CI/CD pipeline which is GitHub Actions. Here we're getting the following error.

azuread_app_role_assignment.jfrog["3ef3cd62-73c6-402f-9951-18da865b3776"]: Destroying... [id=ed84d346-a092-46d6-aae2-b04b1da85370/appRoleAssignment/Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA]
β•·
β”‚ Error: Deleting app role assignment for resource "ed84d346-a0[9](***/actions/runs/9064212294/job/24920697658?pr=135#step:6:10)2-46d6-aae2-b04b1da85370" with ID "Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA", got status 403
β”‚ 
β”‚ AppRoleAssignedToClient.BaseClient.Delete(): unexpected status 403 with
β”‚ OData error: Authorization_RequestDenied: Insufficient privileges to
β”‚ complete the operation.
β•΅
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Steps to Reproduce

  1. terraform apply

References

manicminer commented 1 month ago

Hi @zemirco, thanks for reporting this issue. I couldn't say why the DELETE request is being sent without seeing a copy of the plan for this apply, however you will need to assign the AppRoleAssignment.ReadWrite.All app role to your Terraform service principal in order to manage app role assignments. Unfortunately Application.ReadWrite.xyz is not sufficient - as this is a privileged API that technically permits you to add any API permission for any application.

zemirco commented 1 month ago

It finally works. Here is how we did it πŸ₯³

The permission Application.ReadWrite.OwnedBy is enough but the owner has to be set at the App Registration as well as the Enterprise Application.

image

image

Wow :) I'm so glad this finally works as we've spent so many hours on this topic.

Thank you for maintaining the azuread provider.

manicminer commented 1 month ago

Ah that's great, thanks for reporting back! This is easily missed and I'll see if we can call this out more clearly in the docs.

mysticrenji commented 2 weeks ago

Glad that it is sorted @zemirco. :)