Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Enable management of Azure AD Access Reviews through Terraform. The relevant API endpoints and resources are stable and documented here.
New or Affected Resource(s)
azuread_access_review (mapping to accessReviewScheduleDefinition in the API)
Potential Terraform Configuration
The API resources are constructed in a very generic way and don't align well with how Terraform resources are usually configured (IMO). So, the provider should have some translation layer to enable resources such as the ones that follow:
```hcl
resource "azuread_group_access_review" "this" {
  name                 = "Annual Review of Group Membership"
  scope                = "00000000-0000-0000-0000-000000000000"
  admin_description    = "Annual review of membership in ABC"
  reviewer_description = "Please review membership in the ABC Group and determine whether any users should be removed."

  # Ideally, `reviewers` would accept either the special strings `owners` or
  # `self` (for group owners and group members themselves, respectively) or a
  # list of user principal names.
  reviewers = ""

  # Number of days that each access review instance will take
  duration = 7

  # Access reviews can be one-time or recurring. Ideally, they're set as
  # recurring if a `recurrence` block is included in the resource and as
  # one-time otherwise. See the `recurrencePattern` resource documentation for
  # available parameter combinations.
  #
  # The example below is for a review that starts on the first Monday of June
  # each year. (Or should, anyway...)
  recurrence {
    type         = "relative_yearly"
    interval     = 1
    month        = 6
    days_of_week = ["monday"]

    range {
      # Alternatively, `type` could be set to `endDate` (and an `end_date`
      # parameter would be required) or `numbered` (and an `occurrences`
      # parameter would be required).
      type = "noEnd"
    }
  }

  auto_apply              = true             # Auto-apply reviewer decisions, including default decisions (if any)
  default_decision        = "recommendation" # Set to `null` for no default decision; set to `allow` or `deny` as alternative default decisions
  enable_recommendations  = true
  enable_notifications    = true
  enable_reminders        = true
  require_justification   = true
  enable_decision_history = false
}
```
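One way the translation layer requested above could map the proposed arguments onto an `accessReviewScheduleDefinition` request body, as an added example that is not part of the original issue or the provider's code. The `Review` struct, `ToDefinition`, modelling `reviewers` as a string list, rejecting an empty `reviewers` value, and passing a UPN in the `/users/` query are assumptions of this example; recurrence is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Review holds a subset of the arguments proposed in the issue (hypothetical schema).
type Review struct {
	Name, GroupID, DefaultDecision string
	Reviewers                      []string // ["owners"], ["self"], or user principal names
	Duration                       int
	AutoApply                      bool
}
type obj = map[string]interface{}

// ToDefinition builds an accessReviewScheduleDefinition request body for Microsoft Graph.
func ToDefinition(r Review) (obj, error) {
	decisions := map[string]string{"allow": "Approve", "deny": "Deny", "recommendation": "Recommendation"}
	settings := obj{"instanceDurationInDays": r.Duration, "autoApplyDecisionsEnabled": r.AutoApply, "defaultDecisionEnabled": r.DefaultDecision != ""}
	if d, ok := decisions[r.DefaultDecision]; ok {
		settings["defaultDecision"] = d
	} else if r.DefaultDecision != "" {
		return nil, fmt.Errorf("unsupported default_decision %q", r.DefaultDecision)
	}
	if len(r.Reviewers) == 0 { // fail closed: a self-review must be requested explicitly
		return nil, fmt.Errorf("reviewers must be \"owners\", \"self\" or a list of users")
	}
	reviewers := []obj{} // an empty list in the request means members review themselves
	for _, v := range r.Reviewers {
		switch {
		case (v == "self" || v == "owners") && len(r.Reviewers) > 1:
			return nil, fmt.Errorf("%q cannot be combined with other reviewers", v)
		case v == "self": // leave the list empty
		case v == "owners":
			reviewers = append(reviewers, obj{"query": "/groups/" + r.GroupID + "/owners", "queryType": "MicrosoftGraph"})
		default: // assumption: the UPN is usable in place of the user's object ID
			reviewers = append(reviewers, obj{"query": "/users/" + v, "queryType": "MicrosoftGraph"})
		}
	}
	return obj{"displayName": r.Name, "reviewers": reviewers, "settings": settings,
		"scope": obj{"@odata.type": "#microsoft.graph.accessReviewQueryScope",
			"query": "/groups/" + r.GroupID + "/transitiveMembers", "queryType": "MicrosoftGraph"}}, nil
}

func main() { // constructed sample input, using the placeholder group ID from the issue
	def, err := ToDefinition(Review{Name: "Annual Review of Group Membership", GroupID: "00000000-0000-0000-0000-000000000000", Reviewers: []string{"owners"}, DefaultDecision: "recommendation", Duration: 7, AutoApply: true})
	out, _ := json.MarshalIndent(def, "", "  ")
	fmt.Println(string(out), err)
}
```

With `auto_apply = true`, a default decision of `allow` keeps any access that no reviewer looked at, so a provider could reasonably warn on that combination.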