Support for azurerm_pim_eligible_role_assignment condition

[isehuetdk]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

I would like to add conditions to my PIM assignment as in https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleeligibilityschedulerequests?pivots=deployment-language-terraform to restrict certain permissions, e.g. allow access management for high privileged roles.

This feature is currently not supported in azurerm_pim_eligible_role_assignment version 3.97.1.

Also added as request/note here https://github.com/hashicorp/terraform-provider-azurerm/issues/23458#issuecomment-1954334534

Using the azapi to deploy this using "Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview" does not resolve the issue due to https://github.com/hashicorp/terraform-provider-azurerm/issues/22513 that throws an error 400 when redeploying an existing PIM assignment. Furthermore, the API does not support destroy function to remove the assignment through code.

New or Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Potential Terraform Configuration

resource "azurerm_pim_eligible_role_assignment" "example" {
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.example.id}"
  principal_id       = data.azurerm_client_config.example.object_id

  schedule {
    start_date_time = time_static.example.rfc3339
    expiration {
      duration_hours = 8
    }
  }

  justification = "Expiration Duration Set"

  ticket {
    number = "1"
    system = "example ticket system"
  }

  condition = "<condition>"
  condition_version = "2.0"
}

References

No response

[isehuetdk]

Module azurerm_role_assignment already supports this functionality.

[sgrinker303]

This should be added for both eligible and active PIM assignments. As already mentioned, it is included in standard role assignments.

[jkroepke]

I need this functionality as well. I can offer a Pull Request, if no one is already on it.