microsoft / PubSec-Info-Assistant

Information Assistant, built with Azure OpenAI Service, Industry Accelerator
MIT License

Make EntraID and RoleAssignments able to be disabled via config #899

Open KevinDMack opened 3 weeks ago

KevinDMack commented 3 weeks ago

Is your feature request related to a problem? Please describe.

Right now, as intended, the Terraform scripts deploy not only the infrastructure, but also the EntraID Service Principals and Role Assignments required to run the info-assistant. This is problematic for customers who are running in highly controlled environments, as they may or may not have the ability to create Service Principals or Role Assignments.

For these environments, right now we just see the deployment fail, without any guidance for customers on what to do next.

Describe the solution you'd like

So it would be ideal if there was a configuration option in the local.env file named DEPLOY_ENTRA_ID_AND_ROLE_ASSIGNMENTS, which defaults to true, but can be flipped to false in these situations.

If the bit is "true", it would continue and deploy as it does today.

If the bit is "false", it would deploy all of the infrastructure and then provide details on the Service Principals and role assignments that need to be performed by someone with higher-level permissions.

Describe alternatives you've considered

I know the default is "this should be run by someone with that level of rights," but that's just not practical in these situations, as really once the Service Principals and roles are assigned, the customer can iterate on this without making changes to them.

Additional context

I'm also happy to assist with this, and it has the opportunity to help several customers.

dayland commented 3 weeks ago

This is documented here... https://github.com/microsoft/PubSec-Info-Assistant/blob/main/docs/deployment/manual_app_registration.md

I am going to leave this ticket open as finding this documentation is not as easy as it could be, so we will work to provide better access to this.