search

microsoft / terraform-provider-power-platform

Power Platform Terraform Provider
https://registry.terraform.io/providers/microsoft/power-platform/latest/docs
MIT License
35 stars 13 forks source link

We need documentation on how to create application users (S2S) with data_record resource #414

Closed webstean closed 1 month ago

webstean commented 2 months ago

Description

19 says, we should be using the data_record resource to manage application users/S2S, but how to do this isn't documented anywhere, as the project won't be created an "application_user" resource.

I## Definition of Done

Contributions

Do you plan to raise a PR to address this issue? NO?

See the contributing guide for more information about what's expected for contributions.

mattdot commented 2 months ago

Here's an example of a module we used on a project. We're still figuring out if we want to publish a module's repo or just document them in this one.

data "powerplatform_security_roles" "all_roles" {
  business_unit_id = var.businessunitid
  environment_id   = var.environment_id
}

data "powerplatform_environments" "envs" {
}

locals {
  selected_roles = [for role in coalesce(data.powerplatform_security_roles.all_roles.security_roles, []) : role.role_id if contains(var.roles, role.name)]
}

resource "powerplatform_data_record" "app_user" {
  table_logical_name = "systemuser"
  environment_id     = var.environment_id
  columns = {
    applicationid = var.applicationid
    businessunitid = {
      table_logical_name = "businessunit"
      data_record_id     = var.businessunitid
    }
    systemuserroles_association = tolist([for rid in local.selected_roles : { table_logical_name = "role", data_record_id = tostring(rid) }])
    isdisabled                  = false
  }
}

locals {
  dataverse_url = one([for e in data.powerplatform_environments.envs.environments : e.dataverse.url if e.id == var.environment_id])
}

resource "powerplatform_rest" "user_disable_on_destroy" {
  destroy = {
    scope                = "${local.dataverse_url}.default"
    method               = "PATCH"
    url                  = "${local.dataverse_url}api/data/v9.2/systemusers(${powerplatform_data_record.app_user.id})"
    expected_http_status = [200, 204]
    body = jsonencode({
      isdisabled    = true
      applicationid = var.applicationid
    })
  }
  depends_on = [powerplatform_data_record.app_user]
}
mawasile commented 2 months ago

@webstean as Matt mentioned we are working on a modules that will encapsulate all those business level operations but if you are building a bigger end to end setup feel free to contribute it to https://github.com/microsoft/power-platform-terraform-quickstarts

webstean commented 2 months ago

Thinking about it, the above seems like a lot of code for creating objects that most non-trivial implementations are always going to need. Is there an option for a new dedicated resource to be added to provider to create application user objects?

mawasile commented 2 months ago

our general "rule of thumb", is that for objects that can be created only by calling WebAPI we prefer to have them created fully in hcl rather than natively in provider. We created powerplatform_record and powerplatform_rest resources (also) for that. With that approach we can change and release new functionalities without releasing new provider. Also more people can contribute to changes that are in hcl only rather than provider's go code.

webstean commented 2 months ago

Was reviewing the above, I don't see away to determine the value of the businessunitid (aka the root business unit) within each environment with the current version of the provider, do you have sample/module for this? The doc: https://learn.microsoft.com/en-us/power-platform/admin/create-edit-business-units says that "The organization (also known as the root business unit) is the top level of a business unit hierarchy ". I tried using the organization id from environment resource, the apply failed with:

with powerplatform_data_record.terraform_user["coe"],
│   on powerapps-application-s2s-users.tf line 59, in resource "powerplatform_data_record" "terraform_user":
│   59: resource "powerplatform_data_record" "terraform_user" {
│ 
│ status: 404, message: {"error":{"code":"0x[80](https://github.com/lxxxxxxxxxxxxxxxxxxxxjob/29910500608#step:9:81)040217","message":"Entity
│ 'businessunit' With Id = 2a67e376-e66b-ef11-a66d-002248942cc5 Does Not
│ Exist"}}

The code is:

resource "powerplatform_data_record" "terraform_user" {
  for_each = powerplatform_environment.environments

  table_logical_name = "systemuser"
  environment_id     = each.value.id
  columns = {
    applicationid = data.azuread_client_config.current.client_id
    businessunitid = {
      table_logical_name = "businessunit"
      data_record_id     = each.value.dataverse.organization_id
    }
    systemuserroles_association = tolist([for rid in local.selected_roles : { table_logical_name = "role", data_record_id = tostring(rid) }])
    isdisabled                  = false
  }
}
mattdot commented 2 months ago 
data "powerplatform_data_records" "business_unit_root" {
  environment_id    = var.environment_id
  entity_collection = "businessunits"
  filter            = "_parentbusinessunitid_value eq null"
  select            = ["businessunitid", "name"]
}