Feature Tracker - EntitlementManagement - AccessPackages #547

Closed
6 tasks done
kaovd opened this issue Sep 2, 2021 · 14 comments · Fixed by #903

Comments

@kaovd

kaovd commented Sep 2, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Leaving a feature tracker here to get feedback / +1s as well as to track progress when downstream work starts

New or Affected Resource(s)

Credit to @stanleyz for reviving this effort, implementing all the code below and getting upstream bugfixes merged to make this possible.

(In order of dependencies)

  • azuread_access_package_catalog
  • azuread_access_package
  • azuread_access_package_assignment_policy
  • azuread_access_package_resource_catalog_association
  • azuread_access_package_resource_package_association

Current Issues (Taken from #903 )

There is no valid MS Graph API to delete the resource roles from an access package, hence they can't be deleted programmatically and would require manual deletion.

Potential Terraform Configuration

# %[1]d is a placeholder from the provider's Go acceptance-test template (random suffix)
resource "azuread_group" "test_group" {
  display_name     = "test-access-package-resource-catalog-association-%[1]d"
  security_enabled = true
}

resource "azuread_access_package_catalog" "test_catalog" {
  display_name = "test-catalog-%[1]d"
  description  = "Test catalog %[1]d"
}

resource "azuread_access_package_resource_catalog_association" "test" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = azuread_group.test_group.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package" "test" {
  display_name = "test-package-%[1]d"
  description  = "Test Package %[1]d"
  catalog_id   = azuread_access_package_catalog.test_catalog.id
}

resource "azuread_access_package_resource_package_association" "test" {
  access_package_id               = azuread_access_package.test.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.test.id
}

data "azuread_group" "example" {
  display_name     = "myexamplegroup"
  security_enabled = true
}

data "azuread_group" "example_2" {
  display_name     = "myexamplegroup_2"
  security_enabled = true
}

data "azuread_group" "example_3" {
  display_name     = "myexamplegroup_3"
  security_enabled = true
}

data "azuread_group" "example_4" {
  display_name     = "myexamplegroup_4"
  security_enabled = true
}

resource "azuread_access_package_catalog" "example" {
  display_name = "My Access package catalog"
  description  = "Created by terraform"
}

resource "azuread_access_package_resource_request" "example" {
  access_package_catalog_id = azuread_access_package_catalog.example.id
  access_package_resource {
    origin_id     = data.azuread_group.example.id
    origin_system = "AadGroup" // One of AadGroup, SharePointOnline, Application
  }
}

resource "azuread_access_package_resource_request" "example_2" {
  access_package_catalog_id = azuread_access_package_catalog.example.id
  access_package_resource {
    origin_id     = data.azuread_group.example_2.id
    origin_system = "AadGroup" // One of AadGroup, SharePointOnline, Application
  }
}

resource "azuread_access_package" "example" {
  access_package_catalog_id = azuread_access_package_catalog.example.id
  display_name              = "My Access Package"
  description               = "Created by terraform"
  is_hidden                 = false
  is_role_scopes_visible    = false

  role_scope {
    resource = azuread_access_package_resource_request.example
    role     = "Member" // Either Member or Owner for an AAD group
  }

  role_scope {
    resource = azuread_access_package_resource_request.example_2
    role     = "Member" // Either Member or Owner for an AAD group
  }
}

resource "azuread_access_package_assignment_policy" "example" {
  access_package_id = azuread_access_package.example.id
  display_name      = "My AP Policy"
  description       = "Created by terraform"
  can_extend        = true

  requestor_settings {
    scope_type      = "SpecificDirectorySubjects"
    accept_requests = true
    allowed_requestor {
      id          = data.azuread_group.example_3.id
      description = "AP Users"
    }
    allowed_requestor {
      id          = "00000000-0000-0000-0000-000000000000"
      description = "secondary user"
    }
  }

  requestor_approval_settings {
    is_approval_required                = true
    is_approval_required_for_extension  = true
    is_requestor_justification_required = true
    approval_mode                       = "Serial" // One of NoApproval, SingleStage or Serial. NoApproval is used when is_approval_required is false.

    approval_stage { // There can be at most two of these
      timeout_in_days                    = 30
      is_approver_justification_required = true
      is_escalation_enabled              = true
      escalation_time_in_minutes         = 90
      primary_approver {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "secondary user"
        is_backup   = false
      }

      primary_approver {
        id          = data.azuread_group.example_4.id
        description = "Backup Approver"
        is_backup   = true
      }

      escalation_approvers {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "escalation user"
        is_backup   = false
      }
    }

    approval_stage { // There can be at most two of these
      timeout_in_days                    = 30
      is_approver_justification_required = true
      is_escalation_enabled              = true
      escalation_time_in_minutes         = 90
      primary_approver {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "secondary user"
        is_backup   = false
      }

      primary_approver { // Requires an ID or manager level here; manager level is not yet in the SDK, plan to implement once the base implementation is reached
        id          = data.azuread_group.example_4.id
        description = "Backup Approver"
        is_backup   = true
      }

      escalation_approvers {
        id          = "00000000-0000-0000-0000-000000000000"
        description = "escalation user"
        is_backup   = false
      }
    }
  }

  approval_question { // No real restriction on the number of these
    is_required = true
    sequence    = 1
    text {
      default = "Why do you want this"
      localization {
        text          = "Why do you want this"
        language_code = "GB"
      }
      localization {
        text          = "Warum willst du das"
        language_code = "DE"
      }
    }
  }

  approval_question {
    is_required = true
    sequence    = 2
    text {
      default = "Why do you want this 2"
      localization {
        text          = "Why do you want this 2"
        language_code = "GB"
      }
      localization {
        text          = "Warum willst du das 2"
        language_code = "DE"
      }
    }
  }
}

References

manicminer/hamilton#92
manicminer/hamilton#93
#903
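The approval rules embedded as comments in the proposed assignment-policy schema above (one approval_mode out of three, at most two approval stages, NoApproval only when approval is not required), checked over a constructed policy dict. This is an added example, not provider or issue code: field names mirror the proposed HCL, and the per-stage rules (a live primary approver, escalation needs approvers and a positive delay) are assumptions.

```python
"""Consistency checks for the approval rules sketched in the proposed
azuread_access_package_assignment_policy schema. Added example, not provider
code: the policy is a plain dict mirroring the proposed HCL blocks. The
approval_mode values and two-stage limit come from the issue's comments; the
per-stage rules are assumptions about what a sane policy should satisfy.
"""

APPROVAL_MODES = {"NoApproval", "SingleStage", "Serial"}
MAX_STAGES = 2  # "There can only be maximum two of these"


def validate_policy(policy: dict) -> list[str]:
    """Return findings for an assignment policy; empty means it is consistent."""
    findings = []
    approval = policy.get("requestor_approval_settings", {})
    mode = approval.get("approval_mode")
    required = bool(approval.get("is_approval_required", False))
    stages = approval.get("approval_stage", [])

    if mode not in APPROVAL_MODES:
        findings.append(f"approval_mode must be one of {sorted(APPROVAL_MODES)}, got {mode!r}")
    # NoApproval is the mode used when is_approval_required is false, and only then
    elif (mode == "NoApproval") == required:
        findings.append(f"is_approval_required={required} conflicts with approval_mode={mode}")
    if mode == "NoApproval" and stages:
        findings.append("NoApproval must not define approval_stage blocks")
    if mode == "SingleStage" and len(stages) != 1:
        findings.append("SingleStage needs exactly one approval_stage")
    if mode == "Serial" and not 1 <= len(stages) <= MAX_STAGES:
        findings.append(f"Serial needs 1 to {MAX_STAGES} approval_stage blocks, got {len(stages)}")

    for n, stage in enumerate(stages, 1):
        # every stage needs at least one approver who is not merely a backup
        if not any(not a.get("is_backup", False) for a in stage.get("primary_approver", [])):
            findings.append(f"approval_stage {n}: no non-backup primary_approver")
        if stage.get("is_escalation_enabled"):
            if not stage.get("escalation_approvers"):
                findings.append(f"approval_stage {n}: escalation enabled without escalation_approvers")
            if stage.get("escalation_time_in_minutes", 0) <= 0:
                findings.append(f"approval_stage {n}: escalation_time_in_minutes must be positive")
    return findings


# Constructed sample mirroring the issue's policy: two serial stages with escalation.
STAGE = {"timeout_in_days": 30, "is_escalation_enabled": True, "escalation_time_in_minutes": 90,
         "primary_approver": [{"id": "approver-group-id", "is_backup": False},
                              {"id": "backup-group-id", "is_backup": True}],
         "escalation_approvers": [{"id": "escalation-user-id", "is_backup": False}]}
GOOD_POLICY = {"requestor_approval_settings": {"is_approval_required": True,
               "approval_mode": "Serial", "approval_stage": [STAGE, STAGE]}}
```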

@kaovd
Author

kaovd commented Dec 11, 2021

Bit of an update - had a bit of a hiatus on this but have been waiting to see where the specification ends up on the MS side, as some beta endpoints (resource request & role scope) are extremely idempotent.

Instead I will push this in two parts: first Catalogs, Access Package and Assignments, then resource and role scopes. The first half is effectively done; just some debugging is needed.

In the meantime, for role and resource scopes you will likely be able to work around this with script provisioners for these and use Terraform for the primary bits and policy.

@sigurdfalk

@kaovd any progress on this one? 🙏🏻

@kaovd
Author

kaovd commented Jan 26, 2022

@sigurdfalk Some upstream fixes have been merged; just waiting for the hamilton release so I can get the changes in, but AccessPackages, catalogs and policy are pretty much finalized.

@manicminer
Member

@kaovd You beat me to it, your upstream PR is now released! Thanks for your work on this! :D

@MortyN

MortyN commented Feb 15, 2022

The upstream PR in this case is for Hamilton, correct @manicminer? Is there anything else from Microsoft that is blocking progress? Eager to get a status update :D @kaovd, thanks for the work that has already been done.

@QuduSEC

QuduSEC commented Jun 22, 2022

Hello people! It seems there are no more blockers! Looking forward to it!

@kaovd
Author

kaovd commented Aug 10, 2022

@QuduSEC see the linked PR Fix, this is still blocked by manicminer/hamilton#156

@seanhoughton

It looks like manicminer/hamilton#156 has been merged, are there any more blockers?

@sGrindvoll

Any updates on the progress of this one? Any blockers left? Waiting eagerly for the release of this feature :D

@jdelforno

Any updates on the progress of this one? Any blockers left? Waiting eagerly for the release of this feature :D

I'm wondering if there's any worth in investing time in a Terraform/ARM hybrid if the Graph API has been implemented.

@mariussm

@jdelforno, you are mixing PIM and Entitlement Management now, aren't you? Of course we need to handle access packages using Terraform, even though it is available through the Microsoft Graph.

I see someone has linked both a Bicep issue, the PIM issue (68) and other stuff, but this has nothing to do with access packages whatsoever.

@sikksakk

sikksakk commented Mar 13, 2023

Agree with @mariussm here; I too believe this should be possible to handle with Terraform :) Is there anything we can contribute to push this forward?

@golnaz-gohari

Waiting for the release of this feature.

@github-actions

This functionality has been released in v2.37.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 13, 2024