Terraform v0.11.5
Please list the resources as a list, for example:
azurerm_role_assignment
azurerm_role_definition
Issue #286 attempted to address this issue, but I think it was closed too quickly. I would like terraform for Azure to support more Active Directory features. The list would include creating Active Directory users, groups, and then being able to assign roles to those resources.
Currently, role definition and assignment have been addressed as mentioned in #286; however, as far as I know, I do not know how to assign roles to groups and users I have created via terraform. It would be great if there was a way to support Active Directory resources with azurerm_group and azurerm_user resources. 
Not sure if these are on your road map, and I know firsthand that programmatic access for Azure Active Directory is lacking at this time. Not even Azure Resource Manager supports these options. Just wanted to bring this up to see how others are addressing this and make sure it's known that there is demand for it. Thanks.
hi @danielhelfand
Thanks for opening this issue :)
Issue #286 attempted to address this issue, but I think it was closed too quickly. I would like terraform for Azure to support more Active Directory features. The list would include creating Active Directory users, groups, and then being able to assign roles to those resources.
Terraform currently supports Role Assignments within Azure (e.g. assigning a User to a specific Role within Azure) - but given there's no API available for provisioning Groups or Users via Azure Active Directory, unfortunately we'd be unable to support this at this time.
I'd argue that Terraform probably isn't the right tool to be managing Users (in particular Active Directory users, where it's common to have hundreds/thousands of users in a given Organizational Unit) - there's some hidden complexities regarding how users and passwords are handled too - so whilst Terraform may be able to do something were an API available - I don't think we'd add support for this in the Provider if I'm honest.
Not sure if these are on your road map, and I know firsthand that programmatic access for Azure Active Directory is lacking at this time. Not even Azure Resource Manager supports these options
Unfortunately since Terraform makes use of the Resource Manager APIs via the Azure SDK for Go - we're unable to implement support for a feature if there's no matching Resource Manager API. For the reasons outlined above we'd be unable to support this functionality within Terraform and as such I'm going to close this issue for the moment.
Thanks!
@tombuildsstuff, To follow up here, is there any way to assign roles to an AD Group via terraform using the azurerm_role_assignment?
@danielhelfand no - the azurerm_role_assignment resource is used for assigning a given user to a Role (e.g. Owner, Contributor, Reader) within an Azure subscription, rather than AD Groups unfortunately.
@tombuildsstuff Gotcha, thanks for the clarification. Assuming this is true for azurerm_role_definition as well in terms of assigning roles to groups. I'll try and do some more research on approaches for this and follow up here.
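For readers landing here for the two resources the thread does mention, the following is an added example (not code from the issue or from the provider's own docs) of what the provider supported at the time: a custom role definition with an explicit, wildcard-free action list, assigned at resource-group scope rather than at the subscription. It is written in Terraform 0.11 syntax to match the version in the report. The subscription, resource group name, role name and the `operator_object_id` variable are placeholders, and the principal is assumed to be the object ID of a user or service principal, not an AD group, consistent with the maintainer's answer above.

```hcl
# Added example, not from the issue. Placeholders: resource group name, role
# name and the operator_object_id variable. Attribute names follow the 1.x
# azurerm provider schema for azurerm_role_definition / azurerm_role_assignment.

variable "operator_object_id" {
  description = "Object ID of the user or service principal to assign (placeholder)"
}

data "azurerm_subscription" "primary" {}

resource "azurerm_resource_group" "app" {
  name     = "rg-app-example"
  location = "westeurope"
}

# Custom role: read the resource group and its VMs, and restart VMs.
# No wildcard actions, and not_actions is left empty so the grant is
# exactly the three listed operations.
resource "azurerm_role_definition" "vm_operator" {
  name  = "vm-operator-example"
  scope = "${data.azurerm_subscription.primary.id}"

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/restart/action",
    ]

    not_actions = []
  }

  # The role can only ever be assigned inside this resource group, so a
  # later assignment cannot silently widen it to the whole subscription.
  assignable_scopes = [
    "${azurerm_resource_group.app.id}",
  ]
}

# Bind the custom role to a single principal at resource-group scope.
resource "azurerm_role_assignment" "vm_operator" {
  scope              = "${azurerm_resource_group.app.id}"
  role_definition_id = "${azurerm_role_definition.vm_operator.id}"
  principal_id       = "${var.operator_object_id}"
}
```

Two things worth checking after `terraform apply`: that `assignable_scopes` really is narrower than the definition's `scope` (the definition has to live at or above every scope it can be assigned to, which is why it is created at the subscription), and that the assignment's `scope` is the resource group and not the subscription, since a subscription-scope assignment of even a narrow role is the mistake most often found in review.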
@tombuildsstuff as far as I can tell, the APIs are all there in the Azure SDK for Go to manage Active Directory objects in the https://github.com/Azure/azure-sdk-for-go/tree/master/services/graphrbac/1.6/graphrbac directory but maybe that's what you meant by "Resource Manager API" - it is true that these belong to the Azure Graph API.
@tombuildsstuff as far as I can tell, the APIs are all there in the Azure SDK for Go to manage Active Directory objects in the https://github.com/Azure/azure-sdk-for-go/tree/master/services/graphrbac/1.6/graphrbac
Indeed. What's missing here is an implementation of Graph API. I guess that's a lot of work.
I have some issues open with Azure SDK for Go around this. The first issue is with azure-sdk-for-go. The second issue is with azure-sdk-for-go-samples asking for an example of how to utilize the Graph API. 
Not sure where they are with these issues, but it looks like they are in progress. Feel free to ask questions or weigh in with those issues.
Hi @danielhelfand,
I do not know enough of those internals, yet.
But as far as I understand #1727 there's already everything in place for Azure SDK for Go (as @perbergland also said before).
What's unclear to me is the GraphRBAC thing. Does this API simply describe the management of graph related aspects of Active Directory or is this to be understood synonymously for the Microsoft.AAD resource?
@tombuildsstuff
I'd argue that Terraform probably isn't the right tool to be managing Users (in particular Active Directory users, where it's common to have hundreds/thousands of users in a given Organizational Unit) - there's some hidden complexities regarding how users and passwords are handled too - so whilst Terraform may be able to do something were an API available - I don't think we'd add support for this in the Provider if I'm honest.
I agree and disagree here. I think you're 100% right regarding Terraform dealing with users, but groups are a different story imo. I want to be able to spin up resources and create a group and group assignments via terraform, but (as you say) I don't trust Terraform to store my user's passwords. Adding groups and not users would allow for RBAC via TF without the security caveats.
The API is currently available as @perbergland says. https://github.com/Azure/azure-sdk-for-go/tree/master/services/graphrbac/1.6/graphrbac
I as well have come to understand why it makes sense to not have terraform manage users in Azure. However, I am curious then why this is available in the terraform AWS provider. What made this a good use case for AWS?
I'm managing AWS IAM users in Terraform. And I was hoping to be able to do the same in Azure (particularly to modularise some of that so I only have to define the users once). Am not storing passwords in Terraform, though, and - I know I should be using a SAML solution instead, but I'm dealing with a lot of legacy stuff and taking it one step at a time.
So I certainly appreciate the functionality being available in the AWS provider - and would love it being available in the Azure provider too. Whether I'll keep using it forever is another story, but it certainly helps having it available now!
@lfshr
I agree and disagree here. I think you're 100% right regarding Terraform dealing with users, but groups are a different story imo. I want to be able to spin up resources and create a group and group assignments via terraform, but (as you say) I don't trust Terraform to store my user's passwords. Adding groups and not users would allow for RBAC via TF without the security caveats.
I'd tend to agree with Groups and Group assignments - however (if we look past the password issue mentioned above for a moment) the other issue is how we'd test this.
Every Data Source and Resource in the Provider has a set of Acceptance Tests which run to create and tear down Resources to ensure they work. While we could do this for Azure AD Groups (since spinning up another group is isolated) - testing an Azure AD User/Group Assignment is considerably more complicated as it'd require a User to exist (either by creating a new user, where there's potentially an email involved - or to use a long running test user, which would need to ensure the cleanup is done correctly).
That's not to say this isn't possible to work around - but we're unable to ship a Data Source/Resource without tests; and there's some complications to think through here for those two resources in particular.
@tombuildsstuff Hey, since the blocker has been removed for this, can this FR be reopened for group management?
Totally get why there's no plans to do Users, but provisioning groups would be real handy.
Hey @bytemech,
There actually was a PR for AD Groups, but, last I had read in the PR, there is going to be a separate provider for Azure AD resources. The last comment in the PR should hopefully explain more.
@bytemech as @danielhelfand has mentioned this is being split out into its own provider and more info can be found here: https://github.com/terraform-providers/terraform-provider-azurerm/issues/2322
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!