Base configuration for using Terraform to manage the SSO Application
# Shared values for the TFE (Terraform Enterprise) SSO app registration.
locals {
  # Display name of the Azure AD application and the URL it advertises.
  tfe_application_name = "tfe"
  tfe_application_url  = "https://tfe.company.com"

  # Redirect (reply) URL registered for the SPN.
  spn_url = "https://some_url.com"

  # TFE team names; each one becomes an app role on the application.
  # The role's `value` must match the TFE team name exactly.
  tfe_teams = [
    "app1-team-dev",
    "app1-team-admin",
    "app2-team-dev",
    "app3-team-admin",
  ]
}
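# Azure AD application registration used for TFE SSO.
#
# App roles are generated from local.tfe_teams so that assigning a user to a
# role in Azure AD maps onto the TFE team of the same name (the role `value`
# is the team name). A static "site-admins" role is kept in addition to the
# team-derived ones.
resource "azuread_application" "tfe" {
  name     = local.tfe_application_name
  homepage = local.tfe_application_url

  # Native / public client; the only registered redirect target is the SPN URL.
  type          = "native"
  public_client = true
  reply_urls    = [local.spn_url]

  # NOTE(review): implicit flow returns tokens in the URL fragment. Keep it
  # enabled only if the TFE SSO integration actually requires it; the
  # authorization-code flow is the safer default for a public client.
  oauth2_allow_implicit_flow = true

  # Include every group the user belongs to in the token. For large tenants
  # this can hit the groups-claim limit; left as "All" to preserve behaviour.
  group_membership_claims = "All"

  # Permissions requested against Microsoft Graph.
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    # NOTE(review): every resource_access.id below equals the Graph application
    # id above rather than the id of a specific Graph permission (Scope =
    # delegated, Role = application), and the two Scope entries are identical.
    # Values are kept verbatim; replace them with the intended permission ids
    # and drop the duplicate.
    resource_access {
      id   = "00000003-0000-0000-c000-000000000000"
      type = "Scope"
    }
    resource_access {
      id   = "00000003-0000-0000-c000-000000000000"
      type = "Scope"
    }
    resource_access {
      id   = "00000003-0000-0000-c000-000000000000"
      type = "Role"
    }
  }

  # One app role per TFE team, with the static "site-admins" role prepended.
  # Fix: the former static site-admins block had `description` and
  # `display_name` swapped relative to the generated roles (display_name held
  # the "Role mapping to TFE Team ..." text); all roles now share one layout.
  dynamic "app_role" {
    for_each = concat(["site-admins"], local.tfe_teams)
    content {
      allowed_member_types = ["User"]
      description          = format("Role mapping to TFE Team %s", app_role.value)
      display_name         = app_role.value
      value                = app_role.value # Maps to TFE Team Name
      is_enabled           = true
    }
  }
}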
# `terraform plan`
#
# # azuread_application.tfe will be created
# + resource "azuread_application" "tfe" {
#     + application_id             = (known after apply)
#     + group_membership_claims    = "All"
#     + homepage                   = "https://tfe.company.com"
#     + id                         = (known after apply)
#     + identifier_uris            = (known after apply)
#     + name                       = "tfe"
#     + oauth2_allow_implicit_flow = true
#     + object_id                  = (known after apply)
#     + owners                     = (known after apply)
#     + public_client              = true
#     + reply_urls                 = [
#         + "https://some_url.com",
#       ]
#     + type                       = "native"
#     + app_role {
#         + allowed_member_types = [
#             + "User",
#           ]
#         + description          = "Role mapping to TFE Team app1-team-admin"
#         + display_name         = "app1-team-admin"
#         + id                   = (known after apply)
#         + is_enabled           = true
#         + value                = "app1-team-admin"
#       }
#     + app_role {
#         + allowed_member_types = [
#             + "User",
#           ]
#         + description          = "Role mapping to TFE Team app1-team-dev"
#         + display_name         = "app1-team-dev"
#         + id                   = (known after apply)
#         + is_enabled           = true
#         + value                = "app1-team-dev"
#       }
#     + app_role {
#         + allowed_member_types = [
#             + "User",
#           ]
#         + description          = "Role mapping to TFE Team app2-team-dev"
#         + display_name         = "app2-team-dev"
#         + id                   = (known after apply)
#         + is_enabled           = true
#         + value                = "app2-team-dev"
#       }
#     + app_role {
#         + allowed_member_types = [
#             + "User",
#           ]
#         + description          = "Role mapping to TFE Team app3-team-admin"
#         + display_name         = "app3-team-admin"
#         + id                   = (known after apply)
#         + is_enabled           = true
#         + value                = "app3-team-admin"
#       }
#     + app_role {
#         + allowed_member_types = [
#             + "User",
#           ]
#         + description          = "site-admins"
#         + display_name         = "Role mapping to TFE Team site-admins"
#         + id                   = (known after apply)
#         + is_enabled           = true
#         + value                = "site-admins"
#       }
#     + oauth2_permissions {
#         + admin_consent_description  = (known after apply)
#         + admin_consent_display_name = (known after apply)
#         + id                         = (known after apply)
#         + is_enabled                 = (known after apply)
#         + type                       = (known after apply)
#         + user_consent_description   = (known after apply)
#         + user_consent_display_name  = (known after apply)
#         + value                      = (known after apply)
#       }
#     + required_resource_access {
#         + resource_app_id = "00000003-0000-0000-c000-000000000000"
#         + resource_access {
#             + id   = "00000003-0000-0000-c000-000000000000"
#             + type = "Scope"
#           }
#         + resource_access {
#             + id   = "00000003-0000-0000-c000-000000000000"
#             + type = "Scope"
#           }
#         + resource_access {
#             + id   = "00000003-0000-0000-c000-000000000000"
#             + type = "Role"
#           }
#       }
#   }
# Plan: 1 to add, 0 to change, 0 to destroy.