Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for azurerm_pim_eligible_role_assignment condition #25501

Open
1 task done
isehuetdk opened this issue Apr 3, 2024 · 2 comments
Open
1 task done

Support for azurerm_pim_eligible_role_assignment condition #25501

isehuetdk opened this issue Apr 3, 2024 · 2 comments
Labels
enhancement service/authorization

Comments

@isehuetdk
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

I would like to add conditions to my PIM assignment as in https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleeligibilityschedulerequests?pivots=deployment-language-terraform
to restrict certain permissions, e.g. allow access management for high privileged roles.

This feature is currently not supported in azurerm_pim_eligible_role_assignment version 3.97.1.

Also added as request/note here #23458 (comment)

Using the azapi to deploy this using "Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview" does not resolve the issue due to #22513 that throws an error 400 when redeploying an existing PIM assignment. Furthermore, the API does not support destroy function to remove the assignment through code.

New or Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Potential Terraform Configuration

resource "azurerm_pim_eligible_role_assignment" "example" {
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.example.id}"
  principal_id       = data.azurerm_client_config.example.object_id

  schedule {
    start_date_time = time_static.example.rfc3339
    expiration {
      duration_hours = 8
    }
  }

  justification = "Expiration Duration Set"

  ticket {
    number = "1"
    system = "example ticket system"
  }

  condition = "<condition>"
  condition_version = "2.0"
}

References

No response
@isehuetdk
Copy link
Author

Module azurerm_role_assignment already supports this functionality.

@sgrinker303
Copy link

This should be added for both eligible and active PIM assignments. As already mentioned, it is included in standard role assignments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement service/authorization
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sgrinker303 @isehuetdk @rcskosir