
claranet/terraform-azurerm-pim

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Privileged Identity Management

Azure module to deploy a Privileged Identity Management.

Prerequisites

This module can only be applied with a Service Principal, due to limitations in the Azure CLI and the AzureRM provider.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform code module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. Instead, we recommend using OpenTofu.

```hcl
module "pim" {
  source  = "claranet/pim/azurerm"
  version = "x.x.x"

  pim_enabled_groups = {
    "Tenant Global Administrators Group" = {
      members = [
        "user.mail@tenantname.onmicrosoft.com",
        "guest.user_guest.domaine#EXT#@tenantname.onmicrosoft.com",
      ]
      roles = ["Global Administrator"]
    }
    "Existing Group" = {
      members = [
        "member1@tenantname.onmicrosoft.com",
        "member2@tenantname.onmicrosoft.com",
      ]
      roles        = ["Security Operator", "Cloud App Security Administrator"]
      create_group = false
    }
  }
}
```

Providers

| Name | Version |
|---|---|
| azuread | ~> 3.3 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| azuread_directory_role.main | resource |
| azuread_directory_role_eligibility_schedule_request.main | resource |
| azuread_group_member.main | resource |
| azuread_group_without_members.main | resource |
| azuread_group.main | data source |
| azuread_user.main | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| pim_enabled_groups | Managed PIM groups with roles and members. | `map(object({ roles = list(string), members = list(string), create_group = optional(bool, true), custom_group_description = optional(string, null) }))` | n/a | yes |
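The following root-module wrapper is an added example and not code from claranet/terraform-azurerm-pim: it declares the same pim_enabled_groups type as the Inputs table and adds two validation blocks (a UPN shape check and a cap on the number of members eligible for Global Administrator) so a non-compliant configuration fails at plan time, before any eligibility schedule request is created. The regex pattern and the limit of 5 are assumed local policy values, not module constraints.

```hcl
# Added example, not part of claranet/terraform-azurerm-pim: a root module that
# enforces two review policies on pim_enabled_groups before calling the module.
variable "pim_enabled_groups" {
  description = "PIM groups with roles and members; type mirrors the module input."
  type = map(object({
    roles                    = list(string)
    members                  = list(string)
    create_group             = optional(bool, true)
    custom_group_description = optional(string, null)
  }))

  # Policy 1: every member must look like a user principal name.
  # The pattern is an assumption; tighten it to your tenant's domains.
  validation {
    condition = alltrue(flatten([
      for g in values(var.pim_enabled_groups) : [
        for m in g.members : can(regex("^[^@]+@[^@]+$", m))
      ]
    ]))
    error_message = "Every member must be a user principal name (user@domain)."
  }

  # Policy 2: cap how many distinct people can be eligible for Global Administrator.
  # The limit of 5 is an assumed local policy value, not a module constraint.
  validation {
    condition = length(distinct(flatten([
      for g in values(var.pim_enabled_groups) : [
        for m in g.members : m if contains(g.roles, "Global Administrator")
      ]
    ]))) <= 5
    error_message = "No more than 5 distinct members may be eligible for Global Administrator."
  }
}

module "pim" {
  source  = "claranet/pim/azurerm"
  version = "x.x.x"

  pim_enabled_groups = var.pim_enabled_groups
}

# Constructed input for a plan run (terraform.tfvars):
# pim_enabled_groups = {
#   "Tenant Global Administrators Group" = {
#     members = ["user.mail@tenantname.onmicrosoft.com"]
#     roles   = ["Global Administrator"]
#   }
# }
```

A violation of either policy stops `tofu plan` with the error_message, so the check runs without any credentials against the tenant.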

Outputs

| Name | Description |
|---|---|
| resource | Privileged Identity Management resource object. |

Related documentation

Microsoft Azure documentation: PIM
