add owners to applications and service principals

Author: bickmeck

main.tf

@@ -69,6 +69,8 @@ module "replicator_service_principal" {
     issuer  = var.workload_identity_federation.issuer,
     subject = var.workload_identity_federation.replicator_subject
   }
+
+  application_owners = var.application_owners
 }
 
 module "mca_service_principal" {
@@ -80,6 +82,8 @@ module "mca_service_principal" {
   billing_account_name = var.mca.billing_account_name
   billing_profile_name = var.mca.billing_profile_name
   invoice_section_name = var.mca.invoice_section_name
+
+  application_owners = var.application_owners
 }
 
 module "metering_service_principal" {
@@ -94,6 +98,8 @@ module "metering_service_principal" {
     issuer  = var.workload_identity_federation.issuer,
     subject = var.workload_identity_federation.kraken_subject
   }
+
+  application_owners = var.application_owners
 }
 
 module "sso_service_principal" {
@@ -104,6 +110,8 @@ module "sso_service_principal" {
   meshstack_idp_domain         = var.sso_meshstack_idp_domain
   identity_provider_alias      = var.sso_identity_provider_alias
   app_role_assignment_required = var.sso_app_role_assignment_required
+
+  application_owners = var.application_owners
 }
 
 # facilitate migration from v0.1.0 of the module

modules/meshcloud-mca-service-principal/module.tf

@@ -30,11 +30,13 @@ data "azurerm_billing_mca_account_scope" "mca" {
 resource "azuread_application" "mca" {
   for_each     = toset(var.service_principal_names)
   display_name = each.key
+  owners       = var.application_owners
 }
 
 resource "azuread_service_principal" "mca" {
   for_each  = toset(var.service_principal_names)
   client_id = azuread_application.mca[each.key].client_id
+  owners    = var.application_owners
 }
 
 data "azapi_resource_list" "billing_role_definitions" {

modules/meshcloud-mca-service-principal/variables.tf

@@ -13,3 +13,9 @@ variable "billing_profile_name" {
 variable "invoice_section_name" {
   type = string
 }
+
+variable "application_owners" {
+  type        = list(string)
+  description = "List of user principals that should be added as owners to the mca service principal."
+  default     = []
+}

modules/meshcloud-metering-service-principal/module.tf

@@ -32,6 +32,7 @@ resource "azurerm_role_assignment" "meshcloud_metering" {
 //---------------------------------------------------------------------------
 resource "azuread_application" "meshcloud_metering" {
   display_name = var.service_principal_name
+  owners       = var.application_owners
 
   feature_tags {
     enterprise = true
@@ -50,6 +51,7 @@ resource "azuread_application" "meshcloud_metering" {
 //---------------------------------------------------------------------------
 resource "azuread_service_principal" "meshcloud_metering" {
   client_id = azuread_application.meshcloud_metering.client_id
+  owners    = var.application_owners
   feature_tags {
     enterprise = true
   }

modules/meshcloud-metering-service-principal/variables.tf

@@ -18,3 +18,9 @@ variable "workload_identity_federation" {
   description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
   type        = object({ issuer = string, subject = string })
 }
+
+variable "application_owners" {
+  type        = list(string)
+  description = "List of user principals that should be added as owners to the metering service principal."
+  default     = []
+}

modules/meshcloud-replicator-service-principal/module.tf

@@ -116,6 +116,7 @@ data "azuread_application_template" "enterprise_app" {
 }
 resource "azuread_application" "meshcloud_replicator" {
   display_name = var.service_principal_name
+  owners       = var.application_owners
   template_id  = data.azuread_application_template.enterprise_app.template_id
   feature_tags {
     enterprise = true
@@ -168,6 +169,7 @@ resource "azuread_application" "meshcloud_replicator" {
 //---------------------------------------------------------------------------
 resource "azuread_service_principal" "meshcloud_replicator" {
   client_id = azuread_application.meshcloud_replicator.client_id
+  owners    = var.application_owners
   feature_tags {
     enterprise = true
   }

modules/meshcloud-replicator-service-principal/variables.tf

@@ -53,3 +53,9 @@ variable "workload_identity_federation" {
   description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
   type        = object({ issuer = string, subject = string })
 }
+
+variable "application_owners" {
+  type        = list(string)
+  description = "List of user principals that should be added as owners to the replicator service principal."
+  default     = []
+}

modules/meshcloud-sso/module.tf

@@ -29,6 +29,7 @@ data "azuread_application_template" "enterprise_app" {
 
 resource "azuread_application" "meshcloud_sso" {
   display_name = var.service_principal_name
+  owners       = var.application_owners
   template_id  = data.azuread_application_template.enterprise_app.template_id
   feature_tags {
     enterprise = true
@@ -54,6 +55,7 @@ resource "azuread_service_principal" "meshcloud_sso" {
   use_existing                 = true
   app_role_assignment_required = var.app_role_assignment_required
   client_id                    = azuread_application.meshcloud_sso.client_id
+  owners                       = var.application_owners
 }
 
 resource "azuread_application_password" "meshcloud_sso" {

modules/meshcloud-sso/variables.tf

@@ -20,3 +20,9 @@ variable "app_role_assignment_required" {
   default     = false
   description = "Whether all users can login using the created application (false), or only assigned users (true)"
 }
+
+variable "application_owners" {
+  type        = list(string)
+  description = "List of user principals that should be added as owners to the sso service principal."
+  default     = []
+}

variables.tf

@@ -123,3 +123,9 @@ variable "mca" {
   })
   default = null
 }
+
+variable "application_owners" {
+  type        = list(string)
+  description = "List of user principals that should be added as owners to the created service principals."
+  default     = []
+}