fix: allow assignment of additional replicator roles in policy
The privilege escalation policy did as intended to prevent additional
role assignments to the replicator SPN. However, this creates a conflict
when trying to add additional scopes where cancelling subscriptions
or deleting resource groups is allowed. We therefore now whitelist
those role assignments in the policy.
|[azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/application_published_app_ids)| data source |
35
-
|[azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/service_principal)| data source |
|[azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_published_app_ids)| data source |
43
+
|[azuread_application_template.enterprise_app](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/application_template)| data source |
44
+
|[azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.46.0/docs/data-sources/service_principal)| data source |
36
45
37
46
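Review bot: this region changes more than the commit message states: the data-source doc links move from azuread provider 2.18.0 to 2.46.0 and a new `azuread_application_template.enterprise_app` data source appears, neither of which relates to whitelisting role assignments in the policy. Mention the provider bump and the enterprise-app template in the message, and confirm the provider version constraint in the module is raised to match the 2.46.0 links, since the links alone do not change what Terraform installs.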
## Inputs
38
47
39
48
| Name | Description | Type | Default | Required |
| <aname="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions)| Additional Subscription-Level Permissions the Service Principal needs. |`list(string)`|`[]`| no |
42
51
| <aname="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses)| Additional AAD-Level Resource Accesses the Service Principal needs. |`list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))`|`[]`| no |
43
-
| <aname="input_scope"></a> [scope](#input\_scope)| The scope to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions. |`string`| n/a | yes |
44
-
| <aname="input_service_principal_name_suffix"></a> [service\_principal\_name\_suffix](#input\_service\_principal\_name\_suffix)| Service principal name suffix. |`string`| n/a | yes |
45
-
| <aname="replicator_rg_enabled"></a> [replicator\_rg\_enabled](#input\_service\_principal\_name\_suffix)| Whether the created replicator Service Principal should be usable for Azure Resource Group based replication. |`bool`| false | no |
52
+
| <aname="input_assignment_scopes"></a> [assignment\_scopes](#input\_assignment\_scopes)| The scopes to which Service Principal permissions is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. |`list(string)`| n/a | yes |
53
+
| <aname="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes)| The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. |`list(string)`|`[]`| no |
54
+
| <aname="input_can_delete_rgs_in_scopes"></a> [can\_delete\_rgs\_in\_scopes](#input\_can\_delete\_rgs\_in\_scopes)| The scopes to which Service Principal delete resource group permission is assigned to. Only relevant when `replicator_rg_enabled`. List of subscription scopes of form `/subscriptions/<subscriptionId>`. |`list(string)`|`[]`| no |
55
+
| <aname="input_create_password"></a> [create\_password](#input\_create\_password)| Create a password for the enterprise application. |`bool`| n/a | yes |
56
+
| <aname="input_custom_role_scope"></a> [custom\_role\_scope](#input\_custom\_role\_scope)| The scope to which Service Principal permissions can be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions. |`string`| n/a | yes |
57
+
| <aname="input_replicator_rg_enabled"></a> [replicator\_rg\_enabled](#input\_replicator\_rg\_enabled)| Whether the created replicator Service Principal should be usable for Azure Resource Group based replication. |`bool`|`false`| no |
58
+
| <aname="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name)| Display name of the replicator service principal. |`string`| n/a | yes |
59
+
| <aname="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation)| Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. |`object({ issuer = string, subject = string })`|`null`| no |
46
60
47
61
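Review bot: the inputs table documents a breaking interface change that a `fix:` commit message does not announce: `scope` and `service_principal_name_suffix` are removed and replaced by `custom_role_scope`, `assignment_scopes` and `service_principal_name`, so existing callers will fail to plan; call this out with a short migration hint. Two smaller points in the same rows: in `assignment_scopes` the description "Service Principal permissions is assigned to" should read "permissions are assigned to", and the scope formats are documented inconsistently (a trailing slash in `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/` for `assignment_scopes` and `can_cancel_subscriptions_in_scopes`, none for `custom_role_scope` and `can_delete_rgs_in_scopes`); settle on one form so users do not pass mixed scope strings. Since `can_cancel_subscriptions_in_scopes` and `can_delete_rgs_in_scopes` are exactly the assignments the policy now exempts, their descriptions should also say that scopes listed here are whitelisted from the privilege-escalation policy, so the blast radius of populating them is visible in the docs.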
## Outputs
48
62
49
63
| Name | Description |
50
64
|------|-------------|
65
+
| <aname="output_application_client_secret"></a> [application\_client\_secret](#output\_application\_client\_secret)| Client Secret Of the Application. |
51
66
| <aname="output_credentials"></a> [credentials](#output\_credentials)| Service Principal application id and object id |
52
-
| <aname="output_application_client_secret"></a> [application\_client\_secret](#output\_application\_client\_secret)| Password for the Service Principal. |
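Review bot: the `application_client_secret` description changes from "Password for the Service Principal." to "Client Secret Of the Application." but does not say what the output holds when `create_password` is false or when `workload_identity_federation` is set, which is the case this table now supports; state that explicitly (for example, that the output is empty in those cases), fix the capitalisation of "Of", and confirm the output is marked sensitive in the module so it does not land in plan output.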