feat: grant admin consent in code

Felix Zieger · Felix Zieger · commit 72197c9dfceb · 2022-03-02T18:51:16.000+01:00
diff --git a/README.md b/README.md
@@ -55,9 +55,7 @@ For an overview of the module structure, refer to [generated terraform docs](./T
     terraform output -json
     ```
 
-7. Grant admin consent to the newly created Replicator Service Principal. See the terraform output on how to do this.
-
-8. Grant access on the enrollment account as described in the [meshcloud public docs](https://docs.dev.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-azure-manually.html#set-up-subscription-provisioning).
+7. Grant access on the enrollment account as described in the [meshcloud public docs](https://docs.dev.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-azure-manually.html#set-up-subscription-provisioning).
 
 ### Using CLI
 
diff --git a/modules/meshcloud-idp-lookup-spp/module.tf b/modules/meshcloud-idp-lookup-spp/module.tf
@@ -12,6 +12,13 @@ terraform {
   }
 }
 
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing   = true
+}
+
 resource "azuread_application" "meshcloud_idp_lookup" {
   display_name = "idplookup.${var.spp_name_suffix}"
 
@@ -21,12 +28,12 @@ resource "azuread_application" "meshcloud_idp_lookup" {
     }
   }
   required_resource_access {
-    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 
     # We only require this User.Read.All permission to see all of the Users in the AAD https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names
     # Since this is a role (and not a scope) permission, you also have to enable admin consent in azure portal
     resource_access {
-      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
+      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
       type = "Role"
     }
 
@@ -47,6 +54,12 @@ resource "azuread_service_principal" "meshcloud_idp_lookup" {
   application_id = azuread_application.meshcloud_idp_lookup.application_id
 }
 
+resource "azuread_app_role_assignment" "meshcloud_idp_lookup" {
+  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+  principal_object_id = azuread_service_principal.meshcloud_idp_lookup.object_id
+  resource_object_id  = azuread_service_principal.msgraph.object_id
+}
+
 resource "azuread_service_principal_password" "spp_pw" {
   service_principal_id = azuread_service_principal.meshcloud_idp_lookup.id
   end_date             = "2999-01-01T01:02:03Z" # no expiry
diff --git a/modules/meshcloud-idp-lookup-spp/outputs.tf b/modules/meshcloud-idp-lookup-spp/outputs.tf
@@ -1,6 +1,5 @@
 output "service_principal" {
   value = {
-    INFO      = "On the very first time running tf apply, you have to run 'az ad app permission admin-consent --id ${azuread_service_principal.meshcloud_idp_lookup.application_id}' or click the 'Grant Admin consent button' in the portal"
     object_id = azuread_service_principal.meshcloud_idp_lookup.id
     app_id    = azuread_service_principal.meshcloud_idp_lookup.application_id
     password  = "Execute `terraform output idp_lookup_spp_password` to see the password"
diff --git a/modules/meshcloud-replicator-spp/module.tf b/modules/meshcloud-replicator-spp/module.tf
@@ -53,6 +53,13 @@ resource "azurerm_role_definition" "meshcloud_replicator" {
   ]
 }
 
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing   = true
+}
+
 resource "azuread_application" "meshcloud_replicator" {
   display_name = "replicator.${var.spp_name_suffix}"
 
@@ -62,20 +69,20 @@ resource "azuread_application" "meshcloud_replicator" {
     }
   }
   required_resource_access {
-    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 
     resource_access {
-      id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61" # Directory.Read.All
+      id   = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
       type = "Role"
     }
 
     resource_access {
-      id   = "62a82d76-70ea-41e2-9197-370581804d09" # Group.ReadWrite.All
+      id   = azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
       type = "Role"
     }
 
     resource_access {
-      id   = "09850681-111b-4a89-9bed-3f2cae46d706" # User.Invite.All
+      id   = azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
       type = "Role"
     }
   }
@@ -122,6 +129,24 @@ resource "azurerm_role_assignment" "meshcloud_replicator" {
   principal_id       = azuread_service_principal.meshcloud_replicator.id
 }
 
+resource "azuread_app_role_assignment" "meshcloud_replicator-directory" {
+  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
+  principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
+  resource_object_id  = azuread_service_principal.msgraph.object_id
+}
+
+resource "azuread_app_role_assignment" "meshcloud_replicator-group" {
+  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
+  principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
+  resource_object_id  = azuread_service_principal.msgraph.object_id
+}
+
+resource "azuread_app_role_assignment" "meshcloud_replicator-user" {
+  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
+  principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
+  resource_object_id  = azuread_service_principal.msgraph.object_id
+}
+
 resource "azuread_service_principal_password" "spp_pw" {
   service_principal_id = azuread_service_principal.meshcloud_replicator.id
   end_date             = "2999-01-01T01:02:03Z" # no expiry
diff --git a/modules/meshcloud-replicator-spp/outputs.tf b/modules/meshcloud-replicator-spp/outputs.tf
@@ -1,6 +1,5 @@
 output "service_principal" {
   value = {
-    INFO      = "On the very first time running tf apply, you have to run 'az ad app permission admin-consent --id ${azuread_service_principal.meshcloud_replicator.application_id}' or click the 'Grant Admin consent button' in the portal"
     object_id = azuread_service_principal.meshcloud_replicator.id
     app_id    = azuread_service_principal.meshcloud_replicator.application_id
     password  = "Execute `terraform output replicator_spp_password` to see the password"
