feat: include sso in standard setup

Author: Felix Zieger

main.tf

@@ -49,6 +49,13 @@ module "metering_service_principal" {
   assignment_scope       = data.azuread_client_config.current.tenant_id
 }
 
+module "sso_service_principal" {
+  count  = var.sso_enabled ? 1 : 0
+  source = "./modules/meshcloud-sso/"
+
+  service_principal_name = var.metering_service_principal_name
+}
+
 # facilitate migration from v0.1.0 of the module
 moved {
   from = module.replicator_spp

modules/meshcloud-sso/module.tf

@@ -11,15 +11,32 @@ terraform {
     }
   }
 }
+//---------------------------------------------------------------------------
+// Queries Entra ID for information about well-known application IDs.
+// Retrieve details about the service principal 
+//---------------------------------------------------------------------------
 
 data "azuread_application_published_app_ids" "well_known" {}
 
 data "azuread_service_principal" "msgraph" {
   client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 }
 
+//---------------------------------------------------------------------------
+// Create New application in Microsoft Entra ID
+//---------------------------------------------------------------------------
+data "azuread_application_template" "enterprise_app" {
+  # will create the application based on this template ID to have features like Provisioning
+  # available in the enterprise application
+  template_id = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
+}
+
 resource "azuread_application" "meshcloud_sso" {
-  display_name = "sso.${var.service_principal_name_suffix}"
+  display_name = var.service_principal_name
+  template_id  = data.azuread_application_template.enterprise_app.template_id
+  feature_tags {
+    enterprise = true
+  }
 
   required_resource_access {
     resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
@@ -29,18 +46,16 @@ resource "azuread_application" "meshcloud_sso" {
       type = "Scope"
     }
   }
-
   web {
     redirect_uris = [var.meshstack_redirect_uri]
   }
+}
 
-  # As far as we know it is not possible to automate the "Grant admin consent button" for app registrations
-  # You have to grant admin consent manually
-  lifecycle {
-    ignore_changes = [
-      app_role
-    ]
-  }
+resource "azuread_app_role_assignment" "meshcloud_sso_user_read" {
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Read"]
+  principal_object_id = azuread_application.meshcloud_sso.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
+  depends_on          = [azuread_application.meshcloud_sso]
 }
 
 resource "azuread_application_password" "meshcloud_sso" {

modules/meshcloud-sso/outputs.tf

@@ -1,12 +1,12 @@
-output "app_registration" {
-  description = "Application registration application id and object id"
+output "credentials" {
+  description = "Service Principal application id and object id"
   value = {
-    object_id = azuread_application.meshcloud_sso.object_id
-    app_id    = azuread_application.meshcloud_sso.client_id
+    Enterprise_Application_Object_ID = azuread_application.meshcloud_sso.object_id
+    Application_Client_ID            = azuread_application.meshcloud_sso.client_id
   }
 }
 
-output "app_registration_client_secret" {
+output "application_client_secret" {
   description = "Password for the application registration."
   value       = azuread_application_password.meshcloud_sso.value
   sensitive   = true

modules/meshcloud-sso/variables.tf

@@ -1,9 +1,9 @@
-variable "service_principal_name_suffix" {
+variable "service_principal_name" {
   type        = string
-  description = "Service principal name suffix."
+  description = "Service principal name."
 }
 
 variable "meshstack_redirect_uri" {
   type        = string
-  description = "Redirect URI that will be provided by meshcloud. It is individual per meshStack."
+  description = "Redirect URI that was provided by meshcloud. It is individual per meshStack."
 }

outputs.tf

@@ -21,6 +21,17 @@ output "metering_service_principal_password" {
   sensitive   = true
 }
 
+output "sso_service_principal" {
+  description = "SSO Service Principal."
+  value       = length(module.sso_service_principal) > 0 ? module.sso_service_principal[0].credentials : null
+}
+
+output "sso_service_principal_password" {
+  description = "Password for SSO Service Principal."
+  value       = length(module.sso_service_principal) > 0 ? module.sso_service_principal[0].application_client_secret : null
+  sensitive   = true
+}
+
 output "azure_ad_tenant_id" {
   description = "The Azure AD tenant id."
   value       = data.azuread_client_config.current.tenant_id

variables.tf

@@ -15,6 +15,12 @@ variable "replicator_assignment_scopes" {
   description = "Names or UUIDs of the Management Groups which replicator should manage."
 }
 
+variable "sso_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to create SSO Service Principal or not."
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 # These parameters have reasonable defaults.