feat: sso app registration

Felix Zieger · Felix Zieger · commit ab5127cf72f9 · 2022-03-03T16:13:42.000+01:00
diff --git a/TERRAFORM_DOCS.md b/TERRAFORM_DOCS.md
@@ -10,7 +10,8 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.12.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 2.97.0 |
 
 ## Modules
 
@@ -25,6 +26,7 @@
 
 | Name | Type |
 |------|------|
+| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/client_config) | data source |
 | [azurerm_management_group.root](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/data-sources/management_group) | data source |
 
 ## Inputs
@@ -44,6 +46,7 @@
 
 | Name | Description |
 |------|-------------|
+| <a name="output_azure_ad_tenant_id"></a> [azure\_ad\_tenant\_id](#output\_azure\_ad\_tenant\_id) | The Azure AD tenant id. |
 | <a name="output_idp_lookup_spp"></a> [idp\_lookup\_spp](#output\_idp\_lookup\_spp) | IDP Lookup Service Principal. |
 | <a name="output_idp_lookup_spp_password"></a> [idp\_lookup\_spp\_password](#output\_idp\_lookup\_spp\_password) | Password for IDP Lookup Service Principal. |
 | <a name="output_kraken_spp"></a> [kraken\_spp](#output\_kraken\_spp) | Kraken Service Principal. |
diff --git a/modules/meshcloud-idp-lookup-spp/README.md b/modules/meshcloud-idp-lookup-spp/README.md
@@ -20,20 +20,22 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [azuread_app_role_assignment.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/app_role_assignment) | resource |
 | [azuread_application.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
 | [azuread_service_principal.meshcloud_idp_lookup](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
 | [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal_password) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/application_published_app_ids) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_scope"></a> [scope](#input\_scope) | The scope to which SPP permissions should be assigned to. Usually this is a management group that sits atop the subscriptions. | `string` | n/a | yes |
 | <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | n/a |
+| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | Service Principal application id and object id |
 | <a name="output_service_principal_password"></a> [service\_principal\_password](#output\_service\_principal\_password) | Password for the Service Principal. |
diff --git a/modules/meshcloud-kraken-spp/README.md b/modules/meshcloud-kraken-spp/README.md
@@ -39,5 +39,5 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | n/a |
+| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | Service Principal application id and object id |
 | <a name="output_service_principal_password"></a> [service\_principal\_password](#output\_service\_principal\_password) | Password for the Service Principal. |
diff --git a/modules/meshcloud-replicator-spp/README.md b/modules/meshcloud-replicator-spp/README.md
@@ -21,11 +21,16 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [azuread_app_role_assignment.meshcloud_replicator-directory](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.meshcloud_replicator-group](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.meshcloud_replicator-user](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/app_role_assignment) | resource |
 | [azuread_application.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
 | [azuread_service_principal.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
 | [azuread_service_principal_password.spp_pw](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal_password) | resource |
 | [azurerm_role_assignment.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azurerm/2.97.0/docs/resources/role_definition) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/application_published_app_ids) | data source |
 
 ## Inputs
 
@@ -40,5 +45,5 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | n/a |
+| <a name="output_service_principal"></a> [service\_principal](#output\_service\_principal) | Service Principal application id and object id |
 | <a name="output_service_principal_password"></a> [service\_principal\_password](#output\_service\_principal\_password) | Password for the Service Principal. |
diff --git a/modules/meshcloud-sso/README.md b/modules/meshcloud-sso/README.md
@@ -0,0 +1,40 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 2.18.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 2.97.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.18.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_application.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application) | resource |
+| [azuread_application_password.meshcloud_sso](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/application_password) | resource |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/resources/service_principal) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.18.0/docs/data-sources/application_published_app_ids) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_meshstack_redirect_uri"></a> [meshstack\_redirect\_uri](#input\_meshstack\_redirect\_uri) | Redirect URI that will be provided by meshcloud. It is individual per meshStack. | `string` | n/a | yes |
+| <a name="input_spp_name_suffix"></a> [spp\_name\_suffix](#input\_spp\_name\_suffix) | Service principal name suffix. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_app_registration"></a> [app\_registration](#output\_app\_registration) | Application registration application id and object id |
+| <a name="output_app_registration_client_secret"></a> [app\_registration\_client\_secret](#output\_app\_registration\_client\_secret) | Password for the application registration. |
diff --git a/modules/meshcloud-sso/module.tf b/modules/meshcloud-sso/module.tf
@@ -0,0 +1,49 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.97.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.18.0"
+    }
+  }
+}
+
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing   = true
+}
+
+resource "azuread_application" "meshcloud_sso" {
+  display_name = "sso.${var.spp_name_suffix}"
+
+  required_resource_access {
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+
+    resource_access {
+      id   = azuread_service_principal.msgraph.app_role_ids["User.Read"]
+      type = "Scope"
+    }
+
+    # As far as we know it is not possible to automate the "Grant admin consent button" for app registrations
+    # You have to grant admin consent manually
+    lifecycle {
+      ignore_changes = [
+        app_role
+      ]
+    }
+  }
+
+  web {
+    redirect_uris = [var.meshstack_redirect_uri]
+  }
+}
+
+resource "azuread_application_password" "meshcloud_sso" {
+  application_object_id = azuread_application.meshcloud_sso.object_id
+}
diff --git a/modules/meshcloud-sso/outputs.tf b/modules/meshcloud-sso/outputs.tf
@@ -0,0 +1,13 @@
+output "app_registration" {
+  description = "Application registration application id and object id"
+  value = {
+    object_id = azuread_service_principal.meshcloud_sso.id
+    app_id    = azuread_service_principal.meshcloud_sso.application_id
+  }
+}
+
+output "app_registration_client_secret" {
+  description = "Password for the application registration."
+  value       = azuread_application_password.meshcloud_sso.value
+  sensitive   = true
+}
diff --git a/modules/meshcloud-sso/variables.tf b/modules/meshcloud-sso/variables.tf
@@ -0,0 +1,9 @@
+variable "spp_name_suffix" {
+  type        = string
+  description = "Service principal name suffix."
+}
+
+variable "meshstack_redirect_uri" {
+  type        = string
+  description = "Redirect URI that will be provided by meshcloud. It is individual per meshStack."
+}
