# Printf-style template for the OIDC sign-in redirect URI; the "%s" stands for
# the host name. Nothing in this file consumes it — presumably filled in with
# format() by the app registration that lives elsewhere (TODO confirm).
locals {
signin_url = "https://%s/signin-oidc"
}
# Resolves the Key Vault admin UPNs (var.key_vault_admins, declared elsewhere)
# to directory object IDs for the group below. By default the provider errors on
# a UPN it cannot find, which is the desirable failure mode for a privileged
# group: an unknown principal is never silently dropped from the member list.
data "azuread_users" "key_vault_admins" {
user_principal_names = var.key_vault_admins
}
# Security group that carries the Key Vault administrators of this workspace.
# Membership is declared in full from data.azuread_users.key_vault_admins; per the
# azuread provider the whole member set is reconciled on apply, so anyone added
# outside Terraform is removed again on the next run (do not pair this with
# azuread_group_member). Membership changes on this group in the directory audit
# log are worth alerting on. The deploying identity
# (data.azuread_client_config.current, defined elsewhere) becomes an owner and
# can therefore alter membership out-of-band — treat that identity as privileged.
resource "azuread_group" "key-vault-admins" {
  security_enabled = true
  display_name     = "Key Vault Admins ${upper(terraform.workspace)}"
  members          = data.azuread_users.key_vault_admins.object_ids
  owners           = [data.azuread_client_config.current.object_id]
}
# Looks up the VPN application's service principal in this tenant by its
# application (client) ID; local.azure_vpn_app_id is defined elsewhere. This data
# source has no count, so it is evaluated in every workspace even though the
# resources that use it only exist in prod — the application must therefore be
# present wherever this configuration is planned.
# NOTE(review): newer azuread provider majors prefer `client_id` over
# `application_id` for this lookup — confirm against the pinned provider version.
data "azuread_service_principal" "azure-vpn" {
application_id = local.azure_vpn_app_id
}
# Resolves the VPN user UPNs (var.vpn_users, declared elsewhere) to object IDs.
# No count here, so the lookup runs in every workspace although the VPN group is
# only created in prod: every UPN in var.vpn_users must exist in the tenant that
# each workspace plans against, or the plan fails (the provider's default for a
# missing user). Failing loudly is preferable to a silently shrunk member list.
data "azuread_users" "vpn-users" {
user_principal_names = var.vpn_users
}
# Prod-only security group for VPN access; count is 0 in every other workspace,
# so the group (and the app role assignment that references it) is absent there.
# Members come from data.azuread_users.vpn-users and are reconciled as a whole on
# apply; the deploying identity is made an owner and can change membership
# outside Terraform.
# NOTE(review): the resource is named "vpn-admins" but the group is displayed as
# "VPN Users" and is fed from var.vpn_users — the resource name overstates the
# privilege. Renaming the resource needs a moved block plus the reference in the
# app role assignment; renaming the group changes the directory object. Left as is.
resource "azuread_group" "vpn-admins" {
  count = terraform.workspace == "prod" ? 1 : 0

  security_enabled = true
  display_name     = "VPN Users ${upper(terraform.workspace)}"
  members          = data.azuread_users.vpn-users.object_ids
  owners           = [data.azuread_client_config.current.object_id]
}
# Assigns the prod VPN group to the VPN application so that group membership
# alone gates VPN sign-in. The all-zeros GUID is the directory's default-access
# app role, used when the target application exposes no roles of its own. The
# count mirrors the group's, so the [0] index is defined exactly when this
# resource exists; Terraform derives the ordering from the two references.
resource "azuread_app_role_assignment" "azure-vpn" {
  count = terraform.workspace == "prod" ? 1 : 0

  resource_object_id  = data.azuread_service_principal.azure-vpn.object_id
  principal_object_id = azuread_group.vpn-admins[0].object_id
  app_role_id         = "00000000-0000-0000-0000-000000000000" # default-access role
}