Azure PIM Role Settings for Owner role


Trying to set Azure PIM role settings for the Owner role via Terraform, including Azure MFA, activation hours, and also sending notifications when eligible to activate this role, via the local_exec provider in Terraform.

I tried this one:

    resource "azurerm_role_assignment" "pim_subscription_owner" {
      scope              = "/subscriptions/<sub id>"
      role_definition_id = "/subscriptions/id/providers/Microsoft.Authorization/roleDefinitions/<sub id>"
      principal_id       = "<principal_id>"
      lifecycle {
        ignore_changes = [
          role_definition_id,
          principal_id
        ]
      }
    }

    resource "azurerm_role_assignment" "mfa_role_assignment" {
      scope              = azurerm_role_assignment.pim_subscription_owner.scope
      role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/"
      principal_id       = azurerm_role_assignment.pim_subscription_owner.principal_id
      # provisioner blocks are spelled "local-exec"; a resource cannot reference
      # itself by name inside its own provisioner, so "self" is used instead
      provisioner "local-exec" {
        command     = <<-EOT
          az ad sp mfa set --id ${self.principal_id} --auth-type MFA
        EOT
        interpreter = ["bash", "-c"]
      }
    }


Accepted answer by Venkat V

Azure PIM Role Settings for Owner role

There is no direct way via Terraform to update the Azure PIM role settings, but you can use a PowerShell script inside Terraform by using null_resource.

Here is the PowerShell script that updates the PIM role settings, such as justification and MFA requirement on activation.

PIMRole.ps1

    # Requires the Microsoft.Graph.Identity.Governance module and a Graph session
    # with permission to write role management policies
    Import-Module Microsoft.Graph.Identity.Governance
    Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

    # ID of the role management policy to change (placeholder: look it up for your tenant)
    $unifiedRoleManagementPolicyId = "<policy id>"
    # ID of the rule inside that policy; must match the "id" in the body below
    $unifiedRoleManagementPolicyRuleId = "Enablement_EndUser_Assignment"

    $params = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id = "Enablement_EndUser_Assignment"
        # rules enforced when an eligible user activates the role
        enabledRules = @(
            "Justification"
            "MultiFactorAuthentication"
            "Ticketing"
        )
        target = @{
            "@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
            caller = "EndUser"
            operations = @(
                "All"
            )
            level = "Assignment"
            inheritableSettings = @(
            )
            enforcedSettings = @(
            )
        }
    }

    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params

Terraform file

Please ensure that the PowerShell script is in the same folder as the Terraform code before executing it.

    provider "azurerm" {
      features {}
    }

    resource "null_resource" "Powershell_script" {
      provisioner "local-exec" {
        command = <<-EOT
          powershell -ExecutionPolicy Bypass -File ${path.module}/PIMRole.ps1
        EOT
      }
    }

Reference: Update the justification, MFA, and ticketing rules required on activation

Get-AzureADMSPrivilegedRoleSetting
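Microsoft Graph's roleManagementPolicies cover Entra directory roles and groups; for an Azure resource role such as Owner on a subscription, the same settings live in the Azure RM roleManagementPolicies API. The PowerShell below is an added example, not the answerer's script, that looks up the Owner role's policy at a subscription scope and sets the three things the question asks for (MFA on activation, a maximum activation duration, and e-mail notifications) through that API. It assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session with rights to manage PIM at that scope, and the parameter names $SubscriptionId and $MaxActivationHours are my own.

```powershell
# Added example (not the answerer's script): set the Owner role's PIM settings on one subscription
# through the Azure RM roleManagementPolicies API. Assumes Az.Accounts + Az.Resources are installed
# and Connect-AzAccount has already run as a user who can manage PIM at this scope.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # assumed name; pass it in from Terraform
    [int] $MaxActivationHours = 8                     # assumed default activation window
)
$api     = "api-version=2020-10-01"
$scope   = "/subscriptions/$SubscriptionId"
$ownerId = (Get-AzRoleDefinition -Name "Owner").Id   # GUID of the built-in Owner role

# 1. Each role at a scope has a policy assignment that points at its policy; find Owner's.
$list = Invoke-AzRestMethod -Method GET -Path "$scope/providers/Microsoft.Authorization/roleManagementPolicyAssignments?$api"
if ($list.StatusCode -ne 200) { throw "Lookup failed ($($list.StatusCode)): $($list.Content)" }
$assignment = ($list.Content | ConvertFrom-Json).value |
    Where-Object { $_.properties.roleDefinitionId -like "*/roleDefinitions/$ownerId" } |
    Select-Object -First 1
if (-not $assignment) { throw "No PIM policy assignment for Owner at $scope" }
$policyId = $assignment.properties.policyId

# 2. Rules: MFA + justification on activation, a capped activation duration, e-mail to admins on
#    every activation, and e-mail to the user when they are made eligible.
$activation  = @{ caller = "EndUser"; operations = @("All"); level = "Assignment";
                  targetObjects = @(); inheritableSettings = @(); enforcedSettings = @() }
$eligibility = @{ caller = "Admin"; operations = @("All"); level = "Eligibility";
                  targetObjects = @(); inheritableSettings = @(); enforcedSettings = @() }
$rules = @(
    @{ ruleType = "RoleManagementPolicyEnablementRule"; id = "Enablement_EndUser_Assignment";
       enabledRules = @("MultiFactorAuthentication", "Justification"); target = $activation },
    @{ ruleType = "RoleManagementPolicyExpirationRule"; id = "Expiration_EndUser_Assignment";
       isExpirationRequired = $true; maximumDuration = "PT${MaxActivationHours}H"; target = $activation },
    @{ ruleType = "RoleManagementPolicyNotificationRule"; id = "Notification_Admin_EndUser_Assignment";
       notificationType = "Email"; recipientType = "Admin"; notificationLevel = "All";
       isDefaultRecipientsEnabled = $true; notificationRecipients = @(); target = $activation },
    @{ ruleType = "RoleManagementPolicyNotificationRule"; id = "Notification_Requestor_Admin_Eligibility";
       notificationType = "Email"; recipientType = "Requestor"; notificationLevel = "All";
       isDefaultRecipientsEnabled = $true; notificationRecipients = @(); target = $eligibility }
)
$body = @{ properties = @{ rules = $rules } } | ConvertTo-Json -Depth 10

# 3. PATCH only the rules above; the policy's other rules are left as they are.
$resp = Invoke-AzRestMethod -Method PATCH -Path "${policyId}?${api}" -Payload $body
if ($resp.StatusCode -ne 200) { throw "Update failed ($($resp.StatusCode)): $($resp.Content)" }
Write-Output "Updated PIM policy $policyId for Owner at $scope"
```

From the null_resource above, the script is then invoked as `powershell -ExecutionPolicy Bypass -File ${path.module}/PIMRole.ps1 -SubscriptionId <sub id>`, and a non-200 response from either call fails the apply instead of silently leaving the policy unchanged.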