chore: use user and group admin on au scope for replicator sp

Assigning custom role to the replicator on AU scope is not possible due to a bug in Azure

See hashicorp/terraform-provider-azuread#1546.

Therefore we need to assign User and Groups administrator built in roles. This only allows replicator to have admin permissions on the groups and users assigned to the AU.

For replicator to assign users to groups successfully, we therefore need User.Read.All on tenant level.

Author: malhussan

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.13.2]
+
+### Changed
+
+- Assign User.Read.All permission to replicator when using administrative units.
+- Assign replicator to User Administrator and Groups Administrator roles in administrative units scope.
+
 ## [v0.13.1]
 
 ### Changed

modules/meshcloud-replicator-service-principal/README.md

@@ -16,15 +16,18 @@ No modules.
 | Name | Type |
 |------|------|
 | [azuread_administrative_unit.meshcloud_replicator_au](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit) | resource |
+| [azuread_administrative_unit_role_member.groups_admin_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_role_member) | resource |
+| [azuread_administrative_unit_role_member.user_admin_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_role_member) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-administrativeunit](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-group](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-user](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.meshcloud_replicator-users_read_all](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_application.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
 | [azuread_application_federated_identity_credential.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_application_password.application_pw](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
-| [azuread_custom_directory_role.meshcloud_replicator_au_role](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/custom_directory_role) | resource |
-| [azuread_directory_role_assignment.meshcloud_replicator_au_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role_assignment) | resource |
+| [azuread_directory_role.groups_administrator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role) | resource |
+| [azuread_directory_role.user_administrator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role) | resource |
 | [azuread_service_principal.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azurerm_management_group_policy_assignment.privilege-escalation-prevention](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
 | [azurerm_policy_definition.privilege_escalation_prevention](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |

modules/meshcloud-replicator-service-principal/module.tf

@@ -232,6 +232,14 @@ resource "azuread_app_role_assignment" "meshcloud_replicator-administrativeunit"
   depends_on          = [azuread_application.meshcloud_replicator]
 }
 
+resource "azuread_app_role_assignment" "meshcloud_replicator-users_read_all" {
+  count               = var.administrative_unit_name == null ? 0 : 1
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+  principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
+  depends_on          = [azuread_application.meshcloud_replicator]
+}
+
 //---------------------------------------------------------------------------
 // Policy Definition for preventing the Application from assigning other privileges to itself
 // Assign it to the specified scope
@@ -311,35 +319,38 @@ resource "azuread_administrative_unit" "meshcloud_replicator_au" {
 }
 
 //--------------------------------------------------------------------------
-// Custom AU-scoped Role
+// AU Role Assignment for meshcloud_replicator
 //--------------------------------------------------------------------------
 
-resource "azuread_custom_directory_role" "meshcloud_replicator_au_role" {
+
+/*
+
+There is an issue when assigning the replicator a custom role in the AU scope, where the role is not found.
+
+See https://github.com/hashicorp/terraform-provider-azuread/issues/1546.
+
+For now we assign User Administrator and Groups Administrator roles as that is already restricted to the AU scope.
+*/
+resource "azuread_directory_role" "user_administrator" {
   count        = var.administrative_unit_name == null ? 0 : 1
-  display_name = "meshStack Replicator AU Role"
-  description  = "Custom role for meshStack replicator with limited User and Group permissions"
-  enabled      = true
-  version      = "1.0"
+  display_name = "User Administrator"
+}
 
-  # users permissions
-  permissions {
-    allowed_resource_actions = [
-      "microsoft.directory/users/standard/read",
-      "microsoft.directory/groups/standard/read",
-      "microsoft.directory/groups/create",
-      "microsoft.directory/groups/members/update",
-      "microsoft.directory/groups/members/read",
-      "microsoft.directory/groups/memberOf/read",
-    ]
-  }
+resource "azuread_directory_role" "groups_administrator" {
+  count        = var.administrative_unit_name == null ? 0 : 1
+  display_name = "Groups Administrator"
 }
 
-//--------------------------------------------------------------------------
-// AU Role Assignment for meshcloud_replicator
-//--------------------------------------------------------------------------
+resource "azuread_administrative_unit_role_member" "user_admin_assignment" {
+  count                         = var.administrative_unit_name == null ? 0 : 1
+  role_object_id                = azuread_directory_role.user_administrator[0].object_id
+  administrative_unit_object_id = azuread_administrative_unit.meshcloud_replicator_au[0].object_id
+  member_object_id              = azuread_service_principal.meshcloud_replicator.object_id
+}
 
-resource "azuread_directory_role_assignment" "meshcloud_replicator_au_assignment" {
-  count               = var.administrative_unit_name == null ? 0 : 1
-  role_id             = azuread_custom_directory_role.meshcloud_replicator_au_role[0].object_id
-  principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
+resource "azuread_administrative_unit_role_member" "groups_admin_assignment" {
+  count                         = var.administrative_unit_name == null ? 0 : 1
+  role_object_id                = azuread_directory_role.groups_administrator[0].object_id
+  administrative_unit_object_id = azuread_administrative_unit.meshcloud_replicator_au[0].object_id
+  member_object_id              = azuread_service_principal.meshcloud_replicator.object_id
 }