I am deploying a new App Registration via Terraform and then assigning a role in my Event Hub to that App Registration.
E.g. deploying the App Registration:
```hcl
data "azuread_client_config" "current" {}

# App role IDs must be stable UUIDs. uuid() is re-evaluated on every plan, so
# the roles would be rewritten on each apply; random_uuid is generated once
# and kept in state.
resource "random_uuid" "admin_role" {}
resource "random_uuid" "readonly_role" {}

resource "azuread_application" "eventhub_auth" {
  display_name     = "AppReg"
  sign_in_audience = "AzureADMyOrg"
  owners           = [data.azuread_client_config.current.object_id]

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = random_uuid.admin_role.result
    value                = "admin"
  }

  app_role {
    allowed_member_types = ["User"]
    description          = "ReadOnly roles have limited query access"
    display_name         = "ReadOnly"
    enabled              = true
    id                   = random_uuid.readonly_role.result
    value                = "User"
  }
}
```
Role Assignment:
```hcl
resource "azurerm_role_assignment" "receiver" {
  scope                = resource.azurerm_eventhub_namespace.hub.id
  role_definition_name = "Azure Event Hubs Data Receiver"
  principal_id         = # I have tried the Object_ID, Application_ID and the Tenant_ID here and all of them fail
}
```
Is there another ID/Service Principal somewhere that I am missing?
I managed to work this out. Working config is:
```hcl
# The service principal is the app registration's identity in this tenant;
# role assignments bind to it, not to the registration itself.
resource "azuread_service_principal" "eventhub" {
  application_id = azuread_application.eventhub_auth.application_id
}

resource "azurerm_role_assignment" "receiver" {
  scope                = resource.azurerm_eventhub_namespace.hub.id
  role_definition_name = "Azure Event Hubs Data Receiver"
  # For azuread_service_principal, .id is the service principal's object ID.
  principal_id         = azuread_service_principal.eventhub.id
}
```
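The reason the answer works is that an app registration and a service principal are two different directory objects with three different IDs that are easy to confuse: the application object ID (`azuread_application.*.object_id`), the application (client) ID (`azuread_application.*.application_id`), and the service principal object ID (`azuread_service_principal.*.object_id`, which is also what `.id` returns on that resource). Azure RBAC only accepts the last one as `principal_id`. The following is an added, self-contained example that is not part of the question or the answer above: it builds the whole chain end to end, scopes the assignment to a single event hub rather than the whole namespace, and exports all three IDs side by side so the difference is visible. The provider version pins, the resource group, namespace and event hub names, the `random_uuid` resources for the role IDs, and `app_role_assignment_required` are my assumptions, not settings from the original post.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    random  = { source = "hashicorp/random", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

data "azuread_client_config" "current" {}

# Stable app role IDs, generated once and kept in state (assumption: random_uuid
# instead of the uuid() function, which changes on every plan).
resource "random_uuid" "admin_role" {}
resource "random_uuid" "readonly_role" {}

# 1. The app registration: the tenant-wide definition of the application.
#    Its object_id identifies the *application* object, which RBAC does not accept.
resource "azuread_application" "eventhub_auth" {
  display_name     = "AppReg"
  sign_in_audience = "AzureADMyOrg"
  owners           = [data.azuread_client_config.current.object_id]

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = random_uuid.admin_role.result
    value                = "admin"
  }

  app_role {
    allowed_member_types = ["User"]
    description          = "ReadOnly roles have limited query access"
    display_name         = "ReadOnly"
    enabled              = true
    id                   = random_uuid.readonly_role.result
    value                = "User"
  }
}

# 2. The service principal: the application's identity inside this tenant.
#    Azure RBAC role assignments bind to this object.
resource "azuread_service_principal" "eventhub" {
  application_id               = azuread_application.eventhub_auth.application_id
  app_role_assignment_required = true # assumption: only explicitly assigned principals may sign in
  owners                       = [data.azuread_client_config.current.object_id]
}

# 3. The protected resources. All names and the location are placeholders.
resource "azurerm_resource_group" "rg" {
  name     = "rg-eventhub-example"
  location = "westeurope"
}

resource "azurerm_eventhub_namespace" "hub" {
  name                = "ehns-example-placeholder"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"
}

resource "azurerm_eventhub" "events" {
  name                = "events"
  namespace_name      = azurerm_eventhub_namespace.hub.name
  resource_group_name = azurerm_resource_group.rg.name
  partition_count     = 2
  message_retention   = 1
}

# 4. The role assignment, scoped to the single event hub rather than the whole
#    namespace so the principal can only receive from this one stream.
resource "azurerm_role_assignment" "receiver" {
  scope                = azurerm_eventhub.events.id
  role_definition_name = "Azure Event Hubs Data Receiver"
  principal_id         = azuread_service_principal.eventhub.object_id
  # The service principal is created in the same apply; this skips the directory
  # check that can fail because of replication lag right after creation.
  skip_service_principal_aad_check = true
}

# The three IDs that get mixed up. Only the last one is a valid principal_id.
output "identity_ids" {
  value = {
    application_object_id       = azuread_application.eventhub_auth.object_id
    application_client_id       = azuread_application.eventhub_auth.application_id
    service_principal_object_id = azuread_service_principal.eventhub.object_id
  }
}
```

After `terraform apply`, `terraform output identity_ids` shows the three values, and `az role assignment list --scope <event hub id> --assignee <service_principal_object_id>` should return the single Data Receiver assignment. Keeping the scope at the event hub rather than the namespace means a leaked client secret for this registration only exposes one stream, and `app_role_assignment_required` keeps the registration's own app roles from being usable by anyone who has not been explicitly assigned to them.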