Tags: azure, terraform, pim

Azure PIM Role Settings for Owner role


Trying to set Azure PIM role settings for the Owner role via Terraform, including Azure MFA, activation hours, and also sending notifications when eligible to activate this role, via the local_exec provider in Terraform.

I tried this one:

    resource "azurerm_role_assignment" "pim_subscription_owner" {
      scope              = "/subscriptions/<sub id>"
      role_definition_id = "/subscriptions/<sub id>/providers/Microsoft.Authorization/roleDefinitions/<role definition id>"
      principal_id       = "<principal_id>"
      lifecycle {
        ignore_changes = [
          role_definition_id,
          principal_id
        ]
      }
    }

    resource "azurerm_role_assignment" "mfa_role_assignment" {
      scope              = azurerm_role_assignment.pim_subscription_owner.scope
      # a role definition GUID must be appended for this to resolve
      role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/"
      principal_id       = azurerm_role_assignment.pim_subscription_owner.principal_id
      # Terraform's provisioner is named local-exec, and a resource cannot refer to
      # itself by address inside its own provisioner; use self instead
      provisioner "local-exec" {
        command     = <<-EOT
          az ad sp mfa set --id ${self.principal_id} --auth-type MFA
        EOT
        interpreter = ["bash", "-c"]
      }
    }

Solution

  • Azure PIM Role Settings for Owner role

    There is no direct way via Terraform to update the Azure PIM role settings, but you can use a PowerShell script inside Terraform by using null_resource.

    Here is the PowerShell script that updates the PIM role settings, such as justification and MFA requirement on activation.

    PIMRole.ps1

        # Requires the Microsoft.Graph.Identity.Governance module; sign in with a scope
        # that is allowed to write role management policies
        Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

        # Placeholder: id of the unifiedRoleManagementPolicy that governs the target role
        $unifiedRoleManagementPolicyId = "<policy id>"
        # The rule updated below is the end-user activation (enablement) rule
        $unifiedRoleManagementPolicyRuleId = "Enablement_EndUser_Assignment"

        $params = @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            id = "Enablement_EndUser_Assignment"
            # conditions the activating user must satisfy
            enabledRules = @(
                "Justification"
                "MultiFactorAuthentication"
                "Ticketing"
            )
            target = @{
                "@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
                caller = "EndUser"
                operations = @(
                    "All"
                )
                level = "Assignment"
                inheritableSettings = @(
                )
                enforcedSettings = @(
                )
            }
        }

        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params
    

    Terraform file

    Please ensure that the PowerShell script is in the same folder as the Terraform code before executing it.

    provider "azurerm" {
      features {}
    }

    resource "null_resource" "Powershell_script" {
      provisioner "local-exec" {
        command = <<-EOT
          powershell -ExecutionPolicy Bypass -File ${path.module}/PIMRole.ps1
        EOT
      }
    }
    

    Reference: Update the justification, MFA, and ticketing rules required on activation

    Get-AzureADMSPrivilegedRoleSetting
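As an added example (not part of the original answer, and not code from the project or cmdlet documentation it references), the script below extends the answer's Update-MgPolicyRoleManagementPolicyRule approach to the other two settings the question asks for: the maximum activation duration (the expiration rule) and e-mail to administrators on activation (the notification rule). It also re-reads the enablement rule afterwards and exits non-zero if MultiFactorAuthentication is not among the enabled rules, so a Terraform apply that runs it through local-exec fails instead of silently leaving the role without MFA. The role definition id, mailbox and duration are placeholders; reading enabledRules from AdditionalProperties is an assumption about how the Graph PowerShell SDK surfaces properties of derived rule types. The policy is resolved at the DirectoryRole scope that these Graph cmdlets operate on; settings for an Azure RBAC role at subscription scope, as in the question, live in the ARM roleManagementPolicies API instead, so the lookup step would differ there.

```powershell
# Added example; assumes Microsoft.Graph.Identity.Governance is installed and the
# caller may write role management policies. Replace every <...> placeholder.
param(
    # GUID of the directory role whose PIM activation settings are changed
    [string] $RoleDefinitionId = "<role definition id>",
    # Longest permitted activation, ISO 8601 duration (PT8H = eight hours)
    [string] $MaxActivationDuration = "PT8H",
    # Mailbox that should be told about every activation
    [string] $AdminMailbox = "<security-ops mailbox>"
)

Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

# 1. Find the policy that governs this role at directory scope.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleDefinitionId'"
if (-not $assignment) { throw "No role management policy assignment found for role $RoleDefinitionId" }
$policyId = $assignment.PolicyId

# 2. Record the current activation rule so the change is auditable and reversible.
$before = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment"
# Assumption: the SDK exposes derived-type properties such as enabledRules here
Write-Host "Enablement rules before: $(@($before.AdditionalProperties['enabledRules']) -join ', ')"

# All three rules apply to the same situation: an end user activating an assignment.
$target = @{
    "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# 3a. Require MFA and a justification on activation.
$enablement = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("Justification", "MultiFactorAuthentication")
    target        = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter $enablement

# 3b. Cap how long an activation lasts (the "activation hours" setting).
$expiration = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = $MaxActivationDuration
    target               = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $expiration

# 3c. E-mail administrators on every activation, not only critical ones.
$notification = @{
    "@odata.type"              = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
    id                         = "Notification_Admin_EndUser_Assignment"
    notificationType           = "Email"
    recipientType              = "Admin"
    notificationLevel          = "All"
    isDefaultRecipientsEnabled = $true
    notificationRecipients     = @($AdminMailbox)
    target                     = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Notification_Admin_EndUser_Assignment" -BodyParameter $notification

# 4. Verify the write took effect; a non-zero exit makes a local-exec provisioner fail the apply.
$after = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment"
$enabled = @($after.AdditionalProperties['enabledRules'])
if ($enabled -notcontains "MultiFactorAuthentication") {
    Write-Error "MFA is still not enforced on activation for role $RoleDefinitionId"
    exit 1
}
Write-Host "Enablement rules after: $($enabled -join ', ')"
```

From the null_resource in the answer it can be invoked as `powershell -ExecutionPolicy Bypass -File ${path.module}/PIMRole.ps1 -RoleDefinitionId <role definition id>`; because the script exits with 1 when the post-write check fails, Terraform reports the apply as failed rather than recording a successful run. Reading the rule back before and after the write gives a record of the previous setting and a direct check that the control is in force, which is worth more than trusting that the update call returned without error.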