diff --git a/azuread/data_application.go b/azuread/data_application.go index 6ef2267e4d..fa31a49e2a 100644 --- a/azuread/data_application.go +++ b/azuread/data_application.go @@ -7,6 +7,7 @@ import ( "github.com/hashicorp/terraform/helper/schema" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar" + "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/tf" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate" ) @@ -109,54 +110,7 @@ func dataApplication() *schema.Resource { }, }, - "oauth2_permissions": { - Type: schema.TypeList, - Optional: true, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), }, } } @@ -243,7 +197,7 @@ func dataApplicationRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting `group_membership_claims`: %+v", err) } - if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil { + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } 
diff --git a/azuread/data_service_principal.go b/azuread/data_service_principal.go
index e9b8afa860..e5ba8de774 100644
--- a/azuread/data_service_principal.go
+++ b/azuread/data_service_principal.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar"
+	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph"
 	"github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate"
 
 	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
@@ -38,6 +39,8 @@ func dataServicePrincipal() *schema.Resource {
 				ValidateFunc:  validate.UUID,
 				ConflictsWith: []string{"object_id", "display_name"},
 			},
+
+			"oauth2_permissions": graph.SchemaOauth2Permissions(),
 		},
 	}
 }
@@ -126,5 +129,9 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
 	d.Set("display_name", sp.DisplayName)
 	d.Set("object_id", sp.ObjectID)
 
+	if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(sp.Oauth2Permissions)); err != nil {
+		return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err)
+	}
+
 	return nil
 }
diff --git a/azuread/data_service_principal_test.go b/azuread/data_service_principal_test.go
index f0a166d287..bf2a31afd8 100644
--- a/azuread/data_service_principal_test.go
+++ b/azuread/data_service_principal_test.go
@@ -24,6 +24,8 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) {
 					resource.TestCheckResourceAttrSet(dataSourceName, "application_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "object_id"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "display_name"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))),
 				),
 			},
 		},
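Review bot: The new `d.Set("oauth2_permissions", ...)` in dataSourceActiveDirectoryServicePrincipalRead checks its error, but the two `d.Set` calls immediately above it (`display_name`, `object_id`) still discard theirs, so a state-write failure on those fields goes unnoticed while the one on the new field aborts the read. Since this hunk is already adding error handling at that spot, bring the neighbours in line, e.g. `if err := d.Set("display_name", sp.DisplayName); err != nil { return fmt.Errorf("Error setting `display_name`: %+v", err) }` and the same for `object_id`. The enclosing function starts outside the hunk, so earlier `d.Set` calls in it may need the same treatment.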
diff --git a/azuread/helpers/graph/application.go b/azuread/helpers/graph/application.go
new file mode 100644
index 0000000000..12f5f2dff5
--- /dev/null
+++ b/azuread/helpers/graph/application.go
@@ -0,0 +1,96 @@
+package graph
+
+import (
+	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func SchemaOauth2Permissions() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeList,
+		Optional: true,
+		Computed: true,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"admin_consent_description": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"admin_consent_display_name": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"id": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"is_enabled": {
+					Type:     schema.TypeBool,
+					Computed: true,
+				},
+
+				"type": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"user_consent_description": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"user_consent_display_name": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+
+				"value": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+			},
+		},
+	}
+}
+
+func FlattenOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} {
+	if in == nil {
+		return []map[string]interface{}{}
+	}
+
+	result := make([]map[string]interface{}, 0)
+	for _, p := range *in {
+		permission := make(map[string]interface{})
+		if v := p.AdminConsentDescription; v != nil {
+			permission["admin_consent_description"] = v
+		}
+		if v := p.AdminConsentDisplayName; v != nil {
+			permission["admin_consent_display_name"] = v
+		}
+		if v := p.ID; v != nil {
+			permission["id"] = v
+		}
+		if v := p.IsEnabled; v != nil {
+			permission["is_enabled"] = *v
+		}
+		if v := p.Type; v != nil {
+			permission["type"] = v
+		}
+		if v := p.UserConsentDescription; v != nil {
+			permission["user_consent_description"] = v
+		}
+		if v := p.UserConsentDisplayName; v != nil {
+			permission["user_consent_display_name"] = v
+		}
+		if v := p.Value; v != nil {
+			permission["value"] = v
+		}
+
+		result = append(result, permission)
+	}
+
+	return result
+}
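Review bot: Both exported functions in the new graph package land without doc comments, and the shared schema's `Optional: true` is the kind of thing a caller needs explained, since every nested field is `Computed` only and the helper offers no writer. I would add `// SchemaOauth2Permissions returns the schema shared by the application and service principal resources/data sources for the OAuth 2.0 permission scopes an application exposes; it is populated from the Graph API on read and is not written back.` above the first function, and `// FlattenOauth2Permissions converts the Graph API permission list into the form d.Set expects; a nil input yields an empty, non-nil list.` above the second. As a style point, the string fields are stored as `*string` while `is_enabled` is dereferenced to `bool`; storing `*v` for all of them would make the helper independent of the SDK's pointer handling in `d.Set`, though the current form is what the removed code also did.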
diff --git a/azuread/resource_application.go b/azuread/resource_application.go index d0fd8c3d2a..947f30b73f 100644 --- a/azuread/resource_application.go +++ b/azuread/resource_application.go @@ -130,53 +130,7 @@ func resourceApplication() *schema.Resource { }, }, - "oauth2_permissions": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), "object_id": { Type: schema.TypeString, @@ -366,7 +320,7 @@ func resourceApplicationRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting `required_resource_access`: %+v", err) } - if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil { + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } 
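Review bot: The schema this hunk removes from resourceApplication was `Computed: true` only, but its replacement `graph.SchemaOauth2Permissions()` is `Optional: true, Computed: true`, so `oauth2_permissions` on azuread_application silently becomes user-settable even though the only place this diff touches it is the `d.Set` in Read. A practitioner who writes `oauth2_permissions` blocks expecting to pin the scopes their app exposes for consent gets no enforcement: plan accepts the config, nothing visible here sends it to the Graph API, and the scopes actually offered at consent time stay whatever the directory holds. Unless a create/update path outside this diff consumes the attribute, drop `Optional: true,` from the helper (the data sources only ever read it too), or give the resources a Computed-only variant; the `@@ -366,7 +320,7` hunk is part of resourceApplicationRead, which starts and ends outside the view.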
@@ -478,42 +432,3 @@ func flattenADApplicationResourceAccess(in *[]graphrbac.ResourceAccess) []interf return accesses } - -func flattenADApplicationOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} { - if in == nil { - return []map[string]interface{}{} - } - - result := make([]map[string]interface{}, 0) - for _, p := range *in { - permission := make(map[string]interface{}) - if v := p.AdminConsentDescription; v != nil { - permission["admin_consent_description"] = v - } - if v := p.AdminConsentDisplayName; v != nil { - permission["admin_consent_display_name"] = v - } - if v := p.ID; v != nil { - permission["id"] = v - } - if v := p.IsEnabled; v != nil { - permission["is_enabled"] = *v - } - if v := p.Type; v != nil { - permission["type"] = v - } - if v := p.UserConsentDescription; v != nil { - permission["user_consent_description"] = v - } - if v := p.UserConsentDisplayName; v != nil { - permission["user_consent_display_name"] = v - } - if v := p.Value; v != nil { - permission["value"] = v - } - - result = append(result, permission) - } - - return result -} diff --git a/azuread/resource_service_principal.go b/azuread/resource_service_principal.go index b3cd008fb8..44b50a381d 100644 --- a/azuread/resource_service_principal.go +++ b/azuread/resource_service_principal.go @@ -39,6 +39,8 @@ func resourceServicePrincipal() *schema.Resource { Computed: true, }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), + "object_id": { Type: schema.TypeString, Computed: true, @@ -116,6 +118,10 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro return fmt.Errorf("Error setting `tags`: %+v", err) } + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { + return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) + } + return nil } 
diff --git a/azuread/resource_service_principal_test.go b/azuread/resource_service_principal_test.go
index 32cbba8381..d498557593 100644
--- a/azuread/resource_service_principal_test.go
+++ b/azuread/resource_service_principal_test.go
@@ -26,6 +26,8 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) {
 					testCheckADServicePrincipalExists(resourceName),
 					resource.TestCheckResourceAttrSet(resourceName, "display_name"),
 					resource.TestCheckResourceAttrSet(resourceName, "application_id"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))),
 					resource.TestCheckResourceAttrSet(resourceName, "object_id"),
 				),
 			},
diff --git a/website/docs/d/service_principal.html.markdown b/website/docs/d/service_principal.html.markdown
index c11ba4f923..0311777ab1 100644
--- a/website/docs/d/service_principal.html.markdown
+++ b/website/docs/d/service_principal.html.markdown
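Review bot: The expected-description check in TestAccAzureADServicePrincipal_basic nests one `fmt.Sprintf` inside another where a single format string reads more directly: `fmt.Sprintf("Allow the application to access acctestspa%s on behalf of the signed-in user.", id)`. The same nested form appears in the data source test in this commit and would benefit from the same change. Note that the asserted text and the `oauth2_permissions.# == 1` count both depend on the directory generating a default scope for a freshly created application; a short comment naming that assumption, e.g. `// relies on the default user_impersonation scope Azure AD creates for new applications -- confirm`, would explain the failure mode if the tenant behaviour changes.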
@@ -49,8 +49,30 @@ The following arguments are supported: -> **NOTE:** At least one of `application_id`, `display_name` or `object_id` must be specified. +* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below. + ## Attributes Reference The following attributes are exported: * `id` - The Object ID for the Service Principal. + +--- + +`oauth2_permission` block exports the following: + +* `id` - The unique identifier for one of the `OAuth2Permission` + +* `type` - The type of the permission + +* `admin_consent_description` - The description of the admin consent + +* `admin_consent_display_name` - The display name of the admin consent + +* `is_enabled` - Is this permission enabled? + +* `user_consent_description` - The description of the user consent + +* `user_consent_display_name` - The display name of the user consent + +* `value` - The name of this permission diff --git a/website/docs/r/service_principal.html.markdown b/website/docs/r/service_principal.html.markdown index a41b3cee52..3f1dcefd3a 100644 --- a/website/docs/r/service_principal.html.markdown +++ b/website/docs/r/service_principal.html.markdown 
@@ -52,6 +52,28 @@ The following attributes are exported: * `display_name` - The Display Name of the Azure Active Directory Application associated with this Service Principal. +* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below. + +--- + +`oauth2_permission` block exports the following: + +* `id` - The unique identifier for one of the `OAuth2Permission`. + +* `type` - The type of the permission. + +* `admin_consent_description` - The description of the admin consent. + +* `admin_consent_display_name` - The display name of the admin consent. + +* `is_enabled` - Is this permission enabled? + +* `user_consent_description` - The description of the user consent. + +* `user_consent_display_name` - The display name of the user consent. + +* `value` - The name of this permission. + ## Import Azure Active Directory Service Principals can be imported using the `object id`, e.g.