Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
`azuread_synchronization_job_provision_on_demand` currently supports either group or user provisioning on demand, but it doesn't support provisioning linked users together with groups, which you can do through the UI or az API calls.
For example:
```hcl
resource "azuread_synchronization_job_provision_on_demand" "example" {
  service_principal_id   = azuread_synchronization_job.example.service_principal_id
  synchronization_job_id = azuread_synchronization_job.example.id

  parameter {
    # see specific synchronization schema for rule id https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationschema-get?view=graph-rest-beta
    rule_id = ""

    subject {
      object_id        = azuread_group.example.object_id
      object_type_name = "Group"
    }
  }
}
```

This immediately provisions the group but not the users within the group, and you will have to wait somewhere between 0-40 minutes for the next sync cycle to pick up this group and sync its members.
Whereas if I use something like this:
```hcl
locals {
  # Request body for the Graph provisionOnDemand call: the group subject plus
  # each of its members as a linked "User" subject
  provision_body = jsonencode({
    parameters = [{
      ruleId = var.github_sync_rule_id
      subjects = [{
        objectId       = var.group_id
        objectTypeName = "Group"
        links = {
          members = [
            for member_id in data.azuread_group.example.members : {
              objectId       = member_id
              objectTypeName = "User"
            }
          ]
        }
      }]
    }]
  })
}

data "azuread_group" "example" {
  include_transitive_members = true
  object_id                  = var.group_id
  security_enabled           = true
}

resource "null_resource" "provision_group_with_members" {
  # Re-run whenever the group or its membership changes
  triggers = {
    group_id = var.group_id
    members  = join(",", data.azuread_group.example.members)
  }

  provisioner "local-exec" {
    command = "az rest --method POST --uri \"$GRAPH_URI\" --headers \"Content-Type=application/json\" --body \"$BODY\""

    environment = {
      # local.sync_synchronization_job_id is assumed to be defined elsewhere and to
      # hold the path /servicePrincipals/{id}/synchronization/jobs/{jobId}
      GRAPH_URI = "https://graph.microsoft.com/beta${local.sync_synchronization_job_id}/provisionOnDemand"
      BODY      = local.provision_body
    }
  }
}
```

I can provision the group with its members.
It would be great if we could have the ability to define a member link for the groups in `azuread_synchronization_job_provision_on_demand`.
New or Affected Resource(s)
Synced groups to the federated apps.
- azuread_3.7.0
Potential Terraform Configuration
A `sync_linked_resources` option that takes a boolean value would be great. When `object_type_name` is set to `Group` and `sync_linked_resources` is set to `true`, Terraform can change the payload to include the linked member resources for provisioning on demand.

```hcl
resource "azuread_synchronization_job_provision_on_demand" "example" {
  service_principal_id   = azuread_synchronization_job.example.service_principal_id
  synchronization_job_id = azuread_synchronization_job.example.id

  parameter {
    # see specific synchronization schema for rule id https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationschema-get?view=graph-rest-beta
    rule_id = ""

    subject {
      object_id             = azuread_group.example.object_id
      object_type_name      = "Group"
      sync_linked_resources = true # <-------- proposed boolean argument: something like this that will fetch the members when object_type_name is set to "Group"
    }
  }
}
```
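To make the proposed behaviour concrete, here is an added Go example (not code from the issue or from the azuread provider) that builds the provisionOnDemand request body in the shape shown above: a single Group subject, and, when the new flag is set, each member id attached under `links.members` as a `User` subject. The struct and function names, and the rule that linked resources are refused for non-Group subjects, are assumptions for this example; the JSON field names (`parameters`, `ruleId`, `subjects`, `objectId`, `objectTypeName`, `links`, `members`) follow the Graph beta payload used in the `az rest` call.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// These types mirror the provisionOnDemand request body. The Go type names are
// assumptions for this example; the JSON field names follow the Graph beta payload.
type provisionSubject struct {
	ObjectID       string        `json:"objectId"`
	ObjectTypeName string        `json:"objectTypeName"`
	Links          *subjectLinks `json:"links,omitempty"` // omitted when no linked objects are sent
}

type subjectLinks struct {
	Members []provisionSubject `json:"members"`
}

type provisionParameter struct {
	RuleID   string             `json:"ruleId"`
	Subjects []provisionSubject `json:"subjects"`
}

type provisionBody struct {
	Parameters []provisionParameter `json:"parameters"`
}

// BuildProvisionOnDemandBody returns the JSON body for one subject. When
// syncLinked is true (the proposed sync_linked_resources flag) and the subject
// is a Group, every member id is added as a linked User subject so the group
// and its members are provisioned in the same call.
func BuildProvisionOnDemandBody(ruleID, objectID, objectTypeName string, syncLinked bool, memberIDs []string) ([]byte, error) {
	if syncLinked && objectTypeName != "Group" {
		// Assumed validation: the flag only makes sense for groups.
		return nil, fmt.Errorf("sync_linked_resources requires object_type_name Group, got %q", objectTypeName)
	}
	subject := provisionSubject{ObjectID: objectID, ObjectTypeName: objectTypeName}
	if syncLinked {
		links := &subjectLinks{Members: make([]provisionSubject, 0, len(memberIDs))}
		for _, id := range memberIDs {
			links.Members = append(links.Members, provisionSubject{ObjectID: id, ObjectTypeName: "User"})
		}
		subject.Links = links
	}
	body := provisionBody{Parameters: []provisionParameter{{
		RuleID:   ruleID,
		Subjects: []provisionSubject{subject},
	}}}
	return json.Marshal(body)
}

// CountLinkedMembers decodes a body and reports how many linked members the
// first subject carries, which is a cheap way to inspect what would be sent.
func CountLinkedMembers(body []byte) (int, error) {
	var b provisionBody
	if err := json.Unmarshal(body, &b); err != nil {
		return 0, err
	}
	if len(b.Parameters) == 0 || len(b.Parameters[0].Subjects) == 0 {
		return 0, fmt.Errorf("body contains no subjects")
	}
	s := b.Parameters[0].Subjects[0]
	if s.Links == nil {
		return 0, nil
	}
	return len(s.Links.Members), nil
}

func main() {
	// Constructed sample ids; not real tenant objects.
	members := []string{
		"00000000-0000-0000-0000-000000000001",
		"00000000-0000-0000-0000-000000000002",
	}
	body, err := BuildProvisionOnDemandBody("RULE-ID-PLACEHOLDER", "00000000-0000-0000-0000-0000000000aa", "Group", true, members)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

With the flag off the body is identical to what the existing resource sends (no `links` key at all), so the change is additive and only affects Group subjects that opt in.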