Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Managing JIT Eligibility for Subscription-Level Roles via PIM in Terraform #1564

Open
mariekekortsmit opened this issue Nov 6, 2024 · 1 comment
Open

Managing JIT Eligibility for Subscription-Level Roles via PIM in Terraform #1564

mariekekortsmit opened this issue Nov 6, 2024 · 1 comment

Comments

@mariekekortsmit
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, there is no native support in the Terraform Azure Provider for managing Just-in-Time (JIT) access to subscription-level roles (e.g., Owner, Contributor, etc.) through Privileged Identity Management (PIM). These roles are critical for managing Azure resources and can pose significant security risks if assigned permanently without appropriate controls.

This feature request proposes adding support for managing JIT eligibility of subscription-level roles via PIM, allowing users to be made eligible for specific roles at the subscription or resource group level. Activation would then be possible by azurerm_pim_active_role_assignment.

By implementing this feature, organizations would be able to automate the assignment of eligible roles to users (e.g., Owner, Contributor) within Azure subscriptions and resource groups, and enforce a temporary activation process for those roles to minimize the risk of excessive privileges and improve security. Currently a role assignment can be given, via azurerm_role_assignment, however, for security reasons it would be better to prevent granting privileges permanently.

New or Affected Resource(s)

  • azurerm_pim_eligible_role_assignment

Potential Terraform Configuration

resource "azurerm_pim_eligible_role_assignment" "example" {
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.example.id}"
  principal_id       = data.azurerm_client_config.example.object_id
}
@ngrande
Copy link

ngrande commented Nov 26, 2024

Hi,

Actuall you can use the Azure provider for this: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/pim_eligible_role_assignment

Since the Azure AD provider is only for Entra / Azure AD i think the PIM role management for resources is out of scope and better handled in the Azure RM provider.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ngrande @mariekekortsmit