Tags: azure, terraform, entra

How to get the principal_id from azuread_users data source using for each [Azure Entra] [Terraform]


I'm trying to set PIM for Entra groups using terraform.

variable "entra_groups" {
  description = "entra groups"
  type = map(object({
    display_name           = string
    security_enabled       = bool
    assignable_to_role     = bool
    security_group_owners  = list(string)
    security_group_members = list(string)
    assignment_type        = string
    # duration               = string
    users_pim = list(string)
  }))
  default = {}
}
resource "azuread_group" "group" {
  for_each           = var.entra_groups
  display_name       = each.value["display_name"]
  owners             = concat(data.azuread_users.group-owners[each.key].object_ids, [data.azuread_client_config.current.object_id])
  members            = data.azuread_service_principals.group-members[each.key].object_ids
  security_enabled   = each.value["security_enabled"]
  assignable_to_role = each.value["assignable_to_role"]
}

data "azuread_users" "group-owners" {
  for_each             = var.entra_groups
  user_principal_names = each.value["security_group_owners"]
  ignore_missing       = true
}

data "azuread_service_principals" "group-members" {
  for_each   = var.entra_groups
  object_ids = each.value["security_group_members"]
}

data "azuread_users" "group-members-users" {
  for_each             = var.entra_groups
  user_principal_names = each.value.users_pim
  #ignore_missing       = true
}

resource "azuread_privileged_access_group_assignment_schedule" "active-pim-assignment" {
  for_each = var.entra_groups

  group_id        = azuread_group.group[each.key].object_id
  principal_id    = data.azuread_users.group-members-users[each.key].object_id
  assignment_type = each.value["assignment_type"]
  duration        = "P180D"
  justification   = "as requested"
  # start_date      = "2025-03-06T01:02:03Z"
  # expiration_date = "2025-08-01T01:02:03Z"
}

Inputs

entra_grd_irc_groups = {
  group_01 = {
    display_name           = "test-grp"
    description            = "test"
    security_enabled       = true
    assignable_to_role     = true
    security_group_owners  = []
    security_group_members = []
    assignment_type        = "member"
    # duration               = "P364D"
    users_pim              = ["abc@ms.com"]
  }
}

I get the below error

╷
│ Error: Incorrect attribute value type
│
│   on .terraform/modules/entra/groups/main.tf line 35, in resource "azuread_privileged_access_group_assignment_schedule" "group-pim-assignment":
│   35:   principal_id    = data.azuread_users.group-members-users[each.key]
│     ├────────────────
│     │ data.azuread_users.group-members-users is object with 1 attributes
│     │ each.key is "group_01"
│
│ Inappropriate value for attribute "principal_id": string required.
╵


Solution

  • Getting the principal_id from the azuread_users data source using for_each in Terraform

    From the error description "Inappropriate value for attribute principal_id", it seems the principal ID in the resource "azuread_privileged_access_group_assignment_schedule" is being fetched as a list of objects rather than as a single string.

    The principal ID always needs a single string, not a list, and since the reverse is happening (data.azuread_users.group-members-users[each.key].object_ids returns a list), you need to extract the first element.

    Now change the principal ID in the resource block so that the first element is extracted using [0].

    Demo configuration:

    resource "azuread_group" "group" {
      for_each           = var.entra_groups
      display_name       = each.value.display_name
      owners             = concat(data.azuread_users.group-owners[each.key].object_ids, [data.azuread_client_config.current.object_id])
      members            = data.azuread_service_principals.group-members[each.key].object_ids
      security_enabled   = each.value.security_enabled
      assignable_to_role = each.value.assignable_to_role
    }
    
    
    data "azuread_users" "group-owners" {
      for_each             = var.entra_groups
      user_principal_names = each.value.security_group_owners
      ignore_missing       = true
    }
    
    
    data "azuread_service_principals" "group-members" {
      for_each   = var.entra_groups
      object_ids = each.value.security_group_members
    }
    
    
    data "azuread_users" "group-members-users" {
      for_each             = var.entra_groups
      user_principal_names = each.value.users_pim
    }
    
    
    resource "azuread_privileged_access_group_assignment_schedule" "active-pim-assignment" {
      for_each = var.entra_groups
    
      group_id        = azuread_group.group[each.key].object_id
      principal_id    = data.azuread_users.group-members-users[each.key].object_ids[0]
      assignment_type = each.value.assignment_type
      duration        = "P180D"
      justification   = "As requested"
    }
    

    Deployment: [screenshot of the apply output, not reproduced]

    Refer:

    https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_assignment_schedule

    https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users
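The accepted fix with object_ids[0] only ever schedules the first entry of users_pim, so any further users in that list silently get no PIM assignment. The following is an added example (not code from the question or the answer) that flattens groups and users into one map and creates one assignment per user; it assumes the same var.entra_groups shape and the azuread_group.group resource shown above, and uses the singular azuread_user data source so a mistyped UPN fails the plan instead of being dropped by ignore_missing.

```hcl
# Added example: one PIM assignment per user listed in users_pim.
locals {
  # Flatten groups x users into a map keyed "group_key/upn" for for_each.
  # merge([...]...) with no groups yields an empty map, so a default of {} still works.
  pim_assignments = merge([
    for group_key, group in var.entra_groups : {
      for upn in group.users_pim :
      "${group_key}/${upn}" => {
        group_key       = group_key
        upn             = upn
        assignment_type = group.assignment_type
      }
    }
  ]...)
}

# Resolve each UPN on its own; an unknown UPN is a hard error here, unlike
# the plural azuread_users data source with ignore_missing = true.
data "azuread_user" "pim_member" {
  for_each            = local.pim_assignments
  user_principal_name = each.value.upn
}

resource "azuread_privileged_access_group_assignment_schedule" "pim" {
  for_each = local.pim_assignments

  group_id        = azuread_group.group[each.value.group_key].object_id
  principal_id    = data.azuread_user.pim_member[each.key].object_id
  assignment_type = each.value.assignment_type
  duration        = "P180D"
  justification   = "As requested"

  lifecycle {
    # Catch a bad assignment_type in the input map at plan time.
    precondition {
      condition     = contains(["member", "owner"], each.value.assignment_type)
      error_message = "assignment_type must be \"member\" or \"owner\"."
    }
  }
}
```

Removing a UPN from users_pim then destroys exactly that user's schedule on the next apply, because the map key carries the UPN rather than a list index.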