Feature/entra id groups #195
Scorecard Check

📊 meshstack-hub Module Scorecard

📋 Per-Module Category Summary (score per category per building block):

- Core Structure — ✅ all passing: basic module file structure and documentation (applies to 1 module)
- Integration — ✅ all passing: meshstack_integration.tf conventions (applies to 1 module)
- Azure Backplane — ✅ all passing: Azure UAMI-based automation principal conventions (applies to 1 module)
- Testing — some checks failing: end-to-end test coverage (applies to 1 module)
📋 This PR has been linked to the [Feature Shipping Tracker: Self-service Entra SSO (CU-86c7t51na)] (meshcloud/janny#736). It addresses DoD item 6 (Reference Examples and Implementations Updated) — adding a hub reference example for Entra ID groups setup via the meshObject API.
| @@ -0,0 +1,44 @@ | |||
| resource "azurerm_resource_group" "backplane" { | |||
f:
| resource "azurerm_resource_group" "backplane" { | |
| resource "azurerm_resource_group" "this" { |
I wouldn't name it twice; because of the module, the resource address already has the word backplane in it.
| location = var.location | ||
| } | ||
|
|
||
| resource "azurerm_user_assigned_identity" "backplane" { |
| resource "azurerm_user_assigned_identity" "backplane" { | |
| resource "azurerm_user_assigned_identity" "this" { |
| resource_group_name = azurerm_resource_group.backplane.name | ||
| } | ||
|
|
||
| resource "azurerm_federated_identity_credential" "backplane" { |
| resource "azurerm_federated_identity_credential" "backplane" { | |
| resource "azurerm_federated_identity_credential" "this" { |
| - **Resource Group** — hosts the UAMI in the configured Azure region. | ||
| - **User-Assigned Managed Identity (UAMI)** — the automation principal that runs the building block. No client secrets. |
f: just swap to have the acronym UAMI well defined:
| - **Resource Group** — hosts the UAMI in the configured Azure region. | |
| - **User-Assigned Managed Identity (UAMI)** — the automation principal that runs the building block. No client secrets. | |
| - **User-Assigned Managed Identity (UAMI)** — the automation principal that runs the building block. No client secrets. | |
| - **Resource Group** — hosts the UAMI in the configured Azure region. |
|
|
||
| ## Operational notes | ||
|
|
||
| - The UAMI principal ID maps to a service principal in Entra. The `User.Read.All`, `Group.ReadWrite.All`, and `AdministrativeUnit.ReadWrite.All` app role assignments require **admin consent** — ensure a Global Administrator or Privileged Role Administrator approves the assignments in the Entra portal after the first `apply`. |
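Review bot: `User.Read.All`, `Group.ReadWrite.All` and `AdministrativeUnit.ReadWrite.All` are tenant-wide Microsoft Graph application permissions, so this operational note should say what the building block uses each one for (in particular why write access to all groups and all administrative units is needed rather than a narrower permission), giving the Global Administrator or Privileged Role Administrator who consents something concrete to evaluate. It should also state that the consent persists until the app role assignments are removed, so decommissioning the backplane must include revoking them.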
d: I remember having this admin consent thing automated in the past, as this can become really annoying as admins need to approve stuff. Maybe worthwhile to discuss this f2f or at least mention it.
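As an added illustration of the automation the comment above refers to (example code, not part of this PR or the meshstack-hub module), the three Graph app roles from the operational notes can be granted to the UAMI's service principal as app role assignments with the azuread provider, which records them as consented without a portal step; the resource names `msgraph`/`backplane_graph` and the assumption that the applying identity holds `AppRoleAssignment.ReadWrite.All` and `Application.Read.All` are mine, not the project's.

```hcl
# Added example, not project code. Assumes the applying identity holds
# AppRoleAssignment.ReadWrite.All and Application.Read.All (itself a highly
# privileged grant, so run this from a separately controlled bootstrap
# pipeline, not from the building block's own backplane).

# Well-known first-party application IDs; "MicrosoftGraph" is the key we need.
data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant. Its app_role_ids map
# resolves a permission name such as "Group.ReadWrite.All" to the role GUID.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

# Keep the permission list explicit and reviewable: every entry is a
# tenant-wide application permission, so each one should be justified.
locals {
  graph_app_roles = toset([
    "User.Read.All",
    "Group.ReadWrite.All",
    "AdministrativeUnit.ReadWrite.All",
  ])
}

# One app role assignment per permission, granted to the UAMI's service
# principal (principal_id of azurerm_user_assigned_identity.backplane from
# this PR). Destroying these resources revokes the consent again.
resource "azuread_app_role_assignment" "backplane_graph" {
  for_each            = local.graph_app_roles
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.key]
  principal_object_id = azurerm_user_assigned_identity.backplane.principal_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```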
| required_providers { | ||
| azuread = { | ||
| source = "hashicorp/azuread" | ||
| version = "~> 3.8.0" |
| location = var.azure_location | ||
|
|
||
| workload_identity_federation = { | ||
| issuer = data.meshstack_integrations.integrations.workload_identity_federation.replicator.issuer |
n: nice usage of the data source, thank you!
| required_providers { | ||
| meshstack = { | ||
| source = "meshcloud/meshstack" | ||
| version = "~> 0.21.0" |
| } | ||
| azurerm = { | ||
| source = "hashicorp/azurerm" | ||
| version = "~> 4.0" |
| } | ||
| azuread = { | ||
| source = "hashicorp/azuread" | ||
| version = "~> 3.8" |
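Review bot: the azuread provider constraint in this file is `~> 3.8`, while the earlier `required_providers` hunk in this PR uses `~> 3.8.0`; the first permits any 3.x release from 3.8 upward and the second only 3.8.x patch releases, so the two modules can resolve different provider versions. Pin both to the same constraint, `~> 3.8.0` if the intent is to stay on the tested minor.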