From 712e2362d91a84794c2b3c8ceb18a6e7652a0af7 Mon Sep 17 00:00:00 2001
From: Julie Ng
Date: Thu, 13 Jan 2022 10:07:29 +0100
Subject: [PATCH] feat(aad): add owners to application objects #49

---
 main.tf | 8 ++++----
 modules/service-principal/main.tf | 1 +
 modules/service-principal/variables.tf | 9 +++++++++
 variables.tf | 6 ++++++
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 754aaf8..2e16b35 100644
--- a/main.tf
+++ b/main.tf
@@ -13,10 +13,9 @@ resource "random_string" "suffix" {
 }
 
 locals {
- suffix = random_string.suffix.result
-
- # Default to current ARM client
- superadmins_aad_object_id = var.superadmins_aad_object_id == "" ? data.azurerm_client_config.current.object_id : var.superadmins_aad_object_id
+ suffix = random_string.suffix.result
+ application_owners_ids = length(var.application_owners_ids) == 0 ? [data.azurerm_client_config.current.object_id] : var.application_owners_ids
+ superadmins_aad_object_id = var.superadmins_aad_object_id == "" ? data.azurerm_client_config.current.object_id : var.superadmins_aad_object_id # Default to current ARM client
 }
 
 # ---------------
@@ -40,6 +39,7 @@ module "service_principals" {
 for_each = var.environments
 source = "./modules/service-principal"
 name = "${each.value.team}-${each.value.env}-${local.suffix}-ci-sp"
+ owners = local.application_owners_ids
 }
 
 # ------------------------------
diff --git a/modules/service-principal/main.tf b/modules/service-principal/main.tf
index 813902a..6abfc17 100644
--- a/modules/service-principal/main.tf
+++ b/modules/service-principal/main.tf
@@ -4,6 +4,7 @@
 
 resource "azuread_application" "app" {
 display_name = local.name
+ owners = var.owners
 }
 
 resource "azuread_application_password" "workspace_sp_secret" {
diff --git a/modules/service-principal/variables.tf b/modules/service-principal/variables.tf
index bc14c9a..c9b6b1b 100644
--- a/modules/service-principal/variables.tf
+++ b/modules/service-principal/variables.tf
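Review bot: The fallback `[data.azurerm_client_config.current.object_id]` in the new `application_owners_ids` local silently makes whichever identity runs `terraform apply` an owner of every generated application, and an Azure AD application owner can add credentials to that application and sign in as its service principal, so this default is a standing privilege grant rather than metadata and should be called out next to the line, e.g. `# Fallback: the identity running Terraform owns every app; owners can add credentials to it, so set explicit owners outside of bootstrap`. The guard only looks at the list length, so if the data source yields an empty `object_id` (which can happen with some authentication methods) the result is `[""]`, which passes the module's non-empty validation and fails only at apply; `length(var.application_owners_ids) == 0 ? compact([data.azurerm_client_config.current.object_id]) : var.application_owners_ids` turns that into the module's plan-time error instead. The `superadmins_aad_object_id` line is the pre-existing default re-flowed onto one line and is not part of this point.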
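Review bot: `owners = var.owners` is set only on `azuread_application.app`, but in Azure AD the application object and its service principal carry separate owner lists; if this module also declares an `azuread_service_principal` (outside the hunk, but implied by the module name and the `azuread_application_password` resource that follows) and the provider version in use exposes `owners` on it, that resource needs its own `owners = var.owners` or the listed owners will not be able to manage the service-principal half. Since anyone in `var.owners` can create further passwords for this application, a line above the argument should state the trust implication: `# Owners can add credentials to this app and sign in as it - treat var.owners as a privileged set`. If the principal running Terraform is not in `var.owners`, later applies that rotate `workspace_sp_secret` may be denied unless that principal holds a directory role or Graph permission spanning all applications; the root default only covers this when the variable is left empty.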
@@ -23,6 +23,15 @@ variable "password_lifetime" {
 default = "4380h"
 }
 
+variable "owners" {
+ type = list(string)
+ description = "A set of object IDs of principals that will be granted ownership of the application (service principal)."
+ validation {
+ condition = length(var.owners) > 0
+ error_message = "Every Application must have an owner. Owners cannot be empty."
+ }
+}
+
 # Normalize Values
 # ----------------
 
diff --git a/variables.tf b/variables.tf
index 34562c9..8ecdf7a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -5,6 +5,12 @@ variable "superadmins_aad_object_id" {
 default = ""
 }
 
+variable "application_owners_ids" {
+ type = list(string)
+ description = "A set of object IDs of principals that will be granted ownership of the application (service principal). Supported object types are users or service principals. It is best practice to specify one or more owners, incl. the principal used to execute Terraform"
+ default = []
+}
+
 # AAD Groups
 variable "groups" {
 type = map(string)
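Review bot: The validation on `owners` only rejects an empty list, so a list holding an empty string or a non-GUID value (a display name pasted by mistake) passes plan and fails at apply with a Graph error; requiring GUID-shaped entries moves that failure to plan time, e.g. `condition = length(var.owners) > 0 && alltrue([for o in var.owners : can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", o))])` with an error message that mentions object IDs (`alltrue` needs Terraform 0.14 or later). The description says "a set of object IDs" while the type is `list(string)`; the provider argument is set-valued, so `type = set(string)` would match the description and drop duplicates before they reach the API, and callers passing a list still convert. The description should also name what ownership grants, since owners can add credentials to the application: `description = "Object IDs of users or service principals that own the application. Owners can add credentials to the app and sign in as it, so treat this as a privileged list. Must not be empty."`.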
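Review bot: The description of `application_owners_ids` recommends naming owners but does not say what the default `[]` does; the root `main.tf` (not in this hunk) then substitutes the object ID of the principal running Terraform, so a reader of the variable alone cannot tell that leaving it empty still grants ownership, and with it the ability to add credentials to every generated application, to someone. Stating that in the description avoids the surprise: `description = "Object IDs of users or service principals that will own every generated application (owners can add credentials to the app and sign in as its service principal). Leave empty to default to the principal running Terraform; in production list explicit owners, including the Terraform principal so it can keep managing the apps."`. The current text also ends without a period.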