Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for eligible authorizations within Azure Lighthouse #15311

Open
DaZzLa09 opened this issue Feb 8, 2022 · 2 comments
Open

Support for eligible authorizations within Azure Lighthouse #15311

DaZzLa09 opened this issue Feb 8, 2022 · 2 comments
Labels
enhancement service/lighthouse

Comments

@DaZzLa09
Copy link

DaZzLa09 commented Feb 8, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Microsoft introduced eligible authorizations for Azure Lighthouse, which makes the features of PIM usable within Lighthouse.
Eligible authorizations can be defined to allow users to elevate their permissions temporarily, just like with PIM in a native Azure tenant.

Right now it's not possible to define these eligible authorizations inside of the azurerm_lighthouse_definition ressource.
I'd love to have the possibility to add a block for "eligible_authorizations" in addition to the permanent "authorizations".

Eligible authorizations are currently in public preview state.

New or Affected Resource(s)

  • azurerm_lighthouse_definition

Potential Terraform Configuration

Below an example how the definition could look like with supported eligible authorizations.
The Tier 1 Support group has permanent Reader permissions and is eligible to elevate to the Contributor role.
I have copied the parameters from the ARM template which i have generated with the Lighthouse GUI in the Portal.

resource "azurerm_lighthouse_definition" "example" {
  name               = "Sample definition"
  description        = "This is a lighthouse definition created via Terraform"
  managing_tenant_id = "00000000-0000-0000-0000-000000000000"
  scope              = "/subscriptions/00000000-0000-0000-0000-000000000000"

  authorization {
    principal_id           = "00000000-0000-0000-0000-000000000000"
    role_definition_id  = // For example "Reader"
    principal_display_name = "Tier 1 Support - Reader"
  }

  eligible_authorization {
    multiFactorAuthProvider = "Azure"
    maximumActivationDuration = "PT4H"
    managedByTenantApprovers = null
    principal_id           = "00000000-0000-0000-0000-000000000000"
    role_definition_id  = // For example "Contributor"
    principal_display_name = "Tier 1 Support - Contributor"
  }

}

References

  • #0000
@DaZzLa09
Copy link
Author

Hi,

still no news on this HashiCorp?
I think its a very important feature to leverage the security features Azure is offering.

@jkroepke
Copy link
Contributor

jkroepke commented Jul 16, 2024
edited
Loading

Duplicate of #25183 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement service/lighthouse
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jkroepke @stephybun @DaZzLa09