chore: remove redundant user administrator role for au

malhussan · malhussan · commit 914d1fa348ee · 2025-08-06T23:34:40.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.13.3]
+
+### Changed
+
+- Remove User Administrator role assignment for replicator in administrative units.
+
 ## [v0.13.2]
 
 ### Changed
@@ -119,7 +125,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Initial Release
 
-[unreleased]: https://github.com/meshcloud/terraform-azure-meshplatform/compare/v0.13.2...HEAD
+[unreleased]: https://github.com/meshcloud/terraform-azure-meshplatform/compare/v0.13.3...HEAD
+[v0.13.3]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.3
 [v0.13.2]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.2
 [v0.13.1]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.1
 [v0.13.0]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.0
diff --git a/modules/meshcloud-replicator-service-principal/README.md b/modules/meshcloud-replicator-service-principal/README.md
@@ -17,7 +17,6 @@ No modules.
 |------|------|
 | [azuread_administrative_unit.meshcloud_replicator_au](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit) | resource |
 | [azuread_administrative_unit_role_member.groups_admin_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_role_member) | resource |
-| [azuread_administrative_unit_role_member.user_admin_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_role_member) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-administrativeunit](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
 | [azuread_app_role_assignment.meshcloud_replicator-group](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
@@ -27,7 +26,6 @@ No modules.
 | [azuread_application_federated_identity_credential.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_application_password.application_pw](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
 | [azuread_directory_role.groups_administrator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role) | resource |
-| [azuread_directory_role.user_administrator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role) | resource |
 | [azuread_service_principal.meshcloud_replicator](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azurerm_management_group_policy_assignment.privilege-escalation-prevention](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
 | [azurerm_policy_definition.privilege_escalation_prevention](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf
@@ -329,25 +329,14 @@ There is an issue when assigning the replicator a custom role in the AU scope, w
 
 See https://github.com/hashicorp/terraform-provider-azuread/issues/1546.
 
-For now we assign User Administrator and Groups Administrator roles as that is already restricted to the AU scope.
+For now we assign Groups Administrator role as that is already restricted to the AU scope.
 */
-resource "azuread_directory_role" "user_administrator" {
-  count        = var.administrative_unit_name == null ? 0 : 1
-  display_name = "User Administrator"
-}
 
 resource "azuread_directory_role" "groups_administrator" {
   count        = var.administrative_unit_name == null ? 0 : 1
   display_name = "Groups Administrator"
 }
 
-resource "azuread_administrative_unit_role_member" "user_admin_assignment" {
-  count                         = var.administrative_unit_name == null ? 0 : 1
-  role_object_id                = azuread_directory_role.user_administrator[0].object_id
-  administrative_unit_object_id = azuread_administrative_unit.meshcloud_replicator_au[0].object_id
-  member_object_id              = azuread_service_principal.meshcloud_replicator.object_id
-}
-
 resource "azuread_administrative_unit_role_member" "groups_admin_assignment" {
   count                         = var.administrative_unit_name == null ? 0 : 1
   role_object_id                = azuread_directory_role.groups_administrator[0].object_id
