fix: remove dynamic user membership type for au

malhussan · malhussan · commit a5748a2f5a14 · 2025-08-06T14:51:08.000+02:00
When using Dynamic User as membership type for an Administrative Unit, it is not possible anymore to add groups to the AU. We therefore use the default "assigned" membership type.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.13.1]
+
+### Changed
+
+- Remove administrative unit membership rule input
+- Remove some permissions that are not needed when using administrative units
+
 ## [v0.13.0]
 
 ### Added
@@ -105,7 +112,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Initial Release
 
-[unreleased]: https://github.com/meshcloud/terraform-azure-meshplatform/compare/v0.13.0...HEAD
+[unreleased]: https://github.com/meshcloud/terraform-azure-meshplatform/compare/v0.13.1...HEAD
+[v0.13.1]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.1
 [v0.13.0]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.13.0
 [v0.12.0]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.12.0
 [v0.11.0]: https://github.com/meshcloud/terraform-azure-meshplatform/releases/tag/v0.11.0
diff --git a/README.md b/README.md
@@ -119,14 +119,13 @@ Please include the following `additional_permission` when configuring this terra
 
 ### Using Azure Administrative Units
 
-To use Azure Administrative Units with this module, you can set the `administrative_unit_name` and `administrative_unit_membership_rule` variables.
+To use Azure Administrative Units with this module, you can set the `administrative_unit_name` variable.
 
 ```hcl
 module "meshplatform" {
   source = "meshcloud/meshplatform/azure"
   # required inputs
   administrative_unit_name              = "my-administrative-unit"
-  administrative_unit_membership_rule   = "(user.accountEnabled -eq true)" # Include all active users
 }
 ```
 
@@ -248,7 +247,6 @@ Before opening a Pull Request, please do the following:
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the Service Principal needs. | `list(string)` | `[]` | no |
 | <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the replicator Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
-| <a name="input_administrative_unit_membership_rule"></a> [administrative\_unit\_membership\_rule](#input\_administrative\_unit\_membership\_rule) | Dynamic membership rule for the Administrative Unit. Required when administrative\_unit\_name is set.<br><br>Suggested default: "(user.accountEnabled -eq true)"<br>NOTE: This rule will include ALL active users in your tenant. Consider more restrictive rules for production use.<br><br>Examples for more restrictive rules:<br>- "(user.companyName -eq \"MyCompany\") and (user.accountEnabled -eq true)" - Active users from specific company<br>- "(user.userType -eq \"Member\") and (user.accountEnabled -eq true)" - Active member users only<br><br>For more information on membership rules, see:<br>https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership | `string` | `null` | no |
 | <a name="input_administrative_unit_name"></a> [administrative\_unit\_name](#input\_administrative\_unit\_name) | Display name of the adminstration-unit name where the user groups are managed. | `string` | `null` | no |
 | <a name="input_application_owners"></a> [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the created service principals. | `list(string)` | `[]` | no |
 | <a name="input_can_cancel_subscriptions_in_scopes"></a> [can\_cancel\_subscriptions\_in\_scopes](#input\_can\_cancel\_subscriptions\_in\_scopes) | The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
@@ -62,8 +62,7 @@ module "replicator_service_principal" {
   can_cancel_subscriptions_in_scopes = var.can_cancel_subscriptions_in_scopes
   can_delete_rgs_in_scopes           = var.can_delete_rgs_in_scopes
 
-  administrative_unit_name            = var.administrative_unit_name
-  administrative_unit_membership_rule = var.administrative_unit_membership_rule
+  administrative_unit_name = var.administrative_unit_name
 
   additional_required_resource_accesses = var.additional_required_resource_accesses
   additional_permissions                = var.additional_permissions
diff --git a/modules/meshcloud-replicator-service-principal/README.md b/modules/meshcloud-replicator-service-principal/README.md
@@ -35,7 +35,6 @@ No modules.
 | [azurerm_role_definition.meshcloud_replicator_rg_deleter](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 | [azurerm_role_definition.meshcloud_replicator_subscription_canceler](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 | [terraform_data.allowed_assignments](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
-| [terraform_data.patch_admin_unit](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [time_rotating.replicator_secret_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
 | [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
 | [azuread_application_template.enterprise_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_template) | data source |
@@ -47,7 +46,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_permissions"></a> [additional\_permissions](#input\_additional\_permissions) | Additional Subscription-Level Permissions the Service Principal needs. | `list(string)` | `[]` | no |
 | <a name="input_additional_required_resource_accesses"></a> [additional\_required\_resource\_accesses](#input\_additional\_required\_resource\_accesses) | Additional AAD-Level Resource Accesses the Service Principal needs. | `list(object({ resource_app_id = string, resource_accesses = list(object({ id = string, type = string })) }))` | `[]` | no |
-| <a name="input_administrative_unit_membership_rule"></a> [administrative\_unit\_membership\_rule](#input\_administrative\_unit\_membership\_rule) | Dynamic membership rule for the Administrative Unit. Required when administrative\_unit\_name is set.<br><br>Suggested default: "(user.accountEnabled -eq true)"<br>NOTE: This rule will include ALL active users in your tenant. Consider more restrictive rules for production use.<br><br>Examples for more restrictive rules:<br>- "(user.companyName -eq \"MyCompany\") and (user.accountEnabled -eq true)" - Active users from specific company<br>- "(user.userType -eq \"Member\") and (user.accountEnabled -eq true)" - Active member users only<br><br>For more information on membership rules, see:<br>https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership | `string` | `null` | no |
 | <a name="input_administrative_unit_name"></a> [administrative\_unit\_name](#input\_administrative\_unit\_name) | Display name of the adminstration-unit name where the user groups are managed. | `string` | `null` | no |
 | <a name="input_application_owners"></a> [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the replicator service principal. | `list(string)` | `[]` | no |
 | <a name="input_assignment_scopes"></a> [assignment\_scopes](#input\_assignment\_scopes) | The scopes to which Service Principal permissions is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`. | `list(string)` | n/a | yes |
diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf
@@ -310,42 +310,6 @@ resource "azuread_administrative_unit" "meshcloud_replicator_au" {
   display_name = var.administrative_unit_name
 }
 
-//--------------------------------------------------------------------------
-// Update AU properties via Microsoft Graph API using az rest
-//--------------------------------------------------------------------------
-
-resource "terraform_data" "patch_admin_unit" {
-  count = var.administrative_unit_name == null ? 0 : 1
-
-  lifecycle {
-    precondition {
-      condition     = var.administrative_unit_membership_rule != null
-      error_message = "When administrative_unit_name is set, administrative_unit_membership_rule must also be provided. Suggested value: \"(user.accountEnabled -eq true)\""
-    }
-  }
-
-  provisioner "local-exec" {
-    command = <<-EOT
-      az rest \
-        --method PATCH \
-        --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits/${azuread_administrative_unit.meshcloud_replicator_au[0].object_id}" \
-        --body '{
-          "displayName": "${var.administrative_unit_name}",
-          "membershipType": "Dynamic",
-          "membershipRule": "${var.administrative_unit_membership_rule}",
-          "membershipRuleProcessingState": "On"
-        }'
-    EOT
-  }
-
-  triggers_replace = {
-    au_id           = azuread_administrative_unit.meshcloud_replicator_au[0].object_id
-    display_name    = var.administrative_unit_name
-    membership_rule = var.administrative_unit_membership_rule
-  }
-
-  depends_on = [azuread_administrative_unit.meshcloud_replicator_au]
-}
 //--------------------------------------------------------------------------
 // Custom AU-scoped Role
 //--------------------------------------------------------------------------
@@ -361,13 +325,11 @@ resource "azuread_custom_directory_role" "meshcloud_replicator_au_role" {
   permissions {
     allowed_resource_actions = [
       "microsoft.directory/users/standard/read",
-      "microsoft.directory/groups/create",
       "microsoft.directory/groups/standard/read",
+      "microsoft.directory/groups/create",
       "microsoft.directory/groups/members/update",
       "microsoft.directory/groups/members/read",
       "microsoft.directory/groups/memberOf/read",
-      "microsoft.directory/administrativeUnits/members/read",
-      "microsoft.directory/administrativeUnits/members/update",
     ]
   }
 }
diff --git a/modules/meshcloud-replicator-service-principal/variables.tf b/modules/meshcloud-replicator-service-principal/variables.tf
@@ -65,21 +65,3 @@ variable "application_owners" {
   description = "List of user principals that should be added as owners to the replicator service principal."
   default     = []
 }
-
-variable "administrative_unit_membership_rule" {
-  type        = string
-  default     = null
-  description = <<-EOT
-    Dynamic membership rule for the Administrative Unit. Required when administrative_unit_name is set.
-
-    Suggested default: "(user.accountEnabled -eq true)"
-    NOTE: This rule will include ALL active users in your tenant. Consider more restrictive rules for production use.
-
-    Examples for more restrictive rules:
-    - "(user.companyName -eq \"MyCompany\") and (user.accountEnabled -eq true)" - Active users from specific company
-    - "(user.userType -eq \"Member\") and (user.accountEnabled -eq true)" - Active member users only
-
-    For more information on membership rules, see:
-    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
-  EOT
-}
diff --git a/variables.tf b/variables.tf
@@ -44,25 +44,6 @@ variable "administrative_unit_name" {
   default     = null
 }
 
-variable "administrative_unit_membership_rule" {
-  type        = string
-  default     = null
-  description = <<-EOT
-    Dynamic membership rule for the Administrative Unit. Required when administrative_unit_name is set.
-
-    Suggested default: "(user.accountEnabled -eq true)"
-    NOTE: This rule will include ALL active users in your tenant. Consider more restrictive rules for production use.
-
-    Examples for more restrictive rules:
-    - "(user.companyName -eq \"MyCompany\") and (user.accountEnabled -eq true)" - Active users from specific company
-    - "(user.userType -eq \"Member\") and (user.accountEnabled -eq true)" - Active member users only
-
-    For more information on membership rules, see:
-    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
-  EOT
-}
-
-
 # SSO inputs
 
 variable "sso_enabled" {
