From c00fc85e989c595d61a378ce60acc361379f8e57 Mon Sep 17 00:00:00 2001 From: "pablo.sanchez" Date: Thu, 5 Feb 2026 13:10:24 +0100 Subject: [PATCH 1/5] docs(azure-application): update docs and added examples --- modules/azure-application/.terrafom-docs.yaml | 48 +++++++++++ modules/azure-application/README.md | 86 +++++++++++++++++-- .../_examples/basic/example.tf | 34 ++++++++ .../_examples/basic/example.yaml | 23 +++++ modules/azure-application/docs/footer.md | 18 ++++ modules/azure-application/docs/header.md | 55 ++++++++++++ 6 files changed, 259 insertions(+), 5 deletions(-) create mode 100644 modules/azure-application/.terrafom-docs.yaml create mode 100644 modules/azure-application/_examples/basic/example.tf create mode 100644 modules/azure-application/_examples/basic/example.yaml create mode 100644 modules/azure-application/docs/footer.md create mode 100644 modules/azure-application/docs/header.md diff --git a/modules/azure-application/.terrafom-docs.yaml b/modules/azure-application/.terrafom-docs.yaml new file mode 100644 index 000000000..bce3ca3a9 --- /dev/null +++ b/modules/azure-application/.terrafom-docs.yaml @@ -0,0 +1,48 @@ +formatter: "markdown" # this is required + +version: "" + +header-from: docs/header.md +footer-from: docs/footer.md + +recursive: + enabled: false + path: modules + include-main: true + +sections: + hide: [] + show: [] + +content: "" + +output: + file: "README.md" + mode: inject + template: |- + + {{ .Content }} + + +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: false + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true \ No newline at end of file diff --git a/modules/azure-application/README.md b/modules/azure-application/README.md index d787b678e..8ed83359d 100644 --- a/modules/azure-application/README.md 
+++ b/modules/azure-application/README.md @@ -1,9 +1,65 @@ + +# Azure Application Registration Terraform Module + +## Overview + +Este módulo de Terraform permite crear y gestionar un registro de aplicación en Azure Active Directory (Azure AD), incluyendo: +- Creación de la aplicación y service principal. +- Asignación de roles y permisos (incluyendo Microsoft Graph). +- Configuración de credenciales federadas y secretos. +- Soporte para redirecciones y miembros. +- Integración opcional con Azure Key Vault para almacenar secretos. + +## Características principales +- Registro de aplicación y service principal en Azure AD. +- Asignación de roles personalizados y de Microsoft Graph. +- Soporte para credenciales federadas (OIDC, GitHub Actions, etc). +- Gestión de secretos con rotación y almacenamiento seguro en Key Vault. +- Configuración flexible de redirecciones y miembros. + +## Ejemplo básico de uso + +```hcl +module "azure_application" { + source = "./modules/azure-application" + name = "my-app" + members = ["user1@dominio.com", "user2@dominio.com"] + msgraph_roles = ["User.Read.All"] + redirects = [{ + platform = "web" + redirect_uris = ["https://myapp.com/auth/callback"] + }] + client_secret = { + enabled = true + rotation_days = 90 + keyvault = { + id = azurerm_key_vault.example.id + key_name = "my-app-secret" + } + } +} +``` + +## Estructura de archivos + +``` +. +├── main.tf +├── variables.tf +├── outputs.tf +├── versions.tf +├── README.md +├── CHANGELOG.md +└── docs/ + ├── header.md + └── footer.md +``` + ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.7.0 | -| [azapi](#requirement\_azapi) | ~> 2.3.0 | | [azuread](#requirement\_azuread) | ~> 3.3.0 | | [azurerm](#requirement\_azurerm) | ~> 4.16.0 | 
@@ -11,9 +67,9 @@ | Name | Version | |------|---------| -| [azuread](#provider\_azuread) | 3.3.0 | -| [azurerm](#provider\_azurerm) | 4.16.0 | -| [time](#provider\_time) | 0.13.1 | +| [azuread](#provider\_azuread) | ~> 3.3.0 | +| [azurerm](#provider\_azurerm) | ~> 4.16.0 | +| [time](#provider\_time) | n/a | ## Modules @@ -45,7 +101,7 @@ No modules. | [extra\_role\_assignments](#input\_extra\_role\_assignments) | The list of extra role assignments to be added to the Azure App Registration. |
list(object({
role_definition_name = string
scope = string
}))
| `[]` | no | | [federated\_credentials](#input\_federated\_credentials) | The federated credentials configuration for the Azure App Registration. |
list(object({
display_name = string
audiences = list(string)
issuer = string
subject = string
description = optional(string)
}))
| `[]` | no | | [members](#input\_members) | The list of members to be added to the Azure App Registration. | `list(string)` | n/a | yes | -| [msgraph\_roles](#input\_msgraph\_roles) | The list of Microsoft Graph roles to be assigned to the Azure App Registration. e.g. User.Read.All | `list(string)` | n/a | yes | +| [msgraph\_roles](#input\_msgraph\_roles) | The list of Microsoft Graph roles to be assigned to the Azure App Registration. Each role includes a name and whether it is delegated. |
list(object({
id = string
delegated = bool
}))
| n/a | yes | | [name](#input\_name) | The name of the Azure App Registration. | `string` | n/a | yes | | [redirects](#input\_redirects) | The redirect configuration for the Azure App Registration. |
list(object({
platform = string
redirect_uris = list(string)
}))
| n/a | yes | @@ -55,3 +111,23 @@ No modules. |------|-------------| | [application\_client\_id](#output\_application\_client\_id) | The client ID of the Azure application | | [application\_object\_id](#output\_application\_object\_id) | The object ID of the Azure application | + +--- + +## Examples + +For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-application/_examples): + +- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-application/_examples/basic) - Azure AD App Registration with members, redirects, Microsoft Graph roles and client secret stored in Key Vault. + +## Recursos adicionales + +- [Azure Active Directory App Registration](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) +- [Proveedor Terraform AzureAD](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) +- [Proveedor Terraform AzureRM](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) +- [Documentación oficial de Terraform](https://www.terraform.io/docs) + +## Soporte + +Para dudas, incidencias o contribuciones, utiliza el issue tracker del repositorio: [https://github.com/prefapp/tfm/issues](https://github.com/prefapp/tfm/issues) + \ No newline at end of file diff --git a/modules/azure-application/_examples/basic/example.tf b/modules/azure-application/_examples/basic/example.tf new file mode 100644 index 000000000..33c1cb0c7 --- /dev/null +++ b/modules/azure-application/_examples/basic/example.tf 
@@ -0,0 +1,34 @@ +// Basic example: Azure AD Application Registration using the module + +module "azure_application" { + source = "../../" + + name = "my-app" + members = [ + "user1@contoso.com", + "user2@contoso.com", + ] + + msgraph_roles = [ + { + id = "role-id-user-read-all" + delegated = true + } + ] + + redirects = [ + { + platform = "Web" + redirect_uris = ["https://myapp.com/auth/callback"] + } + ] + + client_secret = { + enabled = true + rotation_days = 90 + keyvault = { + id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-kv" + key_name = "my-app-secret" + } + } +} \ No newline at end of file diff --git a/modules/azure-application/_examples/basic/example.yaml b/modules/azure-application/_examples/basic/example.yaml new file mode 100644 index 000000000..7601a38ea --- /dev/null +++ b/modules/azure-application/_examples/basic/example.yaml @@ -0,0 +1,23 @@ +# Basic example values for Azure Application Registration module + +name: my-app + +members: + - user1@contoso.com + - user2@contoso.com + +msgraph_roles: + - id: role-id-user-read-all + delegated: true + +redirects: + - platform: Web + redirect_uris: + - https://myapp.com/auth/callback + +client_secret: + enabled: true + rotation_days: 90 + keyvault: + id: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-kv + key_name: my-app-secret \ No newline at end of file diff --git a/modules/azure-application/docs/footer.md b/modules/azure-application/docs/footer.md new file mode 100644 index 000000000..a5ac5a636 --- /dev/null +++ b/modules/azure-application/docs/footer.md 
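Review bot: The Microsoft Graph role in this example, `id = "role-id-user-read-all"`, is a placeholder that does not match the value the README's input description and its own usage example use (`User.Read.All`), so a reader copying the basic example cannot tell which form `msgraph_roles[].id` expects; the same placeholder appears in `_examples/basic/example.yaml` in the next hunk. The redirect entry's `platform = "Web"` is also capitalised differently from the README example's `"web"`, and the accepted values depend on validation in the module's variables.tf, which is not part of this diff. I would align both example files with the README (`id = "User.Read.All"` and `platform = "web"`) or, if the module really expects a permission GUID here, state that in the leading comment so the two examples do not contradict each other. The all-zeros subscription in `keyvault.id` is fine as a constructed sample value, though referencing a Key Vault resource the way the README example does (`azurerm_key_vault.example.id`) would keep the example applyable as written.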
@@ -0,0 +1,18 @@ +--- + +## Examples + +For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-application/_examples): + +- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-application/_examples/basic) - Azure AD App Registration with members, redirects, Microsoft Graph roles and client secret stored in Key Vault. + +## Recursos adicionales + +- [Azure Active Directory App Registration](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) +- [Proveedor Terraform AzureAD](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) +- [Proveedor Terraform AzureRM](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) +- [Documentación oficial de Terraform](https://www.terraform.io/docs) + +## Soporte + +Para dudas, incidencias o contribuciones, utiliza el issue tracker del repositorio: [https://github.com/prefapp/tfm/issues](https://github.com/prefapp/tfm/issues) diff --git a/modules/azure-application/docs/header.md b/modules/azure-application/docs/header.md new file mode 100644 index 000000000..70923d533 --- /dev/null +++ b/modules/azure-application/docs/header.md 
@@ -0,0 +1,55 @@ +# Azure Application Registration Terraform Module + +## Overview + +Este módulo de Terraform permite crear y gestionar un registro de aplicación en Azure Active Directory (Azure AD), incluyendo: +- Creación de la aplicación y service principal. +- Asignación de roles y permisos (incluyendo Microsoft Graph). +- Configuración de credenciales federadas y secretos. +- Soporte para redirecciones y miembros. +- Integración opcional con Azure Key Vault para almacenar secretos. + +## Características principales +- Registro de aplicación y service principal en Azure AD. +- Asignación de roles personalizados y de Microsoft Graph. +- Soporte para credenciales federadas (OIDC, GitHub Actions, etc). +- Gestión de secretos con rotación y almacenamiento seguro en Key Vault. +- Configuración flexible de redirecciones y miembros. + +## Ejemplo básico de uso + +```hcl +module "azure_application" { + source = "./modules/azure-application" + name = "my-app" + members = ["user1@dominio.com", "user2@dominio.com"] + msgraph_roles = ["User.Read.All"] + redirects = [{ + platform = "web" + redirect_uris = ["https://myapp.com/auth/callback"] + }] + client_secret = { + enabled = true + rotation_days = 90 + keyvault = { + id = azurerm_key_vault.example.id + key_name = "my-app-secret" + } + } +} +``` + +## Estructura de archivos + +``` +. +├── main.tf +├── variables.tf +├── outputs.tf +├── versions.tf +├── README.md +├── CHANGELOG.md +└── docs/ + ├── header.md + └── footer.md +``` From 2c2c2f6822e395d3a3a8d4f87847917221284e92 Mon Sep 17 00:00:00 2001 From: "pablo.sanchez" Date: Tue, 10 Feb 2026 10:16:51 +0100 Subject: [PATCH 2/5] docs(azuread-group): update Readme --- modules/azure-application/.terrafom-docs.yaml | 48 ------------------- 1 file changed, 48 deletions(-) delete mode 100644 modules/azure-application/.terrafom-docs.yaml 
diff --git a/modules/azure-application/.terrafom-docs.yaml b/modules/azure-application/.terrafom-docs.yaml deleted file mode 100644 index bce3ca3a9..000000000 --- a/modules/azure-application/.terrafom-docs.yaml +++ /dev/null @@ -1,48 +0,0 @@ -formatter: "markdown" # this is required - -version: "" - -header-from: docs/header.md -footer-from: docs/footer.md - -recursive: - enabled: false - path: modules - include-main: true - -sections: - hide: [] - show: [] - -content: "" - -output: - file: "README.md" - mode: inject - template: |- - - {{ .Content }} - - -output-values: - enabled: false - from: "" - -sort: - enabled: true - by: name - -settings: - anchor: true - color: true - default: true - description: false - escape: true - hide-empty: false - html: true - indent: 2 - lockfile: true - read-comments: true - required: true - sensitive: true - type: true \ No newline at end of file From caa62cfec2ad7a12fcddcc48b641646e132df961 Mon Sep 17 00:00:00 2001 From: pablosanchezpaz <76182461+pablosanchezpaz@users.noreply.github.com> Date: Tue, 10 Feb 2026 18:35:11 +0100 Subject: [PATCH 3/5] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- modules/azure-application/docs/header.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/azure-application/docs/header.md b/modules/azure-application/docs/header.md index 70923d533..7b24de5d2 100644 --- a/modules/azure-application/docs/header.md +++ b/modules/azure-application/docs/header.md @@ -23,7 +23,12 @@ module "azure_application" { source = "./modules/azure-application" name = "my-app" members = ["user1@dominio.com", "user2@dominio.com"] - msgraph_roles = ["User.Read.All"] + msgraph_roles = [ + { + id = "User.Read.All" + delegated = true + } + ] redirects = [{ platform = "web" redirect_uris = ["https://myapp.com/auth/callback"] From d6c7e5a608ae2ef6350be6094e8de4ab147a063f Mon Sep 17 00:00:00 2001 
From: pablosanchezpaz <76182461+pablosanchezpaz@users.noreply.github.com> Date: Tue, 10 Feb 2026 18:35:27 +0100 Subject: [PATCH 4/5] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- modules/azure-application/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/azure-application/README.md b/modules/azure-application/README.md index 8ed83359d..f5089d3e2 100644 --- a/modules/azure-application/README.md +++ b/modules/azure-application/README.md @@ -24,7 +24,10 @@ module "azure_application" { source = "./modules/azure-application" name = "my-app" members = ["user1@dominio.com", "user2@dominio.com"] - msgraph_roles = ["User.Read.All"] + msgraph_roles = [{ + id = "User.Read.All" + delegated = true + }] redirects = [{ platform = "web" redirect_uris = ["https://myapp.com/auth/callback"] From 8c7264cdba8c93d90af04406ecd9bb0e2a701fc1 Mon Sep 17 00:00:00 2001 From: "pablo.sanchez" Date: Tue, 10 Feb 2026 18:36:52 +0100 Subject: [PATCH 5/5] docs(azure): update Readme --- modules/azure-application/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/azure-application/README.md b/modules/azure-application/README.md index f5089d3e2..69f0178a5 100644 --- a/modules/azure-application/README.md +++ b/modules/azure-application/README.md @@ -24,10 +24,12 @@ module "azure_application" { source = "./modules/azure-application" name = "my-app" members = ["user1@dominio.com", "user2@dominio.com"] - msgraph_roles = [{ - id = "User.Read.All" - delegated = true - }] + msgraph_roles = [ + { + id = "User.Read.All" + delegated = true + } + ] redirects = [{ platform = "web" redirect_uris = ["https://myapp.com/auth/callback"]