stacklet/terraform-msteams-bot

Microsoft Teams Bot Terraform Module

This Terraform module creates the Azure infrastructure required for Stacklet's Teams integration: an Azure AD (Microsoft Entra ID) application registration with the Microsoft Graph application permissions the integration needs, a federated identity credential so Stacklet's platform can authenticate to it without a client secret, and an Azure Bot Service resource with the Teams channel enabled.

Prerequisites

The identity that runs terraform apply needs the following permissions:

Azure AD (Microsoft Entra ID):

  • Application Administrator role (recommended)
  • Or Global Administrator (if Application Administrator is not available)

Azure RBAC:

  • User Access Administrator + Contributor roles on the target subscription
  • Or Owner role (combines both above)

What This Module Creates

  • Azure AD Application (and its service principal) with Microsoft Graph application permissions for Teams operations
  • Federated Identity Credential on that application, trusting the AWS issuer and role you pass in (wif_issuer_url, trust_role_arn), so Stacklet's platform authenticates with short-lived federated tokens instead of a stored secret
  • Azure Bot Service (Azure Bot) with the Teams channel enabled, pointing at the bot_endpoint you provide
  • Resource Group to contain all Azure resources

Microsoft Graph Permissions

The module grants the following Microsoft Graph application (app-only) permissions to the bot's service principal. These are app roles assigned through azuread_app_role_assignment, so they apply tenant-wide rather than to a single signed-in user:

  • User.Read.All - Read user profiles to map from emails to identities
  • TeamsAppInstallation.ReadWriteSelfForTeam.All - Install/uninstall app for teams
  • TeamsAppInstallation.ReadWriteSelfForUser.All - Install/uninstall app for users
  • Team.ReadBasic.All - Read basic team information for mapping configuration
  • Channel.ReadBasic.All - Read basic channel information for mapping configuration
  • AppCatalog.Read.All - Discover uploaded Teams app identity

Admin consent is granted programmatically during deployment by creating the app role assignments, so no manual consent step in the portal is required. The deploying identity must therefore be allowed to grant tenant-wide consent for these Graph permissions; if the apply fails at azuread_app_role_assignment.msgraph_permissions, that is the place to look first.

Security

  • Passwordless authentication: Stacklet's platform presents a token from the AWS issuer you configure (wif_issuer_url) and Azure AD exchanges it for an access token for the bot application, via the federated identity credential. The application trusts whatever issuer and subject are in that credential, so confirm the values you pass in match the ones Stacklet provides before you apply.
  • No secrets stored: the module creates no client secret or certificate on the application. Anyone who later adds one in the portal reintroduces a long-lived credential; review the application's credentials as part of normal hygiene.
  • Minimal permissions: only the Microsoft Graph permissions required for Teams functionality are granted. Note that they are still tenant-wide application permissions (User.Read.All, for example, reads every user's profile), so treat the service principal as a privileged identity.
  • Automatic admin consent: permissions are granted programmatically during deployment. The grant is visible afterwards under the enterprise application's Permissions blade, which is where to audit it.
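The claims in the Security section and the permission list above can be checked after terraform apply. The following is an added example, not part of the stacklet/terraform-msteams-bot module: it audits the JSON returned by the Azure CLI commands named in its docstring (all of which exist in az) against the README's claims: no password or certificate credentials on the application, a federated credential that trusts exactly the configured issuer and subject, and a Graph app role set equal to the six documented permissions. The sample documents at the bottom are constructed; their object ids and app role ids are placeholders, not Microsoft Graph's real ids, and the audience value is the azuread provider's default, assumed not to be overridden by the module. The expected subject is whatever value the module wrote into the credential (tied to trust_role_arn); pass it in rather than guessing it.

```python
"""Audit a deployed Teams bot app registration against the README's security claims.

Feed these functions the output of (CLIENT_ID = module output client_id,
SP_OBJECT_ID = object id of the bot's service principal):

  az ad app show --id $CLIENT_ID
  az ad app federated-credential list --id $CLIENT_ID
  az rest --method GET --url \
    "https://graph.microsoft.com/v1.0/servicePrincipals/$SP_OBJECT_ID/appRoleAssignments"
  az ad sp show --id 00000003-0000-0000-c000-000000000000   # Microsoft Graph's own SP
"""
import json

# Microsoft Graph application permissions the module documents.
EXPECTED_PERMISSIONS = {
    "User.Read.All",
    "TeamsAppInstallation.ReadWriteSelfForTeam.All",
    "TeamsAppInstallation.ReadWriteSelfForUser.All",
    "Team.ReadBasic.All",
    "Channel.ReadBasic.All",
    "AppCatalog.Read.All",
}
# azuread provider default audience for a federated identity credential
# (assumption: the module does not override it).
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def credential_findings(app):
    """'No secrets stored': any password or certificate credential is a finding."""
    findings = []
    for cred in app.get("passwordCredentials") or []:
        findings.append(f"client secret present: {cred.get('displayName') or cred.get('keyId')}")
    for cred in app.get("keyCredentials") or []:
        findings.append(f"certificate credential present: {cred.get('keyId')}")
    return findings


def federation_findings(creds, expected_issuer, expected_subject, audience=TOKEN_EXCHANGE_AUDIENCE):
    """Every federated credential must trust exactly the configured issuer/subject/audience."""
    if not creds:
        return ["no federated identity credential: the app has no usable credential at all"]
    findings = []
    for c in creds:
        if c.get("issuer") != expected_issuer:
            findings.append(f"{c['name']}: issuer {c.get('issuer')!r} != {expected_issuer!r}")
        if c.get("subject") != expected_subject:
            findings.append(f"{c['name']}: subject {c.get('subject')!r} != {expected_subject!r}")
        if c.get("audiences") != [audience]:
            findings.append(f"{c['name']}: audiences {c.get('audiences')!r} != {[audience]!r}")
    return findings


def _as_list(graph_response):
    """az rest wraps collections as {"value": [...]}; accept a bare list too."""
    return graph_response["value"] if isinstance(graph_response, dict) else graph_response


def permission_findings(assignments, graph_sp, expected=EXPECTED_PERMISSIONS):
    """Resolve appRoleId -> permission name through Graph's own appRoles, then diff."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted, findings = set(), []
    for a in _as_list(assignments):
        if a["resourceId"] != graph_sp["id"]:
            findings.append(f"assignment to a non-Graph API: {a.get('resourceDisplayName')}")
            continue
        granted.add(names.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>"))
    findings += [f"extra Graph permission: {p}" for p in sorted(granted - expected)]
    findings += [f"missing Graph permission: {p}" for p in sorted(expected - granted)]
    return findings


def audit(app, creds, assignments, graph_sp, issuer, subject):
    """All findings for one deployment; an empty list means the README's claims hold."""
    return (credential_findings(app)
            + federation_findings(creds, issuer, subject)
            + permission_findings(assignments, graph_sp))


# --- Constructed sample documents (shapes follow az output; ids are placeholders) ---
GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appRoles": [{"id": f"role-{i}", "value": v} for i, v in
                 enumerate(sorted(EXPECTED_PERMISSIONS) + ["Directory.ReadWrite.All"])],
}
ROLE_ID = {r["value"]: r["id"] for r in GRAPH_SP["appRoles"]}
GRAPH_ASSIGNMENT = {"resourceId": GRAPH_SP["id"], "resourceDisplayName": "Microsoft Graph"}
ASSIGNMENTS = {"value": [{"appRoleId": ROLE_ID[p], **GRAPH_ASSIGNMENT} for p in EXPECTED_PERMISSIONS]}
OVERGRANTED = {"value": ASSIGNMENTS["value"]
               + [{"appRoleId": ROLE_ID["Directory.ReadWrite.All"], **GRAPH_ASSIGNMENT}]}
CLEAN_APP = {"appId": "22222222-2222-2222-2222-222222222222",
             "passwordCredentials": [], "keyCredentials": []}
DRIFTED_APP = {**CLEAN_APP,
               "passwordCredentials": [{"keyId": "k1", "displayName": "added-by-hand"}]}
ISSUER = "https://example.invalid/aws-wif"                     # placeholder wif_issuer_url
SUBJECT = "arn:aws:iam::123456789012:role/stacklet-teams-bot"  # placeholder subject
FED_CREDS = [{"name": "aws_wif", "issuer": ISSUER, "subject": SUBJECT,
              "audiences": [TOKEN_EXCHANGE_AUDIENCE]}]

if __name__ == "__main__":
    print(json.dumps(audit(CLEAN_APP, FED_CREDS, ASSIGNMENTS, GRAPH_SP, ISSUER, SUBJECT), indent=2))
    print(json.dumps(audit(DRIFTED_APP, FED_CREDS, OVERGRANTED, GRAPH_SP, ISSUER, SUBJECT), indent=2))
```

The first audit call returns an empty list (the deployment matches the README); the second reports a hand-added client secret and an extra Directory.ReadWrite.All grant, which is the kind of drift that turns a scoped bot identity into a tenant-wide one. Running this on a schedule against the real az output is a cheap way to keep the "no secrets, minimal permissions" claim true over time.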

Troubleshooting

Permission Denied Errors

  • Verify you have the Application Administrator (or Global Administrator) role in Azure AD; granting the Graph application permissions is the step most likely to fail on a lesser role
  • Confirm you have User Access Administrator + Contributor (or Owner) on the target subscription
  • Check that you are logged in with az login to the intended tenant and subscription (az account show displays both)

Resource Provider Registration Issues

If you encounter errors about Microsoft.BotService provider registration taking too long or failing, the cause is usually the AzureRM Terraform provider's automatic provider registration. Register the resource provider yourself instead:

az provider register --namespace Microsoft.BotService

Wait until the provider's registration state reads Registered, then retry terraform apply.

Need Help?

Contact your Stacklet Customer Success team for assistance with:

  • Configuration issues
  • Deployment problems
  • Integration setup
  • Any other questions about your Stacklet Teams integration

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| azuread | ~> 2.47 |
| azurerm | ~> 3.0 |
| random | ~> 3.0 |

Providers

| Name | Version |
|------|---------|
| azuread | ~> 2.47 |
| azurerm | ~> 3.0 |
| random | ~> 3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azuread_app_role_assignment.msgraph_permissions | resource |
| azuread_application.teams_bot | resource |
| azuread_application_federated_identity_credential.aws_wif | resource |
| azuread_service_principal.teams_bot | resource |
| azurerm_bot_channel_ms_teams.teams_channel | resource |
| azurerm_bot_service_azure_bot.teams_bot | resource |
| azurerm_resource_group.teams_bot | resource |
| random_string.bot_suffix | resource |
| azuread_client_config.current | data source |
| azuread_service_principal.msgraph | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bot_endpoint | Bot webhook endpoint URL | string | n/a | yes |
| prefix | Prefix for all resource names (keep short to allow room for customer prefixes) | string | n/a | yes |
| roundtrip_digest | Token used by the Stacklet Platform to detect a mismatch between customerConfig and accessConfig | string | n/a | yes |
| tags | Tags to apply to all Azure resources | map(string) | {} | no |
| trust_role_arn | AWS IAM role ARN that will generate WIF tokens | string | n/a | yes |
| wif_issuer_url | AWS outbound identity federation issuer URL | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| access_blob | Configuration for the Stacklet platform; copy this value into the Stacklet Teams configuration |
| client_id | Teams bot application (client) ID |
| roundtrip_digest | Configuration validation token |
| tenant_id | Your Azure AD tenant ID |
