Resource: azuread_application_app_role

Manages an app role for an application registration.

This resource is analogous to the app_role block in the azuread_application resource. When using these resources together, you should use the ignore_changes lifecycle meta-argument (see example below).

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator

Example Usage

resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "random_uuid" "example_administrator" {}

resource "azuread_application_app_role" "example_administer" {
  application_id = azuread_application_registration.example.id
  role_id        = random_uuid.example_administrator.id

  allowed_member_types = ["User"]
  description          = "My role description"
  display_name         = "Administer"
  value                = "admin"
}

Usage with azuread_application resource

resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    ignore_changes = [
      app_role,
    ]
  }
}

resource "azuread_application_app_role" "example_administer" {
  application_id = azuread_application.example.id
  # ...
}

Argument Reference

The following arguments are supported:

Attributes Reference

No additional attributes are exported.

Import

Application App Roles can be imported using the object ID of the application and the ID of the app role, in the following format.

terraform import azuread_application_app_role.example /applications/00000000-0000-0000-0000-000000000000/appRoles/11111111-1111-1111-1111-111111111111