Privileged Access Management
Source code & Installation
The source code of this kit module can be found here
Run the following command to install the kit module:
collie kit import azure/pam
This kit provides a basic terraform-based approach for managing privileged roles used to administrate your landing zones.
This is a good solution for cloud foundation teams that start in greenfield Azure environments and without a strong backing of established enterprise IAM integration into Entra ID (Azure AD).
For production use, cloud foundation teams should strongly consider implementing group membership management using existing Enterprise IAM processes as well as leveraging Entra ID PIM and Conditional Access features to increase security.
This module is meant to be used with modules like azure/billing or azure/logging that implement important administrative capabilities and also introduce relevant security groups and security roles for managing these capabilities.
Thee purpose of this kit module is then to collect the various PAM groups and permissions together and provide a central and cohesive overview.
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| azuread | ~> 2.41.0 |
| azurerm | ~> 3.71.0 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| azuread_group_member.pam_desired_memberships | resource |
| azuread_client_config.current | data source |
| azuread_group.pam_desired_groups | data source |
| azuread_group.pam_groups | data source |
| azuread_user.pam_desired_users | data source |
| azuread_user.pam_users | data source |
| azurerm_subscription.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| pam_group_members | Optional: manage members for cloud foundation PAM groups via terraform | list(object({ | n/a | yes |
| pam_group_object_ids | the object_ids of PAM groups used by the cloud foundation | list(string) | n/a | yes |
Outputs
| Name | Description |
|---|---|
| documentation_md | n/a |