Set up notifications for Root Tenant Group assignments azurerm_role_management_policy
I am trying to enable a notification (email to a Slack channel) whenever someone requests a PIM role activation. The Slack channel contains the admins who can approve the request.
I am unable to fix this.
Here are the tf configs:
resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true

    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    # Purpose: Sends notifications when users request to activate their eligible roles
    # When: Triggers on every PIM activation request
    eligible_activations {
      # Notifies the person requesting activation
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true                  # Include the requestor
        additional_recipients = [var.pim_slack_email] # Also notify Slack channel
      }

      # Notifies the approvers who need to action the request
      # approver_notifications {
      #   notification_level    = "Critical"
      #   default_recipients    = true                  # Include configured approvers
      #   additional_recipients = [var.pim_slack_email] # Also notify Slack channel
      # }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }

    # Purpose: Notifies when users are made eligible for roles
    # When: Triggers when PIM eligible roles are assigned
    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }

    # Purpose: Notifies when permanent role assignments are made
    # When: Triggers for direct (non-PIM) role assignments
    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }
  }
}
Please advise how to enable the config?
I am expecting this config to enable the Slack email when a user requests PIM approval.
Upvotes: 0
Views: 53
Set up notifications for Root Tenant Group assignments
While configuring an Azure Role Management Policy to enable PIM role activation notifications sent to a Slack email channel, follow the steps mentioned below:
Check that the email mentioned is properly set up in Slack to verify the email. If this fails, it results in a blocker.
The eligible_activations and eligible_assignments blocks should follow the correct Azure policy structure in Terraform's azurerm_role_management_policy.
Once you have confirmed the above two-point check, confirm that the group info provided is functional and available under Entra ID.
Demo configuration:
resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true

    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    eligible_activations {
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = [var.pim_slack_email]
      }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }

    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }

    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }
  }
}
Refer:
Integration between slack and email: https://clearfeed.ai/blogs/a-short-guide-to-integrating-slack-with-email
Upvotes: 0
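As an added example (not code from either post above), here is a self-contained, plan-able configuration that also declares the approver_notifications block, which the question's config leaves commented out. In the azurerm provider's notification_rules, eligible_activations accepts three recipient blocks: assignee_notifications goes to the requestor, admin_notifications to administrators, and approver_notifications to the approvers named in approval_stage. Since the Slack channel is where the approvers sit, the approver block is the one that carries the activation request to them. Variable names (mg_id, roles, groups, pim_slack_email) are the question's; the default values, the provider version constraint and the validation rule are assumptions added here.

```hcl
# Added example. Variable names follow the question; every default value is a
# constructed placeholder and must be replaced with your tenant's values.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.100" # assumption: a version that ships azurerm_role_management_policy
    }
  }
}

provider "azurerm" {
  features {}
}

variable "mg_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000" # placeholder management group ID
}

variable "roles" {
  type = map(object({ id = string }))
  default = {
    # Well-known built-in Owner role definition ID
    Owner = { id = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" }
  }
}

variable "groups" {
  type = map(object({ id = string }))
  default = {
    # placeholder object ID of the Entra ID group that approves requests
    "ad.azure.admins" = { id = "11111111-1111-1111-1111-111111111111" }
  }
}

variable "pim_slack_email" {
  type    = string
  default = "pim-approvals@example.invalid" # placeholder Slack email-to-channel address

  # Catch a mistyped address at plan time instead of silently dropping notifications.
  validation {
    condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.pim_slack_email))
    error_message = "pim_slack_email must be a single email address."
  }
}

resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true

    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    eligible_activations {
      # Requestor gets every activation mail, so they can see their own request.
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = []
      }

      # Approvers (the approval_stage group) plus the Slack channel receive the
      # activation request; this is the block the question left commented out.
      approver_notifications {
        notification_level    = "Critical"
        default_recipients    = true
        additional_recipients = [var.pim_slack_email]
      }

      # Administrators: keep the default recipients so an audit trail of
      # activations still reaches tenant admins, and copy the channel too.
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = true
        additional_recipients = [var.pim_slack_email]
      }
    }
  }
}
```

Run `terraform validate` and `terraform plan` first; a typo in any of the three block names fails validation because the provider schema only accepts admin_notifications, approver_notifications and assignee_notifications. After apply, open the role's PIM settings in the Entra ID portal and confirm the "Send notifications when eligible members activate this role" row lists the Slack address under the approver recipients. If mail still does not arrive, the answer's first check applies: the Slack workspace must have email-to-channel enabled and the address must be the one Slack generated.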