Fixes lint errors after template updates (#44)

* realign to template

* fix linting

* lint fix

* fix lint

* fix linting

* fix lint

* fix lint

* fix lint

* lint fix

* fix lint

* grp creation

* fmt

* recreate main

* fix lint

* rm extra local

* update doc

* template updates

* template updates

* lint fix

* lint fix

* lint fix

* lint fix

* fix lint

* fix lint

* fix lint

* update doc and example

* fix lint

* update example

* lint fix

* lint fix

* lint fix

* fix lint

* lint fix

* update doc and remoteapp

* fix lint

* resync with new version

* fix lint

* fix lint

* fix fmt

* fix lint

* fix lint

* lint fix

* lint fix

* lint fix

* lint fix

README.md

@@ -29,6 +29,7 @@ The following providers are used by this module:
 
 The following resources are used by this module:
 
+- [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
 - [azurerm_resource_group_template_deployment.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) (resource)
 - [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
@@ -40,12 +41,6 @@ The following resources are used by this module:
 
 The following input variables are required:
 
-### <a name="input_user_group_name"></a> [user\_group\_name](#input\_user\_group\_name)
-
-Description: Microsoft Entra ID User Group for AVD users
-
-Type: `string`
-
 ### <a name="input_virtual_desktop_application_group_host_pool_id"></a> [virtual\_desktop\_application\_group\_host\_pool\_id](#input\_virtual\_desktop\_application\_group\_host\_pool\_id)
 
 Description: (Required) Resource ID for a Virtual Desktop Host Pool to associate with the Virtual Desktop Application Group. Changing the name forces a new resource to be created.
@@ -142,36 +137,20 @@ object({
 
 Default: `null`
 
-### <a name="input_role_assignment_timeouts"></a> [role\_assignment\_timeouts](#input\_role\_assignment\_timeouts)
-
-Description: - `create` - (Defaults to 30 minutes) Used when creating the Role Assignment.
-- `delete` - (Defaults to 30 minutes) Used when deleting the Role Assignment.
-- `read` - (Defaults to 5 minutes) Used when retrieving the Role Assignment.
-
-Type:
-
-```hcl
-object({
-    create = optional(string)
-    delete = optional(string)
-    read   = optional(string)
-  })
-```
-
-Default: `null`
-
 ### <a name="input_role_assignments"></a> [role\_assignments](#input\_role\_assignments)
 
-Description:   A map of role assignments to create on the resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
+Description: A map of role assignments to create on the <RESOURCE>. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
 
-  - `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
-  - `principal_id` - The ID of the principal to assign the role to.
-  - `description` - The description of the role assignment.
-  - `skip_service_principal_aad_check` - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
-  - `condition` - The condition which will be used to scope the role assignment.
-  - `condition_version` - The version of the condition syntax. Leave as `null` if you are not using a condition, if you are then valid values are '2.0'.
+- `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
+- `principal_id` - The ID of the principal to assign the role to.
+- `description` - (Optional) The description of the role assignment.
+- `skip_service_principal_aad_check` - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
+- `condition` - (Optional) The condition which will be used to scope the role assignment.
+- `condition_version` - (Optional) The version of the condition syntax. Leave as `null` if you are not using a condition, if you are then valid values are '2.0'.
+- `delegated_managed_identity_resource_id` - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
+- `principal_type` - (Optional) The type of the `principal_id`. Possible values are `User`, `Group` and `ServicePrincipal`. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
 
-  > Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
+> Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
 
 Type:
 
@@ -184,6 +163,7 @@ map(object({
     condition                              = optional(string, null)
     condition_version                      = optional(string, null)
     delegated_managed_identity_resource_id = optional(string, null)
+    principal_type                         = optional(string, null)
   }))
 ```
 
@@ -273,6 +253,10 @@ The following outputs are exported:
 
 Description: This output is the full output for the resource to allow flexibility to reference all possible values for the resource. Example usage: module.<modulename>.resource.id
 
+### <a name="output_resource_id"></a> [resource\_id](#output\_resource\_id)
+
+Description: The ID of the Azure Virtual Desktop application group
+
 ## Modules
 
 No modules.

examples/default/README.md

@@ -82,6 +82,7 @@ data "azuread_group" "existing" {
   security_enabled = true
 }
 
+
 # Assign the Azure AD group to the application group
 resource "azurerm_role_assignment" "this" {
   principal_id                     = data.azuread_group.existing.id
@@ -103,7 +104,6 @@ module "appgroup" {
   virtual_desktop_application_group_resource_group_name          = azurerm_resource_group.this.name
   virtual_desktop_application_group_name                         = var.virtual_desktop_application_group_name
   virtual_desktop_application_group_type                         = var.virtual_desktop_application_group_type
-  user_group_name                                                = var.user_group_name
 }
 ```
 
@@ -161,14 +161,6 @@ Type: `string`
 
 Default: `"avdhostpool"`
 
-### <a name="input_user_group_name"></a> [user\_group\_name](#input\_user\_group\_name)
-
-Description: Microsoft Entra ID User Group for AVD users
-
-Type: `string`
-
-Default: `"avdgroup"`
-
 ### <a name="input_virtual_desktop_application_group_default_desktop_display_name"></a> [virtual\_desktop\_application\_group\_default\_desktop\_display\_name](#input\_virtual\_desktop\_application\_group\_default\_desktop\_display\_name)
 
 Description: (Optional) Option to set the display name for the default sessionDesktop desktop when `type` is set to `Desktop`.

examples/default/main.tf

@@ -71,6 +71,7 @@ data "azuread_group" "existing" {
   security_enabled = true
 }
 
+
 # Assign the Azure AD group to the application group
 resource "azurerm_role_assignment" "this" {
   principal_id                     = data.azuread_group.existing.id
@@ -92,5 +93,4 @@ module "appgroup" {
   virtual_desktop_application_group_resource_group_name          = azurerm_resource_group.this.name
   virtual_desktop_application_group_name                         = var.virtual_desktop_application_group_name
   virtual_desktop_application_group_type                         = var.virtual_desktop_application_group_type
-  user_group_name                                                = var.user_group_name
 }

examples/default/variables.tf

@@ -14,12 +14,6 @@ variable "host_pool" {
   description = "The name of the AVD Host Pool to assign the application group to."
 }
 
-variable "user_group_name" {
-  type        = string
-  default     = "avdgroup" # this should be replaced with your group. This is a sample group that is not supported.
-  description = "Microsoft Entra ID User Group for AVD users"
-}
-
 variable "virtual_desktop_application_group_default_desktop_display_name" {
   type        = string
   default     = null

examples/remoteapp/README.md

@@ -101,7 +101,6 @@ module "appgroup" {
   virtual_desktop_application_group_resource_group_name          = azurerm_resource_group.this.name
   virtual_desktop_application_group_name                         = var.virtual_desktop_application_group_name
   virtual_desktop_application_group_type                         = var.virtual_desktop_application_group_type
-  user_group_name                                                = var.user_group_name
 }
 
 # Sample applications
@@ -187,14 +186,6 @@ Type: `string`
 
 Default: `"avdhostpool"`
 
-### <a name="input_user_group_name"></a> [user\_group\_name](#input\_user\_group\_name)
-
-Description: Microsoft Entra ID User Group for AVD users
-
-Type: `string`
-
-Default: `"avdgroup"`
-
 ### <a name="input_virtual_desktop_application_group_default_desktop_display_name"></a> [virtual\_desktop\_application\_group\_default\_desktop\_display\_name](#input\_virtual\_desktop\_application\_group\_default\_desktop\_display\_name)
 
 Description: (Optional) Option to set the display name for the default sessionDesktop desktop when `type` is set to `Desktop`.

examples/remoteapp/main.tf

@@ -90,7 +90,6 @@ module "appgroup" {
   virtual_desktop_application_group_resource_group_name          = azurerm_resource_group.this.name
   virtual_desktop_application_group_name                         = var.virtual_desktop_application_group_name
   virtual_desktop_application_group_type                         = var.virtual_desktop_application_group_type
-  user_group_name                                                = var.user_group_name
 }
 
 # Sample applications

examples/remoteapp/variables.tf

@@ -14,12 +14,6 @@ variable "host_pool" {
   description = "The name of the AVD Host Pool to assign the application group to."
 }
 
-variable "user_group_name" {
-  type        = string
-  default     = "avdgroup" # this should be replaced with your group. This is a sample group that is not supported.
-  description = "Microsoft Entra ID User Group for AVD users"
-}
-
 variable "virtual_desktop_application_group_default_desktop_display_name" {
   type        = string
   default     = null

main.tf

@@ -34,6 +34,15 @@ resource "azurerm_role_assignment" "this" {
   skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
 }
 
+resource "azurerm_management_lock" "this" {
+  count = (var.lock != null) ? 1 : 0
+
+  lock_level = var.lock.kind
+  name       = coalesce(var.lock.name, "lock-${var.virtual_desktop_application_group_name}")
+  scope      = azurerm_virtual_desktop_application_group.this.id
+  notes      = var.lock.kind == "CanNotDelete" ? "Cannot delete the resource or its child resources." : "Cannot delete or modify the resource or its child resources."
+}
+
 # Create Diagnostic Settings for AVD application group
 resource "azurerm_monitor_diagnostic_setting" "this" {
   for_each = var.diagnostic_settings

outputs.tf

@@ -1,6 +1,9 @@
-# Module owners should include the full resource via a 'resource' output
-# https://azure.github.io/Azure-Verified-Modules/specs/terraform/#id-tffr2---category-outputs---additional-terraform-outputs
 output "resource" {
   description = "This output is the full output for the resource to allow flexibility to reference all possible values for the resource. Example usage: module.<modulename>.resource.id"
   value       = azurerm_virtual_desktop_application_group.this
 }
+
+output "resource_id" {
+  value       = azurerm_virtual_desktop_application_group.this.id
+  description = "The ID of the Azure Virtual Desktop application group"
+}

variables.tf

@@ -1,8 +1,3 @@
-variable "user_group_name" {
-  type        = string
-  description = "Microsoft Entra ID User Group for AVD users"
-}
-
 variable "virtual_desktop_application_group_host_pool_id" {
   type        = string
   description = "(Required) Resource ID for a Virtual Desktop Host Pool to associate with the Virtual Desktop Application Group. Changing the name forces a new resource to be created."
@@ -112,20 +107,6 @@ variable "lock" {
   }
 }
 
-variable "role_assignment_timeouts" {
-  type = object({
-    create = optional(string)
-    delete = optional(string)
-    read   = optional(string)
-  })
-  default     = null
-  description = <<-EOT
- - `create` - (Defaults to 30 minutes) Used when creating the Role Assignment.
- - `delete` - (Defaults to 30 minutes) Used when deleting the Role Assignment.
- - `read` - (Defaults to 5 minutes) Used when retrieving the Role Assignment.
-EOT
-}
-
 variable "role_assignments" {
   type = map(object({
     role_definition_id_or_name             = string
@@ -135,21 +116,24 @@ variable "role_assignments" {
     condition                              = optional(string, null)
     condition_version                      = optional(string, null)
     delegated_managed_identity_resource_id = optional(string, null)
+    principal_type                         = optional(string, null)
   }))
   default     = {}
-  description = <<DESCRIPTION
-  A map of role assignments to create on the resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
-  
-  - `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
-  - `principal_id` - The ID of the principal to assign the role to.
-  - `description` - The description of the role assignment.
-  - `skip_service_principal_aad_check` - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
-  - `condition` - The condition which will be used to scope the role assignment.
-  - `condition_version` - The version of the condition syntax. Leave as `null` if you are not using a condition, if you are then valid values are '2.0'.
-  
-  > Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
-  DESCRIPTION
   nullable    = false
+  description = <<DESCRIPTION
+A map of role assignments to create on the <RESOURCE>. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
+
+- `role_definition_id_or_name` - The ID or name of the role definition to assign to the principal.
+- `principal_id` - The ID of the principal to assign the role to.
+- `description` - (Optional) The description of the role assignment.
+- `skip_service_principal_aad_check` - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
+- `condition` - (Optional) The condition which will be used to scope the role assignment.
+- `condition_version` - (Optional) The version of the condition syntax. Leave as `null` if you are not using a condition, if you are then valid values are '2.0'.
+- `delegated_managed_identity_resource_id` - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
+- `principal_type` - (Optional) The type of the `principal_id`. Possible values are `User`, `Group` and `ServicePrincipal`. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
+
+> Note: only set `skip_service_principal_aad_check` to true if you are assigning a role to a service principal.
+DESCRIPTION
 }
 
 variable "tags" {