Admin access issues

Trying to see what i am doing wrong here, i cant seem to get admin access


terraform {
    required_version = "~> 1.0.0"
  
    required_providers {
      vault = {
        source  = "hashicorp/vault"
        version = "~> 3.0"
      }
      boundary = {
        source  = "hashicorp/boundary"
        version = "~> 1.0"
      }
    }
  
    backend "remote" {
      hostname     = "app.terraform.io"
      organization = "sebank"
  
      workspaces {
        name = "boundary-config"
      }
    }
  }
  
  provider "vault" {
    address         = "https://vault.istio.sbx.seb-int.cloud"
    skip_tls_verify = "true"
  }
  
  provider "boundary" {
    addr             = "https://boundary.istio.sbx.seb-int.cloud"
    recovery_kms_hcl = <<EOT
  kms "transit" {
      purpose   = "recovery"
      address         = "https://vault.istio.sbx.seb-int.cloud"
      disable_renewal = "false"
      key_name   = "boundary"
      mount_path = "transit/"
      namespace  = "root/"
  }
  EOT
  }
  
  output "auth_method_id" {
    value = boundary_auth_method_oidc.provider.id
  }
  
  resource "boundary_scope" "global" {
    scope_id     = "global"
    name         = "Global"
    global_scope = true
  }
  
  resource "boundary_scope" "org" {
    scope_id    = "global"
    name        = "sebank"
    description = "sebank Org"
  
    auto_create_admin_role   = false
    auto_create_default_role = false
  }
  
  
  resource "boundary_role" "boundaryadmin" {
    scope_id       = "global"
    grant_strings  = [
      "id=*;type=*;actions=*"
      ] 
    principal_ids  = [boundary_managed_group.azuread.id]
  }

  
resource "boundary_scope" "Azure" {
  scope_id = boundary_scope.org.id
  name     = "Azure"

  auto_create_admin_role   = false
  auto_create_default_role = false
}

resource "boundary_auth_method_oidc" "provider" {
  name                 = "Azure AD"
  description          = "oidc"
  scope_id             = boundary_scope.global.id
  issuer               = "https://login.microsoftonline.com/9bdb6f0a134/v2.0"
  client_id            = "ed1cc944-1d8fec936"
  client_secret        = "6JM7dk8dk5Nz"
  callback_url         = "https://boundary.istio.sbx.seb-int.cloud/v1/auth-methods/oidc:authenticate:callback"
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.istio.sbx.seb-int.cloud"
  is_primary_for_scope = true
  state                = "active-public"
}

resource "boundary_managed_group" "azuread" {
  auth_method_id = boundary_auth_method_oidc.provider.id
  description    = "Boundary Admins managed group"
  name           = "boundary-admins"
  filter         = "\"${var.adgroups}\" in \"/token/groups\""
}


output "managed-group-id" {
  value = boundary_managed_group.azuread.id
}

output "role-id" {
  value = boundary_role.boundaryadmin.id
}

variable "adgroups" {
    type    = string
    default = "7fdd539963d4d896"
  }

When you say you can’t get admin access, do you mean to the scopes you’re creating? If so, note that you are disabling default/admin role creation. This is fine but you’ll need to either use the recovery method to create roles in the scopes that grant admin access, or you’ll need to create roles in the global scope and set grant_scope_id to the scopes you’re creating to provide the required access.