Admin access issues

Trying to see what I am doing wrong here; I can't seem to get admin access.


terraform {
  # Terraform 1.0.x only; the remote backend keeps state in Terraform Cloud.
  # Anything written into resource arguments below (IDs, secrets) ends up in
  # that remote state, so the workspace itself should be treated as sensitive.
  required_version = "~> 1.0.0"

  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "sebank"

    workspaces {
      name = "boundary-config"
    }
  }

  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "~> 1.0"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.0"
    }
  }
}
  
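  provider "vault" {
    # This Vault serves the transit key that the boundary provider below uses
    # as its recovery KMS, so the connection is security-critical.
    address = "https://vault.istio.sbx.seb-int.cloud"

    # NOTE(review): TLS certificate verification is disabled here, which
    # leaves the recovery-KMS traffic open to interception. Prefer the default
    # (false) and trust the server's CA via `ca_cert_file` or `ca_cert_dir`.
    # The argument is a bool, so it is written as a literal rather than the
    # string "true" the original used; the value itself is left as the author
    # had it.
    skip_tls_verify = true
  }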
  
  provider "boundary" {
    # Controller API endpoint; the same host is used as api_url_prefix and
    # callback_url on the OIDC auth method below.
    addr             = "https://boundary.istio.sbx.seb-int.cloud"
    # Recovery KMS: Terraform authenticates through the "boundary" transit key
    # in Vault instead of through a Boundary auth method, which is why no
    # Boundary credentials appear in this file. This grants unrestricted
    # access to the controller, so access to the Vault key should be tightly
    # limited.
    # NOTE(review): the heredoc body is passed to Boundary verbatim; "root/"
    # as the Vault namespace is unusual (the root namespace is normally
    # expressed by omitting it) — confirm this resolves on this Vault.
    recovery_kms_hcl = <<EOT
  kms "transit" {
      purpose   = "recovery"
      address         = "https://vault.istio.sbx.seb-int.cloud"
      disable_renewal = "false"
      key_name   = "boundary"
      mount_path = "transit/"
      namespace  = "root/"
  }
  EOT
  }
  
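  output "auth_method_id" {
    description = "ID of the Azure AD OIDC auth method created in the global scope."
    value       = boundary_auth_method_oidc.provider.id
  }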
  
  resource "boundary_scope" "global" {
    # Adopts Boundary's built-in global scope so the rest of the config can
    # reference it as boundary_scope.global.id instead of the literal "global".
    global_scope = true
    scope_id     = "global"
    name         = "Global"
  }
  
  resource "boundary_scope" "org" {
    # Org scope created directly under global.
    scope_id    = "global"
    name        = "sebank"
    description = "sebank Org"

    # Neither the admin nor the default role is auto-created in this scope, so
    # any access inside it has to come from roles defined explicitly.
    auto_create_default_role = false
    auto_create_admin_role   = false
  }
  
  
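  resource "boundary_role" "boundaryadmin" {
    # Reference the adopted global scope (same value as the literal "global")
    # so Terraform orders this after the scope, consistent with the auth method.
    scope_id      = boundary_scope.global.id
    description   = "Full admin for members of the boundary-admins managed group"
    principal_ids = [boundary_managed_group.azuread.id]

    # Unrestricted grant: every resource ID, every type, every action.
    grant_strings = ["id=*;type=*;actions=*"]

    # NOTE(review): no grant_scope_id is set, so this role's grants apply in
    # the global scope only, while the org and project scopes created below
    # disable their auto-created admin roles. Admin access inside those scopes
    # needs a role whose grant scope points at them (or a role created in each
    # of them) — confirm the exact attribute against the provider version used.
  }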

  
resource "boundary_scope" "Azure" {
  # Project scope under the sebank org. (The resource label is capitalised
  # unlike the others; renaming it would change the state address, so it is
  # left as is.)
  name     = "Azure"
  scope_id = boundary_scope.org.id

  # No auto-created roles here either; access must be granted explicitly.
  auto_create_default_role = false
  auto_create_admin_role   = false
}

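# Client secret of the Azure AD app registration. Declared without a default so
# it is supplied out of band (TF_VAR_oidc_client_secret, or a sensitive
# workspace variable in Terraform Cloud) instead of being committed here.
# The literal that was previously in this file should be treated as exposed
# and rotated in Azure AD.
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "boundary_auth_method_oidc" "provider" {
  name        = "Azure AD"
  description = "oidc"
  scope_id    = boundary_scope.global.id

  # Azure AD v2.0 issuer and app registration for the Boundary client.
  issuer             = "https://login.microsoftonline.com/9bdb6f0a134/v2.0"
  client_id          = "ed1cc944-1d8fec936"
  client_secret      = var.oidc_client_secret # still recorded in remote state
  signing_algorithms = ["RS256"]

  # Both URLs point at the Boundary controller configured in the provider.
  api_url_prefix = "https://boundary.istio.sbx.seb-int.cloud"
  callback_url   = "https://boundary.istio.sbx.seb-int.cloud/v1/auth-methods/oidc:authenticate:callback"

  # Primary auth method for the global scope, published as active-public.
  is_primary_for_scope = true
  state                = "active-public"
}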

resource "boundary_managed_group" "azuread" {
  name           = "boundary-admins"
  description    = "Boundary Admins managed group"
  auth_method_id = boundary_auth_method_oidc.provider.id

  # Membership filter: accounts whose token's /token/groups claim contains
  # the group id held in var.adgroups (the quotes are escaped so the id is
  # compared as a string).
  filter = "\"${var.adgroups}\" in \"/token/groups\""
}


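output "managed-group-id" {
  # Name kept kebab-case for compatibility with existing consumers, although
  # auth_method_id above uses snake_case.
  description = "ID of the boundary-admins managed group on the Azure AD auth method."
  value       = boundary_managed_group.azuread.id
}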

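output "role-id" {
  # Name kept kebab-case for compatibility with existing consumers, although
  # auth_method_id above uses snake_case.
  description = "ID of the global-scope boundaryadmin role."
  value       = boundary_role.boundaryadmin.id
}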

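variable "adgroups" {
  # Single Azure AD group id matched against the token's groups claim in the
  # managed-group filter. Despite the plural name the type is a single string;
  # the filter interpolates it directly, so it is left as string.
  description = "Azure AD group object id whose members become Boundary admins."
  type        = string
  default     = "7fdd539963d4d896"
}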

When you say you can’t get admin access, do you mean to the scopes you’re creating? If so, note that you are disabling default/admin role creation. This is fine but you’ll need to either use the recovery method to create roles in the scopes that grant admin access, or you’ll need to create roles in the global scope and set grant_scope_id to the scopes you’re creating to provide the required access.

I am also facing the same issue. I am using the admin in the global scope to create a scope, but using the same connection with the Terraform provider I am not able to create a project or any other resource inside the newly created scope. Is there a way to achieve this so I can compile all the steps into a single Terraform module of mine?

What you probably need to do is create a new role at the global level that gives your Boundary global admin permissions in the new scope. Then you can create projects/etc. in that scope and create roles in it that give you access to create things in those projects, etc. If you have the references between the roles and scopes correct, most of the necessary ordering will happen automatically; for the things that don’t, you can use an explicit depends_on to force things to be created in the necessary order.