Generate Azure Entra Groups with map type and multiple owners for each Entra Group

Hi Folks,

Looking for some advice here with Terraform and creating Entra Groups in Azure programmatically and adding different owners to each group when creating these groups.

I received an Excel file that has one record for each Entra group to be generated and its respective attributes. Please see the structure below.

GroupName
GroupDescription
GroupOwners
GroupMember

The plan so far is to convert the Excel file into the map type in Terraform below and iterate over this to drive the creation of the group and assign the different owners and member.

```hcl
variable "Entra_Groups" {
  type = map(any)
  default = {
    Group_1 = {
      Group_name      = "Group_1"
      Group_Desc      = "Desc of Group 100"
      Group_Owner_Of  = ["user1@test.onmicrosoft.com",
                         "user2@test.onmicrosoft.com"]
      Group_Member_Of = "ParentGroup"
    }
    Group_2 = {
      Group_name      = "Group_2"
      Group_Desc      = "Desc of Group 2"
      Group_Owner_Of  = ["another user email",
                         "another user email"]
      Group_Member_Of = "ParentGroup"
    }
  }
}
```

The member in that case is easy because it is always the same no matter what group and just one other group. So, no pain there.

The challenge currently is the group owners. This can be one or multiple users for each group and basically, we need to add them dynamically to each group.

So, it is a nested loop structure when thinking of how this gets done in terraform. How can one iterate over the list of emails that itself is an attribute of the map? There could be up to 10 owners or just 2 for the different Entra groups in the Excel file.

I am able to create the groups without the owners but can’t get it to work including the owners. With multiple owners (User_Principals) I need another loop to iterate through the items of emails/user_principals and assign this dynamically to each group as it gets created.

Basically, the question is how can we iterate through an attribute within a map that consists of multiple items and use the individual items to add them as owners.

These user principals also need to be converted to IDs since the use of just emails isn’t working.

Below is some code from my main.tf.
I got this code initially from a sample for a single group using a list and tried to fit it to the map type.

```hcl
locals {
  admin_users = { for owner in var.Entra_Groups["Group_Owner_Of"] : owner => owner }
  comb        = data.azuread_user.group_owners.*.object_id
}

data "azuread_user" "group_owners" {
  count = length(var.Entra_Groups["Group_Owner_Of"])

  # Above line does not work. Need to get the number of emails in the owner attribute
  user_principal_name = var.Entra_Groups[count.index]
}

data "azuread_client_config" "current" {}

resource "azuread_group" "example1" {
  for_each     = var.Entra_Groups
  display_name = each.value["Group_name"]
  description  = each.value["Group_Desc"]
  # owners = local.comb - This does not work currently.
}
```

Any hints on how this can be done elegantly would be great.
If there is a better approach to do this, I am eager to hear more.

Thanks again for any help,
Lewis
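The nested-loop problem described in the post, as an added example that is not the poster's code: flatten every group's owner list into one set, resolve each UPN to an object ID once with a `for_each` data source keyed by UPN, then map each group's own owner list back to IDs. It assumes the `azuread` provider, the attribute names from the post, values supplied via `.tfvars`, and that the parent group already exists; the resource names `owners`, `parents`, `this` and `parent` are hypothetical.

```hcl
# Added example (not the poster's code). Assumes the hashicorp/azuread provider
# and the variable layout from the post; values come from a .tfvars file.
variable "Entra_Groups" {
  type = map(object({
    Group_name      = string
    Group_Desc      = string
    Group_Owner_Of  = list(string)   # one or many owner UPNs per group
    Group_Member_Of = string         # display name of the existing parent group
  }))
}

# Step 1: collect every distinct owner UPN across all groups into one set,
# so each user is looked up exactly once even if they own several groups.
locals {
  all_owner_upns = toset(flatten([
    for g in var.Entra_Groups : g.Group_Owner_Of
  ]))
  parent_group_names = toset([for g in var.Entra_Groups : g.Group_Member_Of])
}

# Step 2: resolve each UPN to an object ID; the map key is the UPN itself.
data "azuread_user" "owners" {
  for_each            = local.all_owner_upns
  user_principal_name = each.key
}

data "azuread_group" "parents" {
  for_each         = local.parent_group_names
  display_name     = each.key
  security_enabled = true
}

# Step 3: per group, turn that group's owner list into the set of object IDs.
resource "azuread_group" "this" {
  for_each         = var.Entra_Groups
  display_name     = each.value.Group_name
  description      = each.value.Group_Desc
  security_enabled = true
  owners = [for upn in each.value.Group_Owner_Of : data.azuread_user.owners[upn].object_id]
}

# Step 4: add each new group as a member of its parent group.
resource "azuread_group_member" "parent" {
  for_each         = var.Entra_Groups
  group_object_id  = data.azuread_group.parents[each.value.Group_Member_Of].object_id
  member_object_id = azuread_group.this[each.key].object_id
}
```

Because the owner lookups are keyed by UPN, a mistyped or deprovisioned owner in the spreadsheet fails at plan time in `data.azuread_user.owners` instead of producing a group with silently missing owners, and the plan diff shows exactly which owner (a privileged role that can change group membership) is being added or removed from which group.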