# entra-id

## Requirements
The following requirements are needed by this module:
- azuread (~> 3.0)
## Providers
The following providers are used by this module:
- azuread (~> 3.0)
## Modules
No modules.
## Resources
The following resources are used by this module:
- azuread_application.cloudflare_access (resource)
- azuread_application.gcp_workforce (resource)
- azuread_application.github_saml (resource)
- azuread_application.google_workspace (resource)
- azuread_application_password.cloudflare_access (resource)
- azuread_application_password.gcp_workforce (resource)
- azuread_conditional_access_policy.admin_phishing_resistant_mfa (resource)
- azuread_conditional_access_policy.admin_portal_hardening (resource)
- azuread_conditional_access_policy.block_legacy_auth (resource)
- azuread_conditional_access_policy.device_compliance (resource)
- azuread_conditional_access_policy.require_mfa_all (resource)
- azuread_conditional_access_policy.trusted_location (resource)
- azuread_group.bitcain_admins (resource)
- azuread_group.break_glass (resource)
- azuread_group.cloudflare_admins (resource)
- azuread_group.gcp_admins (resource)
- azuread_group.github_admins (resource)
- azuread_group.github_developers (resource)
- azuread_named_location.trusted_network (resource)
- azuread_service_principal.cloudflare_access (resource)
- azuread_service_principal.gcp_workforce (resource)
- azuread_service_principal.github_saml (resource)
- azuread_service_principal.google_workspace (resource)
- azuread_service_principal_token_signing_certificate.github_saml (resource)
- azuread_service_principal_token_signing_certificate.google_workspace (resource)
- azuread_user.break_glass (data source)
## Required Inputs

The following input variables are required:

### environment

Description: Environment name

Type: `string`
## Optional Inputs

The following input variables are optional (have default values):

### admin_user_principal_name

Description: Primary admin UPN (must be @bitcain.net)

Type: `string`

Default: `"cain@bitcain.net"`

### break_glass_upn

Description: Break-glass account UPN excluded from all CA policies

Type: `string`

Default: `""`

### device_compliance_enabled

Description: Enable device compliance CA policy (CA-06). Requires Intune.

Type: `bool`

Default: `false`

### entra_p1_enabled

Description: Enable Conditional Access policies (requires Entra ID P1 license)

Type: `bool`

Default: `false`

### entra_tenant_id

Description: Entra ID tenant ID. Leave empty to skip all Entra resources (skeleton mode).

Type: `string`

Default: `""`

### fido2_enabled

Description: Enable the FIDO2 authentication strength policy and CA-02 (phishing-resistant MFA for admins). Requires registered FIDO2 keys and the Policy.ReadWrite.AuthenticationMethod permission.

Type: `bool`

Default: `false`

### trusted_location_cidrs

Description: CIDR ranges for trusted network locations (CA-05). Leave empty to skip CA-05.

Type: `list(string)`

Default: `[]`
## Outputs

The following outputs are exported:

### admins_group_id

Description: Bitcain admins group object ID

### auth_strength_policy_id

Description: Phishing-resistant authentication strength policy ID (built-in)

### break_glass_group_id

Description: Break-glass exclusion group object ID

### cloudflare_access_app

Description: Cloudflare Access application registration details

### conditional_access_policy_ids

Description: Conditional Access policy IDs (null when P1 not enabled)

### gcp_workforce_app

Description: GCP Workforce Federation application registration details

### github_saml_app

Description: GitHub SAML SSO application registration details

### github_saml_metadata

Description: GitHub SAML SSO metadata for configuring GitHub Enterprise

### google_workspace_app

Description: Google Workspace SAML application registration details

### google_workspace_saml_metadata

Description: Google Workspace SAML metadata for configuring Google Admin Console

### groups

Description: Entra ID security group IDs