Bernard Halas

Reputation: 1190

Service Principal Creation by Terraform doesn't provide password/secret in the output

When generating a Service Principal in Azure manually, I'm provided a password as a result of the operation.

It's not the case, however, if I create the service principal with Terraform; the password is not among the outputs of this module:

    + azuread_service_principal.k8s_principal
        id:                <computed>
        application_id:    "${azuread_application.app.application_id}"
        display_name:      <computed>

Is there anything I missed? Why does the Terraform behavior differ in the output compared to the CLI?

Upvotes: 3

Views: 3877

Answers (3)

Ming M Zheng

Reputation: 304

For those using a newer version of Terraform, you don't need to preset the password; the following code is working fine:

    resource "azuread_service_principal_password" "auth_pwd" {
      service_principal_id = azuread_service_principal.auth.id
    }
    
    output "auth_client_secret" {
      value = azuread_service_principal_password.auth_pwd.value
      description = "output password"
      sensitive = true
    }

Then you can run the following CLI command to retrieve the password:

    terraform output -raw auth_client_secret

Tested on Terraform 1.0.10, hashicorp/azuread provider 2.11.

Upvotes: 4

Derek

Reputation: 1606

The password is a required INPUT to the azuread_service_principal_password block. As such, you can generate a random password and export it yourself. The complete Terraform code is something like this:

    resource "azuread_application" "app" {
      name = "${local.application_name}"
    }

    # Create Service Principal
    resource "azuread_service_principal" "app" {
      application_id = "${azuread_application.app.application_id}"
    }

    resource "random_string" "password" {
      length  = 32
      special = true
    }

    # Create Service Principal password
    resource "azuread_service_principal_password" "app" {
      end_date             = "2299-12-30T23:00:00Z"                        # Forever
      service_principal_id = "${azuread_service_principal.app.id}"
      value                = "${random_string.password.result}"
    }

    output "sp_password" {
      value = "${azuread_service_principal_password.app.value}"
      sensitive = true
    }

Upvotes: 8
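Putting Ming's and Derek's answers together for the azuread 2.x provider, here is an added, self-contained example (not code from any answer above) that lets the provider generate the secret, gives it an expiry instead of a "forever" end date, and copies it into an assumed pre-existing Key Vault so consumers never need to read it out of the state file. The `k8s-app`, `example-kv` and `example-rg` names are placeholders; note that the generated value is still written in plain text to the Terraform state, so the state backend itself needs access control and encryption.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.11" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azuread" {}
provider "azurerm" {
  features {}
}

resource "azuread_application" "app" {
  display_name = "k8s-app" # placeholder name
}

resource "azuread_service_principal" "k8s_principal" {
  application_id = azuread_application.app.application_id
}

# azuread 2.x generates the secret itself; no "value" input is required.
# The generated secret is stored in clear text in the Terraform state.
resource "azuread_service_principal_password" "k8s_principal" {
  service_principal_id = azuread_service_principal.k8s_principal.object_id
  end_date_relative    = "2160h" # 90 days, rather than a never-expiring credential
}

# Assumption: an existing Key Vault that the deploying identity may write secrets to
data "azurerm_key_vault" "secrets" {
  name                = "example-kv" # placeholder
  resource_group_name = "example-rg" # placeholder
}

# Hand the secret to workloads via Key Vault instead of via "terraform output"
resource "azurerm_key_vault_secret" "sp_secret" {
  name            = "k8s-principal-client-secret"
  value           = azuread_service_principal_password.k8s_principal.value
  key_vault_id    = data.azurerm_key_vault.secrets.id
  expiration_date = azuread_service_principal_password.k8s_principal.end_date
}

output "client_id" {
  value = azuread_service_principal.k8s_principal.application_id
}

# Kept sensitive so it is redacted from plan/apply logs; read with "terraform output -raw"
output "client_secret" {
  value     = azuread_service_principal_password.k8s_principal.value
  sensitive = true
}
```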

Nancy Xiong

Reputation: 28274

In the Terraform documentation, the azuread_service_principal block only defines the argument application_id and the attributes id and display_name, so you can only see these. Also, the azuread_service_principal_password block allows you to export the Key ID for the Service Principal Password. You still cannot see the real password.

In the Azure CLI, az ad sp create-for-rbac has an optional parameter --Password, so you can see the password in the output.

Upvotes: 2
