How do I import an Azure AD Service Principal Password into Terraform?

We're using Terraform to build our cloud infrastructure. Previously we had a few service principals created without Terraform that are being used right now in production and can't be changed. Now we want to move the creation of those service principals to Terraform, but we're unable to import the previous ones while keeping a structure to create new ones using random_string.

resource "azuread_service_principal_password" "service-images" {
  for_each             = toset(var.profiles)
  service_principal_id = azuread_service_principal.service-images[each.value].id
  end_date             = "2222-01-01T23:00:00Z"
  value                = random_string.images_password[each.value].result
}
resource "random_string" "images_password" {
  for_each = toset(var.profiles)
  length   = 32
  special  = true
}

When we create a new service principal (by adding an element to the var.profiles list) it works fine, but when it's an already-used service principal, we're worried that Terraform will smash the previous value and go down in production.

Also, Terraform seems to have an import interface for azuread_service_principal_password:

terraform import azuread_service_principal_password.test 00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111

Where the first part is the ServicePrincipalObjectId and the second part is the ServicePrincipalPasswordKeyId; however, I can't find that latter value in the Azure Portal (where is it?).

How would you proceed?

Upvotes: 2

Views: 2221
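The import step described above, worked through for the for_each-keyed address in the question, as an added example that is not part of the original post. It assumes a logged-in Azure CLI (`az`) and Terraform in the working directory, and that the profile-to-object-id mapping is supplied by hand; the ids used in the sample invocation are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: find the password credential keyId of an existing service
# principal (it is not shown in the portal UI) and import it into the
# for_each-keyed resource address from the question.
set -euo pipefail

# Terraform address for one for_each profile key, e.g.
#   azuread_service_principal_password.service-images["images-prod"]
sp_password_address() {
  printf 'azuread_service_principal_password.service-images["%s"]' "$1"
}

# Import id in the "<ServicePrincipalObjectId>/<KeyId>" form from the question.
sp_password_import_id() {
  printf '%s/%s' "$1" "$2"
}

# Sanity check before touching state: both halves must look like GUIDs.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# keyId of every password credential on the service principal (object id).
list_password_key_ids() {
  az ad sp credential list --id "$1" --query '[].keyId' -o tsv
}

# usage: import_existing_password <profile> <sp_object_id>
# Assumes the service principal has exactly one password credential.
import_existing_password() {
  local profile=$1 sp_id=$2 key_id
  is_guid "$sp_id" || { echo "bad object id: $sp_id" >&2; return 1; }
  key_id=$(list_password_key_ids "$sp_id" | head -n 1)
  is_guid "$key_id" || { echo "no password credential on $sp_id" >&2; return 1; }
  terraform import "$(sp_password_address "$profile")" \
                   "$(sp_password_import_id "$sp_id" "$key_id")"
}

# Sample invocation with a constructed object id; only runs when called with "run".
if [ "${1:-}" = "run" ]; then
  import_existing_password "images-prod" "00000000-0000-0000-0000-000000000000"
fi
```

After the import, Terraform still manages `value` from random_string; if the next plan shows the imported resource being replaced, adding `lifecycle { ignore_changes = [value] }` to the resource keeps the existing production secret in place.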

Answers (1)

Charles Xu

Reputation: 31424

Unfortunately, as far as I know the service principal can only have one password. So you cannot keep the password for the old profile and also generate a new password for the new profile.

I will recommend you use the application registry secret for the authentication. The secrets of the application registry associated with the service principal can also be used for the service principal, and the application registry can have multiple secrets. So you need to create the resource azuread_application_password instead of the resource azuread_service_principal_password.

Here is an example:

# Look up the existing application registration by name
data "azuread_application" "example" {
  name = "My First AzureAD Application"
}

# Secrets live on the application, which may hold several of them
resource "azuread_application_password" "example" {
  application_object_id = data.azuread_application.example.id
  value                 = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
  end_date              = "2020-01-01T01:02:03Z"
}

Upvotes: 1
