Reputation: 353
I am fairly new to Azure and Terraform, and am trying to create a secret client for an Azure Service Principal using Terraform. I am unable to figure this out.
This is what I have right now:
provider "azuread" {
  version         = "=0.7.0"
  client_id       = var.aws_client_id
  subscription_id = var.aws_subscription_id
  tenant_id       = var.aws_tenant_id
  client_secret   = var.aws_client_secret
}

# Create an application
resource "azuread_application" "app" {
  name = var.azurerd_app_name
}

# Create a service principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}
This is what I was trying (not very sure about it):
resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z" # Forever
  service_principal_id = azuread_service_principal.app.id
  value                = random_string.password.result
}
This, obviously, doesn't work. It is not giving any error, but no secret is visible in the Azure console. It looks like this is for attaching some password to the service principal, but I am not very sure what it is doing.
Please let me know what could be done regarding this. Any help would be appreciated. Thanks.
Upvotes: 8
Views: 17144
Reputation: 166
You can let Terraform and Azure create the password for you and then use terraform output to retrieve it. You probably want it to be marked as sensitive though.
# Create Azure AD App Registration
resource "azuread_application" "app" {
  display_name = "my-app"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

# Output the Service Principal and password
output "sp" {
  value     = azuread_service_principal.app.id
  sensitive = true
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}
Then terraform output sp_password will get it for you, and you won't have it getting printed out to the console on every plan and apply.
Upvotes: 0
Reputation: 7483
Actually, azuread_service_principal_password worked well, but the password did not show in the portal.
You could use azuread_application_password to manage a password associated with an application within Azure AD. See the NOTE: make sure the application has the permissions mentioned.
Upvotes: 9
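Putting the two answers above together, the following is an added example (not code from any of the answerers) of the application-password approach with the sensitive outputs from the first answer. It assumes the hashicorp/azuread provider at version 2.x, where application_id is still the service principal argument and azuread_application_password takes application_object_id; the hashicorp/time provider's time_rotating resource is used to force a new secret every 90 days via rotate_when_changed. The resource and display names are constructed for the example.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

# Authenticates from the environment (ARM_* variables or an `az login` session),
# so no credentials are hard-coded in this file.
provider "azuread" {}

# App registration; `display_name` replaced `name` from azuread 1.x onwards.
resource "azuread_application" "app" {
  display_name = "example-app" # constructed name
}

resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# Rotation driver: its id changes every 90 days, and any change to the
# `rotate_when_changed` map below forces Terraform to replace the secret.
resource "time_rotating" "secret" {
  rotation_days = 90
}

# Secret attached to the application object. This is the one the portal lists
# under "Certificates & secrets"; Azure generates the value, Terraform never
# supplies it, so no random_string resource is needed.
resource "azuread_application_password" "app" {
  application_object_id = azuread_application.app.object_id
  display_name          = "terraform-managed" # constructed name
  end_date_relative     = "2160h"             # 90 days, matching the rotation period

  rotate_when_changed = {
    rotation = time_rotating.secret.id
  }
}

output "client_id" {
  value = azuread_application.app.application_id
}

# `sensitive = true` makes plan/apply print "(sensitive value)" instead of the
# secret. The value is still written in plaintext to the Terraform state, so the
# state backend (for example a locked-down Azure Storage account) has to be
# protected like any other secret store.
output "client_secret" {
  value     = azuread_application_password.app.value
  sensitive = true
}
```

After `terraform apply`, `terraform output -raw client_secret` (the -raw flag exists from Terraform 0.15) prints the secret on demand for pasting into a CI variable or key vault, while ordinary plan and apply runs never echo it. Because the application_object_id changes if the application is recreated, the password is recreated with it, which is the behaviour you want for a credential tied to that app.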
Reputation: 2603
The client secret for the service principal created in your example will work. The client secret will have the value of random_string.password.result, as you're assigning that to azuread_service_principal_password.app.value, which is the client secret.
If you'd like to output the client secret to the console to see it, you can either create a terraform output:
output "client_secret" {
  value     = random_string.password.result
  sensitive = false # Note that you might not want to print this out in the console all the time
}
You can also ask whenever you wish for terraform to print out the value from its state:
$ terraform state show random_string.password
Upvotes: 4