Reputation: 691
I want to use the azuread provider in Terraform to add a resource into an AzureAD Group after the creation of that resource. The script I am running in an Azure Devops Pipeline using the CLI and a Windows Agent.
For this we have of course a service principal dedicated to the DevOps who has the permission to add into that group. Running the terraform plan I am getting this error 'Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).'
The error is clear but is there any way to workaround this or am I missing something? I can only use a Service Principal for this.
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.56.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~>0.8"
    }
  }
}

resource "azuread_group_member" "example" {
  group_object_id = "xxx-xxx-xxxxx"
  # The member must be an Azure AD object ID; the data factory's ARM resource id
  # is not one. Use the object ID of its managed identity, which requires
  # identity { type = "SystemAssigned" } on azurerm_data_factory.adf.
  member_object_id = azurerm_data_factory.adf.identity[0].principal_id
}
```
Upvotes: 0
Views: 521
Reputation: 23828
You should add service provider credentials into environment. Refer to this document.
You could use Azure CLI task with addSpnToEnvironment.
Use like this:
```yaml
- task: AzureCLI@2
  displayName: "Terraform"
  inputs:
    azureSubscription: shared-${{ parameters.environment }}-001
    scriptType: bash
    addSpnToEnvironment: true
    scriptLocation: inlineScript
    inlineScript: |
      export ARM_CLIENT_ID=$servicePrincipalId
      export ARM_CLIENT_SECRET=$servicePrincipalKey
      export ARM_TENANT_ID=$tenantId
      export ARM_SUBSCRIPTION_ID=$subscriptionId
```
Upvotes: 1
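As an added example (not code from the question or the answer above), the following bash script is what the inlineScript of that AzureCLI@2 task could call. It assumes, as the answer does, that `addSpnToEnvironment: true` exposes `servicePrincipalId`, `servicePrincipalKey`, `tenantId` and `subscriptionId` as shell variables for the duration of the task. It maps them onto the `ARM_*` variables that both the azurerm and azuread providers read for client-secret authentication, and fails fast with a message that names the missing variables without printing their values, so the client secret cannot end up in the pipeline log. The function names `map_spn_to_arm`, `check_arm_env` and `run_terraform_plan` are this example's own.

```bash
#!/usr/bin/env bash
# Added example: run inside the AzureCLI@2 task's inlineScript, after
# addSpnToEnvironment: true has populated the service-principal variables.

# Map the task's service-principal variables (assumed names, per the answer)
# onto the ARM_* variables read by the azurerm and azuread providers.
map_spn_to_arm() {
  export ARM_CLIENT_ID="${servicePrincipalId:-}"
  export ARM_CLIENT_SECRET="${servicePrincipalKey:-}"
  export ARM_TENANT_ID="${tenantId:-}"
  export ARM_SUBSCRIPTION_ID="${subscriptionId:-}"
}

# Return 0 if all four ARM_* variables are set and non-empty, 1 otherwise.
# Only the names of missing variables are printed, never their values.
check_arm_env() {
  missing=""
  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "service principal environment incomplete, missing:$missing" >&2
    return 1
  fi
  return 0
}

# Map, check, then plan. All three steps stay in this one task because
# variables exported here do not carry over into the next pipeline task.
run_terraform_plan() {
  map_spn_to_arm
  check_arm_env || return 1
  terraform init -input=false
  terraform plan -input=false -out=tfplan
}

# Invoke as: bash this_script.sh plan   (from the task's inlineScript)
if [ "${1:-}" = "plan" ]; then
  run_terraform_plan
fi
```

Because the azuread provider falls back to Azure CLI authentication only when no client secret is configured, setting `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET` and `ARM_TENANT_ID` is what removes the "only supported as a User" error; `check_arm_env` makes that precondition explicit instead of leaving it to the provider's error message.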