Reputation: 1000
Using a terraform api connection to create a Microsoft Teams connection with a Service Account (an account whose password would not expire), because using managed identity for teams is a big problem.
This is also highlighted in the following post, with the potential solution of using a "Service Account": here.
However, I do not see an option to pass on a user name and password when creating the api connection using terraform.
I looked around in some examples where the argument parameter_values could be used. However, the examples I saw only refer to the oauth grant credentials type.
So, what now happens is: an api connection gets created but it says "test connection fails" as there is "no access token". I can do the authorization manually after connection deployment, but I would like to avoid it.
Is it possible to pass on the username and password when creating an api connection using terraform (or any other means)? The idea is to use "secret" variables in Devops (or even link to Azure Keyvault), so that sensitive info is not exposed, and pass that on to terraform apply.
This is the state of the api connection after terraform apply
P.S.: Also, to clarify again (which should be clear if the links I referred to are read): a service account is an organization user (whose password will never expire), like an AD user, just that it is not human. It is not a service principal with a client id and client secret.
Upvotes: 1
Views: 106
Reputation: 8018
Is it possible to pass on the username and password when creating an api connection using terraform:
There is no default option to pass the username and password using the parameter_values block when creating an Api connection with terraform. Instead, you can use Azure key vault secrets to store the secured values (username & password), obtain them from the key vault and pass them to the Api connection, which is clearly detailed below.
Refer to this SO post for a similar workaround, and also check this ARM template, which passes the username and password parameter values directly, as ARM supports that.
```hcl
# Sample secrets; the literal values are placeholders from the answer. In
# practice, supply them from a pipeline secret or a sensitive variable rather
# than committing them in plain text.
resource "azurerm_key_vault_secret" "example" {
  name         = "Username"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "example1" {
  name         = "Password"
  value        = "szecasdsd1an"
  key_vault_id = azurerm_key_vault.example.id
}
```
Complete terraform code:
```hcl
provider "azurerm" {
  features {}
}

# Identity running terraform; used for the vault tenant and access policy.
data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "Jahnavi"
}

resource "azurerm_key_vault" "example" {
  name                = "jahkeyvault"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  # Grant the deploying identity only what it needs to manage the secrets.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create",
      "Get"
    ]

    secret_permissions = [
      "Set",
      "Get",
      "Delete"
    ]
  }
}

# Sample secrets; the literal values are placeholders. Supply real ones from a
# pipeline secret or a sensitive variable rather than hardcoding them.
resource "azurerm_key_vault_secret" "example" {
  name         = "Username"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "example1" {
  name         = "Password"
  value        = "szecasdsd1an"
  key_vault_id = azurerm_key_vault.example.id
}

data "azurerm_managed_api" "example" {
  name     = "servicebus"
  location = data.azurerm_resource_group.example.location
}

resource "azurerm_servicebus_namespace" "example" {
  name                = "sbnj-conn-example"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  sku                 = "Basic"
}

resource "azurerm_api_connection" "example" {
  name                = "jah-connection"
  resource_group_name = data.azurerm_resource_group.example.name
  managed_api_id      = data.azurerm_managed_api.example.id
  display_name        = ""

  # Secret values are read from the Key Vault secret resources, not typed here.
  parameter_values = {
    connectionString = azurerm_servicebus_namespace.example.default_primary_connection_string
    username         = azurerm_key_vault_secret.example.value
    password         = azurerm_key_vault_secret.example1.value
  }

  lifecycle {
    # Azure does not read secret parameter values back, so ignore the diff
    # rather than re-submitting them on every apply. Attribute references
    # in ignore_changes are unquoted in Terraform 0.12 and later.
    ignore_changes = [parameter_values]
  }
}
```
If the above workaround still throws conflicts, use the Invoke-RestMethod PowerShell approach along with the required parameters to get an oauth token with the service account and connect it.
Upvotes: 1
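For the question's goal of keeping the credentials out of code entirely, here is an added example (not the answer's own Terraform) that reads pre-existing Key Vault secrets through data sources instead of writing literal values into the vault. The vault name, resource group, secret names and the connector name "teams" are assumptions, as is the connector accepting username/password parameter values the way the answer's approach does.

```hcl
# Added example, not the answer's code. Assumptions: Key Vault "kv-teams-svc"
# in resource group "rg-teams-conn" already holds the service account's
# credentials as secrets "teams-svc-username" and "teams-svc-password", and
# the target managed API accepts "username"/"password" parameter values.
data "azurerm_resource_group" "rg" {
  name = "rg-teams-conn"
}

data "azurerm_key_vault" "kv" {
  name                = "kv-teams-svc"
  resource_group_name = data.azurerm_resource_group.rg.name
}

# Read, don't create: the secrets were set out of band, so no credential
# material appears in this repository.
data "azurerm_key_vault_secret" "username" {
  name         = "teams-svc-username"
  key_vault_id = data.azurerm_key_vault.kv.id
}

data "azurerm_key_vault_secret" "password" {
  name         = "teams-svc-password"
  key_vault_id = data.azurerm_key_vault.kv.id
}

data "azurerm_managed_api" "teams" {
  name     = "teams" # assumed connector name
  location = data.azurerm_resource_group.rg.location
}

resource "azurerm_api_connection" "teams" {
  name                = "teams-svc-connection"
  resource_group_name = data.azurerm_resource_group.rg.name
  managed_api_id      = data.azurerm_managed_api.teams.id
  display_name        = "Teams (service account)"

  # Both values are marked sensitive by the provider, so they are redacted
  # in plan output, but they are still written to Terraform state.
  parameter_values = {
    username = data.azurerm_key_vault_secret.username.value
    password = data.azurerm_key_vault_secret.password.value
  }

  lifecycle {
    # The API does not read secret parameter values back, so ignore the
    # diff instead of re-submitting credentials on every apply.
    ignore_changes = [parameter_values]
  }
}
```

The identity running terraform apply needs Get permission on the vault's secrets. Because the values land in state, the state backend needs the same access controls as the vault.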