9

I am fairly new in Azure and Terraform, and am trying to create a secret client for Azure Service Principal using Terraform. I am unable to figure this out.

This is what I have right now:

provider "azuread" {
  version = "=0.7.0"
  client_id = var.aws_client_id
  subscription_id = var.aws_subscription_id
  tenant_id = var.aws_tenant_id
  client_secret = var.aws_client_secret
}

# Create an application
resource "azuread_application" "app" {
  name = var.azurerd_app_name
}

# Create a service principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

This is what I was trying (not very sure about it):

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z"                        # Forever
  service_principal_id = azuread_service_principal.app.id
  value                = random_string.password.result
}

This, obviously, doesn't work. It is not giving any error, but no secret is visible in the Azure console. It looks like this is for attaching some password to the service principal, but I am not very sure what it is doing.

Please let me know what could be done regarding this. Any help would be appreciated. Thanks

3 Answers 3

9

Actually, azuread_service_principal_password worked well, but the password did not show in the portal.

You could use azuread_application_password to manage a password associated with an application within Azure AD. See the NOTE there and make sure the application has the permissions mentioned.


2 Comments

Does the service principal even show up for you in the Azure portal? I can't find it. I have to use terraform output to get the password when I have this:

resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}

I believe the link is now azuread_application_password.
4

The client secret for the service principal created in your example will work. The client secret will have the value of random_string.password.result, as you're assigning that to azuread_service_principal_password.app.value, which is the client secret.

If you'd like to output the client secret to the console to see it, you can either create a terraform output:

output "client_secret" {
  value = random_string.password.result
  sensitive = false # You might not want to print this out in the console all the time
}

You can also ask whenever you wish for terraform to print out the value from its state:

$ terraform state show random_string.password


0

You can let Terraform and Azure create the password for you and then use terraform output to retrieve it. You probably want it to be marked as sensitive though.

# Create Azure AD App Registration
resource "azuread_application" "app" {
  display_name = "my-app"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

# Output the Service Principal and password
output "sp" {
  value     = azuread_service_principal.app.id
  sensitive = true
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}

Then terraform output sp_password will get it for you and you won't have it getting printed out to the console on every plan and apply.

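Pulling the three answers together as an added example (this is not code from the question or from any of the answers): the secret is created as an azuread_application_password on the app registration, which is what the portal lists under Certificates & secrets, it is given a finite lifetime and rotated through the hashicorp/time provider instead of being valid "forever", and it is retrieved only through a sensitive output. It assumes the azuread 2.x provider; the display name my-app and the 90-day rotation period are constructed placeholders.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 2.0, < 3.0"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

# Credentials come from az login or the ARM_* environment variables,
# so no client secret is hard-coded in the configuration.
provider "azuread" {}

resource "azuread_application" "app" {
  display_name = "my-app" # constructed sample name
}

resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# A new timestamp every 90 days; changing it forces a fresh password below.
resource "time_rotating" "secret" {
  rotation_days = 90
}

# Password on the app registration: the "client secret" shown in the portal.
# Azure generates the value; it lives only in Terraform state, not in config.
resource "azuread_application_password" "app" {
  application_object_id = azuread_application.app.object_id
  display_name          = "terraform-managed"
  end_date_relative     = "2160h" # 90 days, matching the rotation period
  rotate_when_changed = {
    rotation = time_rotating.secret.id
  }
}

output "client_id" {
  value = azuread_application.app.application_id
}

output "client_secret" {
  value     = azuread_application_password.app.value
  sensitive = true # redacted in plan/apply output
}
```

Read the secret with `terraform output -raw client_secret` when you need it; because the state file now holds the secret, protect the backend accordingly.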
