7

I am fairly new to Azure and Terraform, and am trying to create a client secret for an Azure Service Principal using Terraform. I am unable to figure this out.

This is what I have right now:

provider "azuread" {
  version = "=0.7.0"
  client_id = var.aws_client_id
  subscription_id = var.aws_subscription_id
  tenant_id = var.aws_tenant_id
  client_secret = var.aws_client_secret
}

# Create an application
resource "azuread_application" "app" {
  name = var.azurerd_app_name
}

# Create a service principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

This is what I was trying (not very sure about it):

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z"                        # Forever
  service_principal_id = azuread_service_principal.app.id
  value                = random_string.password.result
}

This, obviously, doesn't work. It is not giving any error, but no secret is visible in the Azure console. Looks like this is for attaching some password to the service principal, but I am not very sure what it is doing.

Please let me know what could be done regarding this. Any help would be appreciated. Thanks.

Shikhar Ambashta
  • 195
  • 3
  • 10

3 Answers

8

Actually, azuread_service_principal_password worked well, but the password did not show in the portal.

You could use azuread_application_password to manage a Password associated with an Application within Azure AD. See the NOTE; make sure the application has the permissions mentioned.

unknown
  • 6,778
  • 1
  • 5
  • 14
  • Does the service principal even show up for you in the Azure portal? I can't find it. I have to use `terraform output` to get the password when I have this `resource "azuread_service_principal_password" "app" { service_principal_id = azuread_service_principal.app.id } output "sp_password" { value = azuread_service_principal_password.app.value sensitive = true }` – Accidental Admin Feb 21 '22 at 14:48
  • I believe the link is now [azuread_application_password](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password). – Accidental Admin Feb 21 '22 at 15:04
3

The client secret for the service principal created in your example will work. The client secret will have the value of random_string.password.result, as you're assigning that to azuread_service_principal_password.app.value, which is the client secret.

If you'd like to output the client secret to the console to see it, you can create a terraform output:

output "client_secret" {
  value = random_string.password.result
  sensitive = false # Note that you might not want to print this out in the console all the time
}

You can also ask whenever you wish for terraform to print out the value from its state:

$ terraform state show random_string.password
pijemcolu
  • 2,257
  • 22
  • 36
0

You can let Terraform and Azure create the password for you and then use terraform output to retrieve it. You probably want it to be marked as sensitive though.

# Create Azure AD App Registration
resource "azuread_application" "app" {
  display_name = "my-app"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

# Output the Service Principal and password
output "sp" {
  value     = azuread_service_principal.app.id
  sensitive = true
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}

Then terraform output sp_password will get it for you, and it won't get printed to the console on every plan and apply.
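Whichever of the approaches above you use, the credential value is written to the Terraform state in plaintext (sensitive = true only redacts console output), so the state itself has to be protected like any other secret store. The following is an added example, not code from the question or any of the answers: a small Python audit over a constructed state file that finds every azuread_service_principal_password and flags the ones whose validity window exceeds a policy, such as the "2299 / Forever" end_date from the question. The resource names, dates and the placeholder value in the sample state are constructed.

```python
import json
from datetime import datetime

# Constructed sample of a Terraform state file (schema version 4) holding the
# resources from the question plus a second, short-lived password. The "value"
# attribute is a placeholder, but in a real state it is the actual client secret.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "azuread_service_principal", "name": "app",
         "instances": [{"attributes": {"id": "11111111-aaaa-4bbb-8ccc-222222222222"}}]},
        {"mode": "managed", "type": "azuread_service_principal_password", "name": "app",
         "instances": [{"attributes": {
             "service_principal_id": "11111111-aaaa-4bbb-8ccc-222222222222",
             "start_date": "2020-04-01T00:00:00Z",
             "end_date": "2299-12-30T23:00:00Z",  # the "Forever" date from the question
             "value": "PLACEHOLDER-not-a-real-secret"}}]},
        {"mode": "managed", "type": "azuread_service_principal_password", "name": "short",
         "instances": [{"attributes": {
             "service_principal_id": "11111111-aaaa-4bbb-8ccc-222222222222",
             "start_date": "2022-01-01T00:00:00Z",
             "end_date": "2022-04-01T00:00:00Z",
             "value": "PLACEHOLDER-not-a-real-secret"}}]},
    ],
})


def _parse(ts):
    """Parse the RFC 3339 UTC timestamps the azuread provider writes (fractional seconds dropped)."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def audit_sp_passwords(state_json, max_days=365):
    """Return one finding per azuread_service_principal_password instance in the state.

    Each finding records the resource address, how many days the credential is valid,
    whether that exceeds max_days, and whether the plaintext value is present in state.
    """
    findings = []
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") != "azuread_service_principal_password":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            days = (_parse(attrs["end_date"]) - _parse(attrs["start_date"])).days
            findings.append({
                "address": f'{res["type"]}.{res["name"]}',
                "valid_days": days,
                "exceeds_policy": days > max_days,
                "value_in_state": bool(attrs.get("value")),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sp_passwords(SAMPLE_STATE):
        print(finding)
```

Run it against a real terraform.tfstate by passing the file contents instead of SAMPLE_STATE; a remote backend with access control and encryption at rest is the usual answer to the value_in_state finding.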