How to create client secret for Azure Service Principal using Terraform

3

8

I am fairly new in Azure and Terraform, and am trying to create a secret client for Azure Service Principal using Terraform. I am unable to figure this out.

This is what I have right now:

provider "azuread" {
  version = "=0.7.0"
  client_id = var.aws_client_id
  subscription_id = var.aws_subscription_id
  tenant_id = var.aws_tenant_id
  client_secret = var.aws_client_secret
}

# Create an application
resource "azuread_application" "app" {
  name = var.azurerd_app_name
}

# Create a service principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

This is what I was trying (not very sure about it):

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z"                        # Forever
  service_principal_id = azuread_service_principal.app.id
  value                = random_string.password.result
}

This, obviously, doesn't work. It is not giving any error, but no secret is visible on the Azure console. It looks like this is for attaching some password to the service principal, but I am not very sure what it is doing.

Please let me know what could be done regarding this. Any help would be appreciated. Thanks

Young answered 22/7, 2020 at 6:54 Comment(0)
8

Actually, azuread_service_principal_password worked well, but the password did not show in the portal.

You could use azuread_application_password to manage a password associated with an application within Azure AD. See the NOTE there and make sure the application has the permissions mentioned.

Lallation answered 22/7, 2020 at 7:26 Comment(2)
Does the service principal even show up for you in the Azure portal? I can't find it. I have to use terraform output to get the password when I have this:

resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}

Aracelyaraceous

I believe the link is now azuread_application_password.
Aracelyaraceous
4

The client secret for the service principal created in your example will work. The client secret will have the value of random_string.password.result, as you're assigning that to azuread_service_principal_password.app.value, which is the client secret.

If you'd like to output the client secret to the console to see it, you can either create a terraform output:

output "client_secret" {
  value     = random_string.password.result
  sensitive = false # Note that you might not want to print this out in the console all the time
}

You can also ask whenever you wish for terraform to print out the value from its state:

$ terraform state show random_string.password
Standice answered 22/7, 2020 at 7:32 Comment(0)
0

You can let Terraform and Azure create the password for you and then use terraform output to retrieve it. You probably want it to be marked as sensitive though.

# Create Azure AD App Registration
resource "azuread_application" "app" {
  display_name = "my-app"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
}

# Output the Service Principal and password
output "sp" {
  value     = azuread_service_principal.app.id
  sensitive = true
}

output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}

Then terraform output sp_password will get it for you and you won't have it getting printed out to the console on every plan and apply.

Aracelyaraceous answered 21/2, 2022 at 15:1 Comment(0)
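The same approach as the last answer written against a current azuread provider, as an added example that is not from any of the posters. It assumes provider version 2.47 or later (where azuread_service_principal takes client_id), the display name my-app, and that the provider authenticates through the Azure CLI or the ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID environment variables rather than through secrets in variables:

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"   # assumed; pick the version you actually run
    }
  }
}

# No client_secret here: credentials come from the Azure CLI or ARM_* env vars.
provider "azuread" {}

resource "azuread_application" "app" {
  display_name = "my-app"   # assumed name
}

resource "azuread_service_principal" "app" {
  client_id = azuread_application.app.client_id
}

# Azure AD generates the secret itself, so no random_string is needed and
# the secret never appears in the configuration. Give it a finite lifetime
# instead of a far-future end_date; 2160h is 90 days.
resource "azuread_service_principal_password" "app" {
  service_principal_id = azuread_service_principal.app.id
  end_date_relative    = "2160h"
}

# The application (client) ID is not secret and can be shown on every apply.
output "client_id" {
  value = azuread_application.app.client_id
}

# The generated secret is only readable from outputs/state; keep it sensitive
# so plan and apply redact it.
output "sp_password" {
  value     = azuread_service_principal_password.app.value
  sensitive = true
}
```

Run terraform output -raw sp_password to read just the secret when you need it. The value is still stored in plaintext in the Terraform state, so the state backend needs the same access controls as the secret itself.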
