
For an integration, a service defines the following command to run

az ad sp create-for-rbac --role reader --scopes /subscriptions/{subscription_id}

Instead of running the command, I was wondering what the equivalent terraform code for az ad sp create-for-rbac was?

StephenG

2 Answers

provider "azuread" {
  version = "=0.3.0"
}

# The application object (what the portal shows under "App registrations").
resource "azuread_application" "auth" {
  name = "auth"
}

# The service principal backed by that application; this is the identity
# that gets the role assignment below.
resource "azuread_service_principal" "auth" {
  application_id = "${azuread_application.auth.application_id}"
}

# Generated locally by Terraform, so the value also ends up in the state file.
resource "random_string" "password" {
  length = 16
  special = true
  override_special = "/@\" "
}

# Password credential on the service principal, valid for 10 days (240h).
resource "azuread_service_principal_password" "auth" {
  service_principal_id = "${azuread_service_principal.auth.id}"
  value                = "${random_string.password.result}"
  end_date_relative    = "240h"
}

output "client_secret" {
  value = "${random_string.password.result}"
  description = "Client Secret"
}

provider "azurerm" {
  version = "=1.24.0"
}

# The subscription the current credentials are logged in to; its id is the
# equivalent of --scopes /subscriptions/{subscription_id}.
data "azurerm_subscription" "primary" {}

# Not referenced below; kept from the original answer.
data "azurerm_client_config" "current" {}

# Equivalent of --role reader: Reader on the whole subscription.
resource "azurerm_role_assignment" "auth" {
  scope                = "${data.azurerm_subscription.primary.id}"
  role_definition_name = "Reader"
  principal_id         = "${azuread_service_principal.auth.id}"
}
StephenG
  • Does this actually work for you? For me the Application is created and Terraform outputs the secret and no error message, however in the Azure portal there is no Client secret associated with the created app. I've tried both the provider versions of this post and the latest ones (0.4.0 and 0.30.1 respectively) – Mattias Jiderhamn Jun 10 '19 at 12:26
  • Works 100%, currently have a deployment running on this right now. Can you use the client ID, client secret, and tenant ID to auth into azure? You can try following this guide to test the creds that you've made: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-native-headless/ – StephenG Jun 10 '19 at 15:09
  • @MattiasJiderhamn I think this code is doing what it is supposed to, but I think you've misunderstood what that is. The azuread_service_principal_password is a password for the service principal account, but that isn't the same thing as the client secret on the Application. I'm trying to find a way of creating that with az cli or terraform but I don't think there is one yet. – bytejunkie Sep 11 '19 at 13:52
  • I don't believe these answers are applicable anymore. Please see https://stackoverflow.com/questions/71025381/how-do-i-automatically-create-service-principals-or-msis-with-terraform-for-use and https://learn.microsoft.com/en-us/answers/questions/197819/34insufficient-privileges-to-complete-the-operatio.html. Is there a way to do this now, automatically, without having to log in manually and perform the steps in the above link? – user658182 Feb 07 '22 at 21:53
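The same `az ad sp create-for-rbac --role reader --scopes /subscriptions/{subscription_id}` equivalent written against current provider releases, as an added example that is not from any answer on this page; the version constraints and the 2.x attribute names (`display_name`, `object_id`, the provider-generated `value`) are assumptions about azuread 2.x and azurerm 3.x.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" } # assumed
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" } # assumed
  }
}

provider "azuread" {}
provider "azurerm" {
  features {}
}

# Subscription of the logged-in credentials; its id is --scopes /subscriptions/{id}.
data "azurerm_subscription" "primary" {}

resource "azuread_application" "auth" {
  display_name = "auth" # azuread 2.x uses display_name instead of name
}

resource "azuread_service_principal" "auth" {
  application_id = azuread_application.auth.application_id
}

# In 2.x the provider generates the secret; `value` is read-only and the
# plain-text value is written to the Terraform state.
resource "azuread_service_principal_password" "auth" {
  service_principal_id = azuread_service_principal.auth.object_id
  end_date_relative    = "240h"
}

# --role reader on the subscription scope.
resource "azurerm_role_assignment" "auth" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.auth.object_id
}

output "client_id" {
  value = azuread_application.auth.application_id
}

output "tenant_id" {
  value = data.azurerm_subscription.primary.tenant_id
}

# sensitive = true redacts the value from plan/apply output; the state file
# still holds it, so the state backend needs the same protection as the secret.
output "client_secret" {
  value     = azuread_service_principal_password.auth.value
  sensitive = true
}
```

Read the secret with `terraform output -raw client_secret` after apply; the three outputs together are what the CLI command prints as appId, password and tenant.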

I had to put an alias in the second provider for this to work for me. Terraform 0.12 doesn't allow me to have 2 different Azure providers (Azure Resource Management and Azure Active Directory) without the alias.

provider "azuread" {
  version = "~> 0.3"
}

provider "azurerm" {
  version = "~>1.44.0"
  alias   = "azure_rm"
}

data "azurerm_subscription" "primary" {
  provider = azurerm.azure_rm
}

resource "azuread_application" "auth" {
  name = "${var.application_name}"
}

resource "azuread_service_principal" "auth" {
  application_id = "${azuread_application.auth.application_id}"
}

resource "azuread_service_principal_password" "auth" {
  service_principal_id = "${azuread_service_principal.auth.id}"
  value                = "${random_string.password.result}"
  end_date_relative    = "240h"
}

resource "random_string" "password" {
  length = "${var.password_length}"
  special = "${var.password_special}"
  override_special = "${var.password_override_special}"
}

resource "azurerm_role_assignment" "auth" {
  provider             = azurerm.azure_rm
  scope                = "${data.azurerm_subscription.primary.id}"
  role_definition_name = "Contributor"
  principal_id         = "${azuread_service_principal.auth.id}"
}

output "subscription-id" {
  value = "${data.azurerm_subscription.primary.id}"
  description = "subscription"
}

output "tenant" {
  value = "${data.azurerm_subscription.primary.tenant_id}"
  description = "tenant"
}

output "password" {
  value = "${random_string.password.result}"
  description = "password"
}

output "name" {
  value = "${azuread_application.auth.application_id}"
  description = "name"
}
Daniela
  • I think you may have had a provider setting for provider "azurerm" elsewhere in a separate piece of code. provider "azurerm" and provider "azuread" are two different providers so you will not need an alias to differentiate between them. – Marcus Adams Jul 23 '20 at 22:24