'How to create client secret for Azure Service Principal using Terraform
I am fairly new in Azure and Terraform, and am trying to create a secret client for Azure Service Principal using Terraform. I am unable to figure this out.
This is what I have right now:
provider "azuread" {
version = "=0.7.0"
client_id = var.aws_client_id
subscription_id = var.aws_subscription_id
tenant_id = var.aws_tenant_id
client_secret = var.aws_client_secret
}
# Create an application
resource "azuread_application" "app" {
name = var.azurerd_app_name
}
# Create a service principal
resource "azuread_service_principal" "app" {
application_id = azuread_application.app.application_id
}
This is what I was trying(Not very sure about it):
resource "random_string" "password" {
length = 32
special = true
}
# Create Service Principal password
resource "azuread_service_principal_password" "app" {
end_date = "2299-12-30T23:00:00Z" # Forever
service_principal_id = azuread_service_principal.app.id
value = random_string.password.result
}
This, obviously, doesn't work. This is not giving any error, but, no secret is visible on Azure console. Looks like this is for attaching some password to service principal but I am not very sure what it is doing.
Please let me know what could be done regarding this. Any help would be appreciated. Thanks
Solution 1:[1]
The client secret for the service principle created in your example will work. The client secret will have the value of random_string.password.result as you're assigning that to azuread_service_principal_password.app.value which is the client secret.
If you'd like to output the client secret to the console to see it, you can either create a terraform output:
output "client_secret" {
value = random_string.password.result
sensitive = false # Note that you might not want to print this in out in the console all the time
}
You can also ask whenever you wish for terraform to print out the value from its state:
$ terraform state show random_string.password.result
Solution 2:[2]
You can let Terraform and Azure create the password for you and then use terraform output to retrieve it. You probably want it to be marked as sensitive though.
# Create Azure AD App Registration
resource "azuread_application" "app" {
display_name = "my-app"
}
# Create Service Principal
resource "azuread_service_principal" "app" {
application_id = azuread_application.app.application_id
}
# Create Service Principal password
resource "azuread_service_principal_password" "app" {
service_principal_id = azuread_service_principal.app.id
}
# Output the Service Principal and password
output "sp" {
value = azuread_service_principal.app.id
sensitive = true
}
output "sp_password" {
value = azuread_service_principal_password.app.value
sensitive = true
}
Then terraform output sp_password will get it for you and you won't have it getting printed out to the console on every plan and apply.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | pijemcolu |
| Solution 2 | Accidental Admin |