Feature Request: azurerm_service_principal
#16
Comments
|
This is unblocked. The Go SDK for Azure has everything needed to manage lifecycle of AAD Apps/ServicePrincipals, as well as the RBAC Client. |
|
Is there any way this could be picked up in the near future? The inability to provision anything user/access related using the provider is a huge show-stopper for organizations wanting to provision their Azure subscriptions with code. |
tombuildsstuff
changed the title
|
@tombuildsstuff what's the status on this one? |
|
Does Explicit MSI not change the story here? I assume with explicit MSI I'll be able to create an SP via ARM rather than having to go to Graph? That's what I had in mind when I filed this originally anyway. It also seems more fitting that "azure_rm" module for identity would use ARM/MSI rather than talking to AAD directly, maybe? |
|
@tombuildsstuff ping on status of this one? |
tombuildsstuff
changed the title
azurerm_service_principal
|
@achandmsft missed your ping here, given the above I'm re-scoping this to focus on Service Principals - which is available in the SDK - Role Assignments can already be managed via Terraform, so that should support this auth story (which can be used for both Users, Service Principals and Service Principals coming from MSI) |
|
Is there guidance from Azure on whether users should go through Graph or Explicit MSI for provisioning service account identities in Terraform-like workflows? @achandmsft ? |
|
@colemickens the guidance is to use Graph as Explicit MSI might not be integrated with all downstream services. However MSI is good to use where available such as with App Service for instance. |
|
I don't understand, isn't explicit MSI creating an AAD identity and app? That's how implict MSI works... I thought explicit MSI was just being able to provision the service account and then directly re-use it? Can we get docs for explicit MSI please? |
|
Ah, sorry, docs seem to be public under a slightly different name. :) https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
I had wonder if maybe Explicit MSI would also expose SP/App as an ARM resource, but it seems this isn't the case. So I guess Terraform can only talk to Graph to provision identities. And then MSI only comes into play if you are using an MSI-enabled service and use a system-assigned identity or use a pre-provisioned Graph SP/App as a "system-assigned identity". Hopefully that's an accurate take on it. |
|
I don't know what the ARM API looks like, or if it exists, or if there are schemas/etc, but "identities" are now a first-rate concept support in the Azure CLI for EMSI scenarios. This is presumably what Terraform should be creating, rather than poking Graph directly. |
|
@tombuildsstuff Is this one up for grabs? I have a project coming up which would benefit from the functionality so I can look at building this out in a PR. On a related note we also want to create Azure AD Users too so I would probably look to create a provider for that functionality too as they're pretty closely related. |
|
@tombuildsstuff what is the current status of this one? |
|
@achandmsft this can be added once #1269 is merged (since it’s dependent on it) |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
This issue was originally opened by @colemickens as hashicorp/terraform#8094. It was migrated here as part of the provider split. The original body of the issue is below.
Feature request: Support creating AAD users and assigning RBAC roles.
Scenario: I want to automate creating Kubernetes clusters for Azure. We're doing this currently with Terraform + Ansible. It currently requires the user to provision a service account for the cluster manually and then feed those credentials into a config file that is used in a template_file data resource and then ultimately pushed into the VM and consumed by Ansible.
If I could have an
azurerm_aad_serviceprincipalthen I could automatically provision new service accounts, without needing to do it out of band. (Currently I'm considering using a local-exec provisioner to runazure-clito create the SP and assign it permissions to the resource group that Terraform is deploying/creating).Depends on: Azure/azure-sdk-for-go#378
The text was updated successfully, but these errors were encountered: