[Examples] Deploy Azure service principal
Before you begin, please ensure that you have the necessary API permissions to create a service principal in Azure.
- Apply the following Terraform module (also available as a building block under azure\azuread\service-principal):
# Provider pin: the resource arguments used in this module are written
# against this exact azuread provider release.
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.39.0"
    }
  }
}
# Provider block is intentionally empty: tenant and credentials are expected
# to come from the environment (e.g. an existing Azure CLI login) — confirm
# this matches how the module is run in your pipeline.
provider "azuread" {
  # Configuration options
}
# Identity Terraform is running as; its object_id becomes the owner of the
# application and service principal, and its tenant_id is exported below.
data "azuread_client_config" "current" {}
# Azure AD application that backs the service principal. The principal
# running Terraform is registered as its owner.
resource "azuread_application" "building_blocks_spn" {
  owners       = [data.azuread_client_config.current.object_id]
  display_name = var.spn_name
}
# Service principal (enterprise application) for the application above.
resource "azuread_service_principal" "building_blocks_spn" {
  application_id = azuread_application.building_blocks_spn.application_id
  owners         = [data.azuread_client_config.current.object_id]

  # false: tokens are issued without requiring an explicit user/group
  # assignment to the app. Set to true if only assigned principals
  # should be able to use it.
  app_role_assignment_required = false

  feature_tags {
    enterprise = true
  }
}
# Client secret for the service principal. Its lifetime is controlled by
# var.spn_password_expiration; the generated value lands in Terraform state.
resource "azuread_service_principal_password" "service_principal_pw" {
  end_date             = var.spn_password_expiration
  service_principal_id = azuread_service_principal.building_blocks_spn.id
}
# Application (client) id — not secret, safe to print.
output "client_id" {
  value = azuread_application.building_blocks_spn.application_id
}
# Client secret. `sensitive = true` only redacts the value from plan/apply
# output: it is still stored in plaintext in the state file and is shown
# by `terraform output -json`, so state access must be restricted.
output "client_secret" {
  sensitive = true
  value     = azuread_service_principal_password.service_principal_pw.value
}
# Tenant the service principal was created in, taken from the caller's config.
output "tenant_id" {
  value = data.azuread_client_config.current.tenant_id
}
# Display name for the Azure AD application.
variable "spn_name" {
  description = "Name of the application"
  type        = string
  default     = "building-blocks-spn"
}
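# Expiry of the generated client secret (RFC 3339 timestamp).
variable "spn_password_expiration" {
  description = "Expiration date of the service principal password"
  type        = string
  # NOTE(review): the default is effectively a non-expiring credential;
  # callers should pass a short-lived value and rotate it instead.
  default     = "2999-01-01T01:02:03Z"

  validation {
    # A validation condition may only refer to the variable it belongs to.
    # The original referenced var.timestamp (it looks copied from the
    # Terraform docs example), which Terraform rejects at plan time.
    condition     = can(formatdate("", var.spn_password_expiration))
    error_message = "The spn_password_expiration variable requires a valid RFC 3339 timestamp (e.g. '2999-01-01T01:02:03Z')."
  }
}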
- Run `terraform output -json` to export the required values (note that `-json` prints the sensitive `client_secret` in plaintext, so handle the output accordingly).
- Assign the desired IAM role, such as 'contributor', to the service principal on the required scope.