Terraform module to create service principal resource on AZURE.
We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.
This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.
We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.
This module has a few dependencies:
- Terraform 1.x.x
- Go
- github.com/stretchr/testify/assert
- github.com/gruntwork-io/terratest/modules/terraform
IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.
Here are some examples of how you can use this module in your inventory structure:
module "service-principal" {
source = "clouddrove/service-principal/azure"
version = "1.0.0"
name = "app"
environment = "test"
password_rotation_in_years = 1
end_date = "2024-05-01T01:02:03Z"
# Adding roles and scope to service principal
assignments = [
{
scope = "/subscriptions/068245XXXXXXXXXXe1cabc60c"
role_definition_name = "owner"
},
]
} module "virtual-machine" {
source = "clouddrove/service-principal/azure"
version = "1.0.0"
name = "app"
environment = "test"
enable_service_principal_certificate = true
end_date = "2024-05-01T01:02:03Z"
certificate_value = <<EOF
MIIC5jCCAc6gAwIBAgIIUeUhLYf6UNwwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
AxMGVlBOIENBMB4XDTIyMTExMTE0MzA1NFoXDTI1MTExMDE0MzA1NFowETEPMA0G
A1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6bxr
s1kwbRztA7mH7hxzcxzcbbhcdIXV8ehbzNIank1ByOqtBpQK1Xvde1z6rjL1hzCn
XD6xjW+xfF+yQ/zMyc6udrK2OvtuFmAsBYL5Bbb+Nf7U6Rp9IWZA6f/HO+XLft6q
sC0UD1wEK6LSn/1u+fCfT3UCMCjpskAtE3ossZCuhUjJ8jGNUb07Z84dQEQf0s3n
13V0kqNfpaxAhttttttttWlEGigoTqk6NcTNAzUEGR1b4Rt8qNzIwk8DhODfiOwT
ILsB3XWyA/IOv2eL3Eqx/lkykIBSEJALPE7j6igyTMoSPHtQA7NWrgYeWgiWh1AQ
VJpuY1vAIm3gfMAEoQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBBjAdBgNVHQ4EFgQUiEbr34wufRJ6+1Fh5am89bxRCuswDQYJKoZIhvcN
AQELBQADggEBABHs7e6X2uLpUPkfv0r8TH3MnskPEGObcqGDS8WWH0FO7hsbSMeZ
bTxJue6WTUvwrxYrmfqRZU/K+TtDregsa+GAYsl0wbl82nu2gBivpARLXYenfmwc
Zgul+ZwQPw7FB9rLugW7qKMhGUxYYnywTyfZI1EjP6ZAjYn7xB9G7zOGpkVCErPn
LIO1Knhk7J2XIXs6wCw1OcLJfXhjEEbnYZaHYA3LCTot9LM+3ecloILUo7rQgooB
4/YOgmo7Q3Qv0ahFvsEI/ZqSop6NpLlzIQ/T3hC/6m4aG/1u+yaac4E9ygZNg184
Mb0BNzEPxRFt+L8A72gd/nTcxGrxEcQlqEc=
EOF
password_rotation_in_years = 1
# Adding roles and scope to service principal
assignments = [
{
scope = "/subscriptions/06824XXXXXXXXXXXXXXe5ebc60c"
role_definition_name = "owner"
},
]
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_enabled | Whether or not the service principal account is enabled. Defaults to true. | bool |
true |
no |
| alternative_names | A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. | list(string) |
[] |
no |
| app_role_assignment_required | Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false. | bool |
false |
no |
| application | Application (e.g. cd or clouddrove). |
string |
"" |
no |
| assignments | The list of role assignments to this service principal | list(object({ |
[] |
no |
| azure_role_description | The description for this Role Assignment | any |
null |
no |
| azure_role_name | A unique UUID/GUID for this Role Assignment - one will be generated if not specified. | any |
null |
no |
| certificate_encoding | Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex |
string |
"pem" |
no |
| certificate_path | The path to the certificate for this Service Principal | string |
"" |
no |
| certificate_type | The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric | string |
"AsymmetricX509Cert" |
no |
| certificate_value | The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument. | string |
"" |
no |
| description | A description of the service principal provided for internal end-users. | any |
null |
no |
| device_only_auth_enabled | Specifies whether this application supports device authentication without a user. Defaults to false. | bool |
false |
no |
| display_name | Specifies a friendly name for the certificate. Must start with CN=. Changing this field forces a new resource to be created. | string |
"example.com" |
no |
| enable_service_principal_certificate | Manages a Certificate associated with a Service Principal within Azure Active Directory | bool |
false |
no |
| end_date | The end date until which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created. | string |
"" |
no |
| environment | Environment (e.g. prod, dev, staging). |
string |
"" |
no |
| fallback_public_client_enabled | Specifies whether the application is a public client. Appropriate for apps using token grant flows that don't use a redirect URI. Defaults to false. | bool |
false |
no |
| group_membership_claims | Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All. | list(string) |
[] |
no |
| identifier_uris | A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. | list(any) |
[] |
no |
| key_id | A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. | any |
null |
no |
| label_order | Label order, e.g. name,application. |
list(any) |
[ |
no |
| login_url | The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. | string |
null |
no |
| logo_image | A logo image to upload for the application, as a raw base64-encoded string. The image should be in gif, jpeg or png format. Note that once an image has been uploaded, it is not possible to remove it without replacing it with another image. | string |
null |
no |
| managedby | ManagedBy, eg 'CloudDrove' or 'AnmolNagpal'. | string |
"[email protected]" |
no |
| name | Name (e.g. app or cluster). |
string |
"" |
no |
| notes | A free text field to capture information about the service principal, typically used for operational purposes. | string |
null |
no |
| notification_email_addresses | A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. | list(any) |
[] |
no |
| password_end_date | The relative duration or RFC3339 rotation timestamp after which the password expire | any |
null |
no |
| password_rotation_in_days | Number of days to add to the base timestamp to configure the rotation timestamp. When the current time has passed the rotation timestamp, the resource will trigger recreation.Conflicts with password_end_date, password_rotation_in_years and either one must be specified, not all |
any |
null |
no |
| password_rotation_in_years | Number of years to add to the base timestamp to configure the password rotation timestamp. Conflicts with password_end_date and either one is specified and not the both | any |
null |
no |
| preferred_single_sign_on_mode | The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset. | string |
"" |
no |
| relay_state | The relative URI the service provider would redirect to after completion of the single sign-on flow. | string |
null |
no |
| repository | Terraform current module repo | string |
"" |
no |
| role_definition_name | The name of a Azure built-in Role for the service principal | any |
null |
no |
| service_principal_name | The name of the service principal | string |
"" |
no |
| sign_in_audience | The Microsoft account types that are supported for the current application. Must be one of AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount |
string |
"AzureADMyOrg" |
no |
| tags | Additional tags (e.g. map(BusinessUnit,XYZ). |
map(any) |
{} |
no |
| use_existing | When true, any existing service principal linked to the same application will be automatically imported. When false, an import error will be raised for any pre-existing service principal. | bool |
false |
no |
| Name | Description |
|---|---|
| client_id | The application id of AzureAD application created. |
| client_secret | Password for service principal. |
| service_principal_application_id | The object id of service principal. Can be used to assign roles to user. |
| service_principal_name | The object id of service principal. Can be used to assign roles to user. |
| service_principal_object_id | The object id of service principal. Can be used to assign roles to user. |
| service_principal_password | Password for service principal. |
In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.
You need to run the following command in the testing folder:
go test -run TestIf you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].
If you have found it worth your time, go ahead and give us a ★ on our GitHub!
At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.
We are The Cloud Experts!
We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.