
azuread_service_principal_password.rotate_when_changed replaces credential instead of creating a new additional credential. #1599

Open
rquackenbush opened this issue Dec 19, 2024 · 0 comments


Terraform (and AzureAD Provider) Version

terraform -v

Terraform v1.10.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.53.1
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/hashicorp/time v0.12.1

Affected Resource(s)

  • azuread_service_principal_password

Terraform Configuration Files

resource "random_uuid" "oauth2_scope" {}
data "azuread_client_config" "current" {}
data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_application" "example" {

  display_name            = "Terraform Password Repro Application"
  identifier_uris         = ["api://foo"]
  owners                  = [data.azuread_client_config.current.object_id]
  group_membership_claims = ["SecurityGroup"]

  feature_tags {
    hide = true
  }

  web {
    homepage_url = "https://foo.com"
    implicit_grant {
      access_token_issuance_enabled = true
    }
  }

  public_client {
    redirect_uris = ["https://foo.com"]
  }

  fallback_public_client_enabled = true

  # Access to this API.
  api {
    known_client_applications = [data.azuread_application_published_app_ids.well_known.result.MicrosoftAzureCli]
    oauth2_permission_scope {
      admin_consent_description  = "Allow AZ CLI to access the application on behalf of the signed-in user."
      admin_consent_display_name = "Allow access from CLI"
      enabled                    = true
      id                         = random_uuid.oauth2_scope.id
      type                       = "User"
      user_consent_description   = "Allow CLI to access example on your behalf."
      user_consent_display_name  = "Allow access from CLI"
      value                      = "user_impersonation"
    }
  }
}

# SP (aka "enterprise app") for the registered app
resource "azuread_service_principal" "example" {

  description = "Service Principal for '${azuread_application.example.display_name}'"
  client_id   = azuread_application.example.client_id
  owners      = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal_password" "example" {

  service_principal_id = azuread_service_principal.example.id
  end_date_relative    = "${2 * 24 * 365}h" # 2 years in hours

  rotate_when_changed = {
    rotation = "1"
  }
}

output "sp_client_id" {
  value = azuread_service_principal.example.client_id
}

Debug Output

https://gist.github.com/rquackenbush/c51cb7658d4724709b980a590c9f7353

Expected Behavior

I would expect a new credential to be created for the SP, and the old one to be left in place so that applications can continue to run correctly until they pick up the new credential.

The nomenclature "rotation" suggests that the old credential will be left intact.

Actual Behavior

The old credential was deleted and a new one was created.
  

Steps to Reproduce

  1. terraform apply

  2. List the credentials for this SP (using the SP id in the output):

az ad sp credential list --id 0092bcc0-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[
  {
    "customKeyIdentifier": null,
    "displayName": null,
    "endDateTime": "2026-12-19T00:42:06.2182111Z",
    "hint": "1Zx",
    "keyId": "670007de-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "secretText": null,
    "startDateTime": "2024-12-19T00:42:06.2182111Z"
  }
]

  3. Change azuread_service_principal_password.example.rotate_when_changed.rotation to 2.

  4. terraform apply

  5. List the credentials again:

az ad sp credential list --id 0092bcc0-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[
  {
    "customKeyIdentifier": null,
    "displayName": null,
    "endDateTime": "2026-12-19T00:51:12.4838138Z",
    "hint": "vQ7",
    "keyId": "6f3db624-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "secretText": null,
    "startDateTime": "2024-12-19T00:51:12.4838138Z"
  }
]

Note that the old SP credential is destroyed and a new one is created.
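A workaround pattern for the behaviour reported above, added here as an example and not taken from the issue or from the azuread provider's documentation: keep two credentials on the service principal and rotate only one of them per cycle, so the other stays valid while consumers pick up the new secret. It reuses azuread_service_principal.example from the configuration above; the variable name credential_rotation and the slot display names are assumptions.

```hcl
# Added example (not from the issue or the provider). Two credential "slots" on
# the same service principal. Each slot is still replaced, not added to, when
# its own rotation value changes; the overlap comes from rotating the slots on
# alternate cycles rather than from rotate_when_changed itself.
variable "credential_rotation" {
  type = map(string)
  # Bump exactly one slot per rotation (e.g. a = "2"); leave the other as-is so
  # its credential survives the apply untouched.
  default = {
    a = "1"
    b = "1"
  }
}

resource "azuread_service_principal_password" "slot" {
  for_each = var.credential_rotation

  service_principal_id = azuread_service_principal.example.id # from the repro config above
  display_name         = "slot-${each.key}"                   # assumed naming
  end_date_relative    = "${2 * 24 * 365}h"                    # 2 years in hours, as in the repro

  rotate_when_changed = {
    rotation = each.value
  }
}

# keyId per slot, to compare against `az ad sp credential list` before and
# after an apply: after rotating slot a, slot b's keyId must be unchanged.
output "sp_password_key_ids" {
  value = { for k, p in azuread_service_principal_password.slot : k => p.key_id }
}

# The secrets themselves; sensitive so they are not printed in plan/apply output.
output "sp_password_values" {
  value     = { for k, p in azuread_service_principal_password.slot : k => p.value }
  sensitive = true
}
```

To rotate, change only slot a, apply, and roll the new secret out to consumers; on the next cycle change only slot b. The az ad sp credential list check in the steps above should then show two entries, with the untouched slot's keyId identical before and after the apply. Remove the old credential's consumers before its slot is rotated again, since that later rotation is the point at which the provider deletes it.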
