Resource for Azure_application_Client secrets

[kgopi05]

How to provision the Azure_application_Client secrets using the Terraform ?

Tried provisioning azuread_service_principal_password , but it is not provisioning the Client secrets.

Regards
Gopi

[davidtom]

I'm having the same issue. The client secret seems to exist because I can use the service principal, but it does not appear in the UI for some reason.

I believe #66 is related?

[katbyte]

Hi @kgopi05,

Could you possibly need to use the azuread_application_password resource?

[JayDoubleu]

@kgopi05

resource "azuread_application" "example" {
  name = "example-app"
}

resource "random_string" "not_so_secret_anymore" {
  length  = 33
  special = true
}

resource "azuread_application_password" "example" {
  application_id = azuread_application.example.id
  value          = random_string.not_so_secret_anymore.result
  end_date       = "2020-01-01T01:02:03Z"
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

az ad sp credential -h
Group
az ad sp credential : Manage a service principal's credentials.
The credential update will be applied on the Application object the service principal is
associated with. In other words, you can accomplish the same thing using "az ad app
credential".

App secrets are just passwords acording to the API:

https://graph.windows.net/myorganization/applications/appid/addPassword?api-version=2.0
https://docs.microsoft.com/en-us/graph/api/application-add-password?view=graph-rest-beta

resource "azuread_service_principal_password" - Definitely needs fixing as it doesn't show up in app secrets tho.

[opticyclic]

It is partially displaying now.

This code outputs the client secret to the command line.
However, in the GUI there is no "Description" field populated and the password is marked as Hidden, whereas if you create it manually you are forced to put in a description and the secret is displayed.

Also, the date says: "12/31/2019" instead of 01/01/2020.

resource "random_string" "password" {
  length  = 33
  special = true
}

resource "azuread_application_password" "example" {
  application_id = azuread_application.client-app.id
  value          = random_string.password.result
  end_date       = "2020-01-01T01:00:00Z"
}

output "client_secret" {
  description = "Client Secret"
  value       = random_string.password.result
}

[JayDoubleu]

@opticyclic that's the reason I named it "not_so_secret_anymore" :) You could use local exec resource to silently generate password and then use the azuread_application_password password output which is marked as secret.

[opticyclic]

I'm more concerned with the fact that it doesn't automate the manual steps I am doing in the portal.

[JayDoubleu]

@opticyclic what do you mean ? It doesnt show "masked" values as this is coming straight from the API but otherwise works exactly the same.

[mattbowes]

Wouldnt it be better to use resource "random_password" instead of resource "random_string" for this?

Is there any fix for this not showing in the portal?

[alex-3sr]

Hi All,

Are there any break change recently about ressource azuread_application_password? I can't create anymore new one.

Error: Invalid resource type
on AzureAD.tf line 103, in resource "azuread_application_password" "aad_app_um_secret":
103: resource "azuread_application_password" "aad_app_um_secret" {
The provider provider.azuread does not support resource type
"azuread_application_password".

I use TF 12.10 and Azure Ad Provider 3.1 and Azure RM 1.35.

Thanks

[ronnie-webb]

Im trying to wrap my head around setting up client id and client secret in terraform using.

resource "azurerm_azuread_application" "example" {
  name                       = "example"
  homepage                   = "https://homepage"
  identifier_uris            = ["https://uri"]
  reply_urls                 = ["https://replyurl"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

resource "azurerm_azuread_service_principal" "example" {
  application_id = "${azurerm_azuread_application.example.application_id}"
}

resource "azurerm_azuread_service_principal_password" "example" {
  service_principal_id = "${azurerm_azuread_service_principal.example.id}"
  value                = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
  end_date             = "2020-01-01T01:02:03Z"
}

It doesn't appear to produce a client ID and client secret. How do I use the password generated for a aks deployment.

  service_principal {
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "00000000000000000000000000000000"
  }

[JayDoubleu]

@ronnie-webb

resource "random_uuid" "default" {}

resource "azuread_application" "default" {
  name                       = "aks-${random_uuid.default.result}"
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

resource "random_password" "default" {
  length  = 33
  special = true
}

resource "azuread_application_password" "default" {
  application_object_id = azuread_application.default.id
  value                 = random_password.default.result
  end_date              = "2040-01-01T01:02:03Z"
}

resource "azuread_service_principal" "default" {
  application_id = azuread_application.default.application_id
  tags           = []
}

Then in AKS:

service_principal {
    client_id     = azuread_service_principal.default.application_id
    client_secret = random_password.default.result
  }

[ronnie-webb]

@JayDoubleu Thanks I'll give it a try.

[andrew-sumner]

The advice I found here got my password created, being unable to set the description is a annoyance.

Any advice on how I could look up the password? I have one terraform config to create base resources including the app registration and password. I'd like to look this password up from another terraform config to create a logic app connector and provide it the password but not sure how to store and retrieve it. I can see the password in the state file but azuread_application_password does not provide a data source. Each logic app could have it's own secret but given I cannot set the description I can't tell which one belongs to what so not much point.

[ronnie-webb]

@andrew-sumner I store the secret created in key-vault and retrieve it from there.. you can also create a data from backend config and just pull the secret from an output..

[andrew-sumner]

@ronnie-webb A big thanks for that - solution was obvious in hindsight as these things often are but you saved me a lot of head-scratching.

[ronnie-webb]

@andrew-sumner np

[ghost]

This has been released in version 0.10.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azuread" {
    version = "~> 0.10.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!