Add equivalent of CLI "--create-cert" option in azuread_service_principal

[wawrzek]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like to have azuread_service_principal option to create a certificate when creating SP. I don't see such option in https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal

CLI examples:
https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac-examples

New or Affected Resource(s)

• azuread_1.4.0

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

• #0000

[manicminer]

Hi @wawrzek, thanks for requesting. Are you perhaps looking for the azuread_service_principal_certificate resource, or more likely the azuread_application_certificate resource?

[wawrzek]

@manicminer AFAIK none of them allows to create a certificate, only load one. Maybe Terraform native workaround would be to create self sign TLS certificate (starting from here https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) and load it to Azure SP.

[manicminer]

As you note there is already an official tls provider which can readily be used for this purpose, so this is not something that we'll look to implement in the AzureAD provider. For example, you can do something like this, which is not a workaround but is rather the intended use pattern if you don't want to manage your own certificates:

provider "azuread" {}
provider "tls" {}

resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_application_certificate" "example" {
  application_object_id = azuread_application.example.object_id
  type                  = "AsymmetricX509Cert"
  end_date_relative     = "4320h"
  value                 = tls_self_signed_cert.example.cert_pem
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = azuread_application.example.name
    organization = "Example Corp"
  }

  allowed_uses          = ["client_auth", "server_auth"]
  validity_period_hours = 4320
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

output "private_key" {
  value = tls_private_key.example.private_key_pem
}

Hope this helps! Generally speaking, we don't just mirror Azure CLI, Powershell or Azure Portal features in Terraform as they often do not translate well.

[wawrzek]

@manicminer thanks for help. I had to change only one line:
from
validity_period_hours = 4320
to
validity_period_hours = 365 * 24

Otherwise, I would get:

graphrbac.ApplicationsClient#UpdateKeyCredentials: Failure responding to
request: StatusCode=400 -- Original Error: autorest/azure: Service returned an
error. Status=400 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Request_BadRequest","date":"2021-03-04T15:55:00","message":{"lang":"en","value":"Key
credential end date is
invalid."},"requestId":"0632c746-72a7-445e-a0ea-d732fead7dfb","values":[{"item":"PropertyName","value":"keyCredentials.endDate"},{"item":"PropertyErrorCode","value":"InvalidKeyEndDate"}]}}]

[manicminer]

@wawrzek Great! I've also added this to the create-for-rbac example in the repo as it's a useful pattern. I'll close this one for now, but if you have any problems with this please feel free to comment further. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!