Add azuread_service_principal_token_signing_certificate to simplify certificate management #732
Comments
Hi @dhohengassner, thanks for requesting this feature! Looking through the linked walkthrough, it looks like a few additional pieces are needed here?
Does this look right to you?
@manicminer that is exactly what I had in mind 👍 I will try to come up with PRs for that. Thanks for the fast feedback!
This commit adds support to create the certificate for Azure AD signed certs. Issue: hashicorp/terraform-provider-azuread#732
…erredTokenSigningKeyThumbprint This commit adds support to create the certificate for Azure AD signed certs and set the preferred token thumbprint on the service principal. This will allow to follow the steps described in https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api#create-a-signing-certificate using hamilton SDK. Issue: hashicorp/terraform-provider-azuread#732
…erredTokenSigningKeyThumbprint This commit adds support to create the certificate for Azure AD signed certs and set the preferred token thumbprint on the service principal. This will allow to follow the steps described in https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api#create-a-signing-certificate using hamilton SDK. Currently Microsoft does not support a method to remove the created certificate key from the service principal. https://docs.microsoft.com/en-us/graph/api/serviceprincipal-addtokensigningcertificate Also manual removal via `removePassword` and `removeKey` API calls is not supported and fails with an internal server error. This SDK extension is the base to extend the `terraform-provider-azuread`. Issue: hashicorp/terraform-provider-azuread#732
created a PR to add support for the preferredTokenSigningKeyThumbprint field for service principals
@manicminer Experimented today with certificate creation on service principal. It seems the Graph API supports adding a certificate but there is no option to remove them. I can see the generated keys and passwords but I cannot remove them via Ref: https://docs.microsoft.com/en-us/graph/api/serviceprincipal-addtokensigningcertificate I am able to remove the certs on Enterprise apps but this is using a different internal API. Therefore I would suggest not creating its own terraform resource for that feature. Instead use an optional field on the Does that make sense for you? Or do you prefer having a separate resource for the created certificate.
Hi @dhohengassner, thanks for looking into it. That's unfortunate - using ForceNew as a workaround on the service_principal resource may be an option, but I'd like to reach out first and find out whether that API might be expanded with full CRD support so that we can make a proper resource of it.
Hey @manicminer good idea! So I understood right that you will contact Microsoft to ask for a new API feature?
We do like to add support to the provider to create a token signing certificate. This commit adds a new field `token_signing_certificate_name` to the resource `azuread_service_principal`. If this is set a certificate will be generated and the thumbprint will be stored in a computed field called `preferred_token_signing_key_thumbprint`. Issue: hashicorp#732
We do like to add support to the provider to create a token signing certificate. This commit adds new optional fields `token_signing_certificate_name` and `token_signing_certificate_end_date` to the resource `azuread_service_principal`. If both of these fields are set a token signing certificate for the service principal gets created and attached. The certificate thumbprint will be stored in a computed field called `preferred_token_signing_key_thumbprint`. There is no way to update or rotate the certificate because of missing API support. Therefore in case of an adjustment the principal will be replaced. Issue: hashicorp#732
This adds a new resource called `service_principal_token_signing_certificate` that is used to manage the whole lifecycle of token signing certificates used for SAML authentication. This resource makes use of the `AddTokenSigningCertificate` function that was added to hamilton previously here: manicminer/hamilton#158

MS Graph Docs: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addtokensigningcertificate?view=graph-rest-1.0&tabs=http

As documented in the docs above, when the `AddTokenSigningCertificate` function is invoked, 3 individual objects are created:
- Verify `keyCredential` (Public Cert)
- Sign `keyCredential` (Private Key)
- `passwordCredential` (Private Key Password)

When the object is returned, it includes the thumbprint, the public key pem value, and a `keyId`. However, we found an odd behavior: the `keyId` that is returned is actually for the Sign `keyCredential`. Since the Verify certificate is the one that we actually care about, we used the `customKeyIdentifier`, which is the same for all 3 values, to get the Verify `keyId`, which we then use in building the resource ID.

We additionally had to "calculate" the thumbprint value from the actual value of the Verify cert, as this value is not returned from the API, except after initial creation in the Create step. We did this by getting the pem value of the Verify cert by adding the `$select=keyCredential` odata query to the GET of the service principal. By combining this value with the PEM header/footer, we can calculate the SHA-1 fingerprint, which matches up to the appropriate thumbprint.

Finally, to delete the certificate, we have to PATCH the service principal with all 3 objects mentioned previously removed. To gather this, we used the `customKeyIdentifier` value in a loop.

Closes hashicorp#732
And part of hashicorp#823
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
Azure API provides a method (addTokenSigningCertificate) to create a self-signed certificate for a service principal: https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api#create-a-signing-certificate
This option avoids managing a certificate by yourself and is currently not supported via terraform.
New or Affected Resource(s)
References
https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api#step-4-configure-a-signing-certificate
This is a different request than #410 because I do not want to manage the certificate myself.