There have been some pretty big changes with TerraForm v2.0, including removing all of the Azure AD elements and moving them to their own provider, and the question becomes “How does that change my template?” In this post, you will see an example of that, an updated form of code that generates a service principal with a random password and how to connect this with your code to assign this service principal to a keyvault access policy.
So by using TerraForm, you gain a lot of benefits, including being able to manage all parts of your infrastructure using HCL languages to make it rather easy to manage.
A key part of that is not only being able to manage the resources you create, but also access to them, by creating and assigning storage principals. In older versions of TerraForm, this was possible using the azurerm_azuread_application and other elements. I had previously done this in the Kubernetes template I have on github.
Now, with TerraForm v2.0, there have been some pretty big changes, including removing all of the Azure AD elements and moving them to their own provider, and the question becomes “How does that change my template?”
Below is an example, it shows the creation of a service principal, with a random password, and creating an access policy for a keyvault.
resource "random_string" "kub-rs-pd-kv" {
length = 32
special = true
}
data "azurerm_subscription" "current" {
subscription_id = "${var.subscription_id}"
}
resource "azurerm_azuread_application" "kub-ad-app-kv1" {
name = "${format("%s%s%s-KUB1", upper(var.environment_code),
upper(var.deployment_code), upper(var.location_code))}"
available_to_other_tenants = false
oauth2_allow_implicit_flow = true
}
resource "azurerm_azuread_service_principal" "kub-ad-sp-kv1" {
application_id = "${azurerm_azuread_application.kub-ad-app-kv1.application_id}"
}
resource "azurerm_azuread_service_principal_password" "kub-ad-spp-kv" {
service_principal_id = "${azurerm_azuread_service_principal.kub-ad-sp-kv1.id}"
value = "${element(random_string.kub-rs-pd-kv.*.result, count.index)}"
end_date = "2020-01-01T01:02:03Z"
}
resource "azurerm_key_vault" "kub-kv" {
name = "${var.environment_code}${var.deployment_code}${var.location_code}lkub-kv1"
location = "${var.azure_location}"
resource_group_name = "${azurerm_resource_group.management.name}"
sku {
name = "standard"
}
tenant_id = "${var.keyvault_tenantid}"
access_policy {
tenant_id = "${var.keyvault_tenantid}"
object_id = "${azurerm_azuread_service_principal.kub-ad-sp-kv1.id}"
key_permissions = [
"get",
]
secret_permissions = [
"get",
]
}
access_policy {
tenant_id = "${var.keyvault_tenantid}"
object_id = "${azurerm_azuread_service_principal.kub-ad-sp-kv1.id}"
key_permissions = [
"create",
]
secret_permissions = [
"set",
]
}
depends_on = ["azurerm_role_assignment.kub-ad-sp-ra-kv1"]
}
Now as I mentioned, with the change to the new provider, you will see a new version of this code be implemented. Below is an updated form of code that generates a service principal with a random password.
provider "azuread" {
version = "=0.7.0"
}
resource "random_string" "cds-rs-pd-kv" {
length = 32
special = true
}
resource "azuread_application" "cds-ad-app-kv1" {
name = format("%s-%s%s-cds1",var.project_name,var.deployment_code,var.environment_code)
oauth2_allow_implicit_flow = true
}
resource "azuread_service_principal" "cds-ad-sp-kv1" {
application_id = azuread_application.cds-ad-app-kv1.application_id
}
resource "azuread_service_principal_password" "cds-ad-spp-kv" {
service_principal_id = azuread_service_principal.cds-ad-sp-kv1.id
value = random_string.cds-rs-pd-kv.result
end_date = "2020-01-01T01:02:03Z"
}
Notice how much cleaner the code is, first we aren’t doing the ${} to do string interpolation, and ultimately the resources are much cleaner. So the next question is how do I connect this with my code to assign this service principal to a keyvault access policy.
You can accomplish that with the following code, which is in a different file in the same directory:
resource "azurerm_resource_group" "cds-configuration-rg" {
name = format("%s-Configuration",var.group_name)
location = var.location
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "cds-kv" {
name = format("%s-%s%s-kv",var.project_name,var.deployment_code,var.environment_code)
location = var.location
resource_group_name = azurerm_resource_group.cds-configuration-rg.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_enabled = true
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"create",
"get",
]
secret_permissions = [
"set",
"get",
"delete",
]
}
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azuread_service_principal.cds-ad-sp-kv1.id
key_permissions = [
"get",
]
secret_permissions = [
"get",
]
}
}
Notice that I am able to reference the “azuread_service_principal.cds-ad-sp-kv1.id” to access the newly created service principal without issue.
