Azure terraform module to create an Azure AD Service Principal and assign specified role(s) to choosen Azure scope(s).
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
data "azurerm_subscription" "primary" {
}
data "azurerm_resource_group" "rg" {
name = "dsrg_test"
}
data "azuread_group" "readers" {
display_name = "Claranet Readers"
}
data "azuread_users" "owner_users" {
user_principal_names = ["jean.dupont@xxxx.clara.net", "owner.yyyy@contoso.com"]
}
resource "azurerm_role_definition" "example" {
name = "my-custom-role-definition"
scope = data.azurerm_subscription.primary.id
permissions {
actions = ["Microsoft.Resources/subscriptions/resourceGroups/read"]
not_actions = []
}
assignable_scopes = [
data.azurerm_subscription.primary.id,
]
}
module "sp" {
source = "claranet/service-principal/azurerm"
version = "x.x.x"
sp_display_name = "claranet-tools"
sp_owners = data.azuread_users.owner_users.object_ids
sp_scope_assignment = [
{
scope = data.azurerm_subscription.primary.id
role_name = null
role_id = azurerm_role_definition.example.role_definition_resource_id
},
{
scope = data.azurerm_resource_group.rg.id
role_name = "Contributor"
}
]
sp_groups_member = {
(data.azuread_group.readers.display_name) = data.azuread_group.readers.object_id
}
sp_aad_app_tags = ["foo", "bar"]
# az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}'
sp_required_resource_access = {
# Azure Healthcare APIs
"4f6778d8-5aef-43dc-a1ff-b073724b9495" = [{
resource_access_id = "4f6778d8-5aef-43dc-a1ff-b073724b9495" # user_impersonation - Application
resource_access_type = "Role"
}]
# Microsoft.Graph
"00000003-0000-0000-c000-000000000000" = [{
resource_access_id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - Delegated
resource_access_type = "Scope"
},
{
resource_access_id = "19dbc75e-c2e2-444c-a770-ec69d8559fc7" # Directory.ReadWrite.All - Delegated
resource_access_type = "Scope"
}
]
}
}| Name | Version |
|---|---|
| azuread | ~> 2.44 |
| azurerm | ~> 3.0 |
| random | ~> 3.5 |
No modules.
| Name | Type |
|---|---|
| azuread_application.aad_app | resource |
| azuread_group_member.sp_group_member | resource |
| azuread_service_principal.sp | resource |
| azuread_service_principal_password.sp_pwd | resource |
| azurerm_role_assignment.sp_role | resource |
| random_uuid.api_settings | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| api_settings | Settings for the APIs you need to define using this Service Principal. | object({ |
{} |
no |
| identifier_uris | A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. | list(string) |
[] |
no |
| sp_aad_app_tags | A set of tags to apply to the application. Tag values also propagate to any linked service principals. | list(string) |
[] |
no |
| sp_display_name | Azure Service Principal (and AAD application) display name. | string |
n/a | yes |
| sp_groups_member | Map of AAD Groups (group name => object ID) to add this Service Principal. | map(string) |
{} |
no |
| sp_owners | A set of object IDs of principals that will be granted ownership of both the AAD Application and associated Service Principal. Supported object types are users or service principals. | list(string) |
[] |
no |
| sp_required_resource_access | List of Service Principal Application OAuth permission scopes configuration. https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#resource_access | map(list(object({ |
{} |
no |
| sp_scope_assignment | List of object representing the scopes and roles to assign the Service Principal with. | list(object({ |
[] |
no |
| sp_token_validity_duration | Azure Service Principal token/password duration before it expires. Defaults to 2 years. Notation documentation: https://pkg.go.dev/time#ParseDuration | string |
"17520h" |
no |
| web_settings | Configuration for web related settings for this Service Principal. | object({ |
{} |
no |
| Name | Description |
|---|---|
| sp_aad_groups | Azure Service Principal AAD groups membership. |
| sp_app_id | Azure Service Principal App ID. |
| sp_name | Azure Service Principal name. |
| sp_object_id | Azure Service Principal Object ID. |
| sp_required_resource_access | Azure Service Principal required resource access. |
| sp_role_scope_assignment | Azure Service Principal assigned roles and scopes. |
| sp_secret_key | Azure Service Principal secret key/password. |
| sp_validity_end_date | Azure Service Principal validity date. |