service_principal_password.md

File metadata and controls

89 lines (60 loc) · 3.56 KB
---
subcategory: "Service Principals"
---

# Resource: azuread_service_principal_password

Manages a password credential associated with a service principal within Azure Active Directory. See also the azuread_application_password resource.

## API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All

-> When using the Application.ReadWrite.OwnedBy application role, the principal being used to run Terraform must be an owner of both the linked application registration, and the service principal being managed.

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator

## Example Usage

### Basic example

```hcl
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
}
```

### Time-based rotation

```hcl
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}
```
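### Rotation with a bounded lifetime

As an added example (not part of the provider's own documentation), the rotation pattern above combined with `end_date_relative`, so that the credential still expires on its own if the rotating apply ever stops running, and with the generated `value` exposed only as a sensitive output. The 30-day rotation and 45-day validity are assumed values; `create_before_destroy` is the standard Terraform lifecycle meta-argument and is used here so the replacement password exists before the old one is removed.

```hcl
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# Changes every 30 days (assumed interval); each change forces a new password.
resource "time_rotating" "example" {
  rotation_days = 30
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  display_name         = "terraform-rotated"

  # 45 days (1080h, assumed): a 15-day grace window past the scheduled rotation,
  # after which Azure AD rejects the credential even if no apply ever ran again.
  end_date_relative = "1080h"

  rotate_when_changed = {
    rotation = time_rotating.example.id
  }

  lifecycle {
    # Create the new credential first; a service principal may hold several
    # passwords, so the old one is deleted only after the replacement exists.
    create_before_destroy = true
  }
}

# The password is generated by Azure AD and only ever lives in state and in
# this output; marking it sensitive keeps it out of plan/apply logs.
output "service_principal_password" {
  value     = azuread_service_principal_password.example.value
  sensitive = true
}
```

State still contains the plaintext `value`, so the backend holding the state needs the same access controls as the credential itself.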

## Argument Reference

The following arguments are supported:

* `display_name` - (Optional) A display name for the password.
* `end_date` - (Optional) The end date until which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). Changing this field forces a new resource to be created.
* `end_date_relative` - (Optional) A relative duration after which the password expires, for example `240h` (10 days) or `2400h30m`. Changing this field forces a new resource to be created.
* `rotate_when_changed` - (Optional) A map of arbitrary key/value pairs that will force recreation of the password when they change, enabling password rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
* `service_principal_id` - (Required) The ID of the service principal for which this password should be created. Changing this field forces a new resource to be created.
* `start_date` - (Optional) The start date from which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.

## Attributes Reference

In addition to all arguments above, the following attributes are exported:

* `key_id` - A UUID used to uniquely identify this password credential.
* `value` - The password for this service principal, which is generated by Azure Active Directory.

## Timeouts

The `timeouts` block allows you to specify timeouts for certain actions:

* `create` - (Defaults to 5 minutes) Used when creating the resource.
* `read` - (Defaults to 5 minutes) Used when retrieving the resource.
* `delete` - (Defaults to 5 minutes) Used when deleting the resource.

## Import

This resource does not support importing.