subcategory: Service Principals
Manages a password credential associated with a service principal within Azure Active Directory. See also the azuread_application_password resource.
The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All

-> When using the Application.ReadWrite.OwnedBy application role, the principal being used to run Terraform must be an owner of both the linked application registration and the service principal being managed.

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator
Basic example

resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
}
Time-based rotation

resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# time_rotating comes from the hashicorp/time provider. Its id is the RFC3339
# timestamp of the current rotation period, so it changes once every
# rotation_days days.
resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id

  # Any change to a value in this map forces the password to be replaced,
  # so the credential is recreated whenever the rotation timestamp moves.
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

Each replacement is a destroy followed by a create, so with this configuration there is a brief window in which the old password has been removed and the new one does not yet exist; consumers of the credential must be updated with the new value after each rotating apply.
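The example below is added here and is not from the provider's documentation. It extends the rotation pattern above with three things a practitioner usually wants: a validity period tied to the rotation interval so an un-rotated secret cannot stay valid indefinitely, create_before_destroy so a replacement credential exists before the old one is revoked (a service principal may hold several password credentials at once), and a sensitive output for the generated value. Resource names, the 30-day interval and the 7-day grace period are illustrative assumptions.

```hcl
# Added example (not the provider's own code). Names and periods are
# illustrative assumptions.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" }
  }
}

resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# Ticks over every 30 days. Its id is the RFC3339 timestamp of the current
# rotation period, so it changes exactly once per period.
resource "time_rotating" "rotation" {
  rotation_days = 30
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id

  # Embed the period start so the active credential is identifiable in the
  # portal while old and new overlap during cutover.
  display_name = "terraform-${time_rotating.rotation.id}"

  # 30 days of rotation interval plus 7 days of grace (37 * 24 = 888h).
  # If Terraform stops being applied, the credential still expires.
  end_date_relative = "888h"

  rotate_when_changed = {
    rotation = time_rotating.rotation.id
  }

  # Create the replacement before the old password is deleted, so clients
  # that have not yet picked up the new value keep working during cutover.
  lifecycle {
    create_before_destroy = true
  }
}

output "client_id" {
  value = azuread_application.example.client_id
}

# The generated value is only ever returned at creation time; mark the
# output sensitive so it is not printed on apply.
output "client_secret" {
  value     = azuread_service_principal_password.example.value
  sensitive = true
}
```

Run terraform apply on a schedule shorter than rotation_days; the first apply after a period boundary creates the new credential, and whatever consumes client_secret (a pipeline variable, a secret store) must re-read it after that apply. The value is still held in the Terraform state, so the state backend needs the same protection as the secret itself.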
The following arguments are supported:

- display_name - (Optional) A display name for the password.
- end_date - (Optional) The end date until which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
- end_date_relative - (Optional) A relative duration for which the password is valid, for example 240h (10 days) or 2400h30m. Use either end_date or end_date_relative, not both. Changing this field forces a new resource to be created.
- rotate_when_changed - (Optional) A map of arbitrary key/value pairs that will force recreation of the password when they change, enabling password rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- service_principal_id - (Required) The ID of the service principal for which this password should be created. Changing this field forces a new resource to be created.
- start_date - (Optional) The start date from which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.
In addition to all arguments above, the following attributes are exported:

- key_id - A UUID used to uniquely identify this password credential.
- value - The password for this service principal, which is generated by Azure Active Directory. The attribute is marked sensitive, so it is redacted from plan and apply output, but it is stored in the Terraform state in plaintext; protect the state backend accordingly.
The timeouts block allows you to specify timeouts for certain actions:

- create - (Defaults to 5 minutes) Used when creating the resource.
- read - (Defaults to 5 minutes) Used when retrieving the resource.
- delete - (Defaults to 5 minutes) Used when deleting the resource.
This resource does not support importing: Azure Active Directory returns the password value only at creation time, so an existing credential cannot be read back into state.