
update resource azuread_service_principal_token_signing_certificate to create standard PEM encoded certificates #1095

Open
todd-dsm opened this issue May 9, 2023 · 1 comment

Comments

@todd-dsm

todd-dsm commented May 9, 2023

Please keep in mind that I'm learning Azure/Okta on the go, so I reserve the right to be completely wrong about all of this 😀

Background:

I’m attempting to automate the relationship between Azure AD (IdP) and Okta "Identity Providers" configuration. In the Okta docs a certificate must be generated manually in an Azure Enterprise App; that certificate is later downloaded from Azure, then uploaded to the Okta "Identity Providers" config.

I've followed #823 (comment) to generate/activate the SSO certificate; seems to work.

Description

The azuread_service_principal_token_signing_certificate does not appear to follow the Terraform principle for cross-provider operations; in this case, the certificate doesn't seem to be output in proper PEM encoding.

New or Affected Resource(s)

  • azuread_service_principal (requires certificate)
  • azuread_service_principal_token_signing_certificate (produces certificate)
  • okta_idp_saml_key (consumes certificate)

Potential Terraform Configuration

# Create a Service Principal for the Enterprise Application
# TF: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal
resource "azuread_service_principal" "okta_sp" {
  application_id                = azuread_application.okta.application_id
  owners                        = [data.azurerm_client_config.current.object_id]
  app_role_assignment_required  = false
  preferred_single_sign_on_mode = "saml"

  saml_single_sign_on {}

  feature_tags {
    custom_single_sign_on = true
    enterprise            = true
    gallery               = false
    hide                  = false
  }
  notification_email_addresses = [
    "[email protected]",
  ]
}

# Create a Service Principal Certificate for the Enterprise Application
# TF: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_token_signing_certificate
# REF: https://github.com/hashicorp/terraform-provider-azuread/issues/823#issuecomment-1398060612
resource "azuread_service_principal_token_signing_certificate" "saml_signing_cert" {
  service_principal_id = azuread_service_principal.okta_sp.id
  display_name         = "CN=${var.myCo} SSO Certificate"
  end_date             = time_rotating.saml_certificate.rotation_rfc3339
  provisioner "local-exec" {
    command = <<-SHELL
      az ad sp update --id ${self.service_principal_id} \
        --set preferredTokenSigningKeyThumbprint=${self.thumbprint}
    SHELL
  }
}

# Rotate Certs on a prescribed timeline: 3 years # default
resource "time_rotating" "saml_certificate" {
  rotation_years = 3
}

resource "okta_idp_saml_key" "idp_signing_key" {
  x5c = [
    <<-EOT
    -----BEGIN CERTIFICATE-----
    ${azuread_service_principal_token_signing_certificate.saml_signing_cert.value}
    -----END CERTIFICATE-----
    EOT
  ]
}

References

TIA
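One way to get a standards-compliant PEM block out of the provider's current output, as an added example that is not from the issue or the provider: assuming `value` is the single-line base64 DER certificate the resource exposes, the `locals` below wrap it into 64-column lines between the RFC 7468 boundaries and keep the bare base64 alongside, since RFC 7517 `x5c` entries take base64 DER without PEM boundaries; the output precondition rejects a value that is not base64 or is already PEM-wrapped.

```hcl
# Added example: derive an RFC 7468 PEM certificate from the provider's
# single-line base64 DER `value`, and keep the raw base64 for x5c-style fields.
locals {
  # Assumption: `value` is base64 (not base64url) DER on one line, no boundaries.
  signing_cert_b64 = azuread_service_principal_token_signing_certificate.saml_signing_cert.value

  # PEM body lines are at most 64 characters; regexall splits the base64 into
  # consecutive 64-character chunks (the last chunk may be shorter).
  signing_cert_pem = join("\n", concat(
    ["-----BEGIN CERTIFICATE-----"],
    regexall(".{1,64}", local.signing_cert_b64),
    ["-----END CERTIFICATE-----", ""], # trailing "" yields a final newline
  ))
}

output "okta_signing_cert_pem" {
  value = local.signing_cert_pem

  precondition {
    # Fail the plan if the provider output is not bare base64 DER.
    condition     = can(base64decode(local.signing_cert_b64)) && !can(regex("-----BEGIN", local.signing_cert_b64))
    error_message = "Expected a single-line base64 DER certificate without PEM boundaries."
  }
}

output "okta_signing_cert_x5c" {
  # Bare base64 DER, the form an x5c array entry expects.
  value = local.signing_cert_b64
}
```

`terraform output -raw okta_signing_cert_pem > idp.pem` writes a file that `openssl x509 -in idp.pem -noout -text` can read, which is a quick way to confirm the wrapping before handing the certificate to another provider.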

@manicminer
Contributor

Hi @todd-dsm, thanks for requesting this. That's a very reasonable ask and I'm sure we can output this in a PEM compliant format.
