Home > database >  using service principal password created in config later on in same config
using service principal password created in config later on in same config

Time:08-16

I have the following code:

resource "random_string" "password" {
  length               = 16
  special              = true
  override_special     = "_%@"
}

resource "azuread_service_principal_password" "auth" {
  service_principal_id = azuread_service_principal.auth.id
  value                = random_string.password.result
  end_date_relative    = "240h"
}

I want to use the password in a resource to create an AKS cluster:

resource "azurerm_kubernetes_cluster" "default" {
  name                = "${random_pet.prefix.id}-aks"
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name
  dns_prefix          = "${random_pet.prefix.id}-k8s"

  default_node_pool {
    name            = var.node_pool
    node_count      = var.node_count
    vm_size         = var.vm_size
    os_disk_size_gb = 30
  }

  service_principal {
    client_id     = azuread_service_principal.auth.application_id
    client_secret = azuread_service_principal_password.auth.value
  }

  role_based_access_control {
    enabled = true
  }

  tags = {
    environment = "Demo"
  }
}

However, when I run terraform apply, I get:

Error: Value for unconfigurable attribute
│ 
│   with azuread_service_principal_password.auth,
│   on aks-cluster.tf line 26, in resource "azuread_service_principal_password" "auth":
│   26:   value                = random_string.password.result
│ 
│ Can't configure a value for "value": its value will be decided automatically based on the result of applying this
│ configuration.

Is there a way of generating the service principal password in my config and then using it later on in the same configuration ?

CodePudding user response:

Is there a way of generating the service principal password in my config and then using it later on in the same configuration?

If your question is to set a user defined password/secret for a Service Principal, then it is not possible to do so.

azuread_service_principal_password is essentially a wrapper over servicePrincipal: addPassword Graph API call which does not allow you to specify your own password/secret.

CodePudding user response:

You need to use azuread_application_password instead of azuread_service_principal_password so you can specify the random string value.

  • Related