Bootstrapping an Azure service account in Terraform

Time:01-29

I am trying to write the Terraform to create an Azure "service account" and am getting quite confused by the distinction between what Azure AD calls "Applications" and "Service Principals". Effectively, I'm trying to mimic the following Azure CLI call:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${subscription_id}"

The idea would be for a human administrator to run the Terraform, to set it up once, then those credentials could later be used to authenticate for the remaining IaC. (i.e., it's a bootstrapping exercise.)

I wish to do it in Terraform, rather than a Bash script, as it seems more explicit and fits with the rest of my IaC. This is what I have so far:

data "azurerm_subscription" "current" {}

data "azuread_client_config" "current" {}

resource "azuread_application" "terraform" {
  display_name = "Terraform"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_application_password" "terraform" {
  application_object_id = azuread_application.terraform.object_id
}

# resource "azuread_service_principal" "terraform" {
#   application_id = azuread_application.terraform.application_id
#   owners         = [data.azuread_client_config.current.object_id]
# }
# 
# resource "azuread_service_principal_password" "terraform" {
#   service_principal_id = azuread_service_principal.terraform.object_id
# }

resource "local_file" "azurerc" {
  filename        = ".azurerc"
  file_permission = "0600"
  content         = <<EOF
export ARM_ENVIRONMENT="public"
export ARM_SUBSCRIPTION_ID="${data.azurerm_subscription.current.subscription_id}"
export ARM_TENANT_ID="${data.azuread_client_config.current.tenant_id}"
export ARM_CLIENT_ID="${azuread_application.terraform.application_id}"
export ARM_CLIENT_SECRET="${azuread_application_password.terraform.value}"
EOF
}

This runs, but later authenticating with the generated credentials gives an authentication error. Specifically, Terraform says:

If you are accessing as application please make sure service principal is properly created in the tenant.

Clearly I haven't done that -- it's commented out in the above snippet -- but that's because this is where my understanding starts to break down. Why do I need both? Why do both the application and the service principal have password resources? If I generate passwords for both, which is the ARM_CLIENT_SECRET (I think the application password is the right one)? Then there's the role assignment: I see there's an azuread_app_role_assignment resource, but I'm having trouble unpicking it.

CodePudding user response:

I am trying to write the Terraform to create an Azure "service account" and am getting quite confused by the distinction between what Azure AD calls "Applications" and "Service Principals".

Applications can be seen from the Azure AD App registrations blade, whereas Service Principals are otherwise known as Enterprise Applications. The difference is well documented in this [image].


Using the above details I created a resource group in the subscription:

provider "azurerm" {
  features {}
  subscription_id = "88073b30-cadd-459e-b90b-8442c93573ae"
  tenant_id       = "ab078f81-xxxx-xxxx-xxxx-620b694ded30"
  client_id       = "c022ec46-xxxx-xxxx-xxxx-c72a9b82f429"
  client_secret   = "wdV7Q~8Grxxxxxxxxxxxxxx~SCwbRrKIq9"
}

resource "azurerm_resource_group" "name" {
  name     = "testansterraform"
  location = "west us 2"
}

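The complete bootstrap the question is reaching for (application, service principal, secret and Contributor assignment), as an added example that is not part of the question or the answer above. It assumes the hashicorp/azuread 2.x and azurerm 3.x providers and that the administrator is already logged in with their own identity; the display names and the 90-day secret lifetime are placeholders.

```hcl
# The administrator's own login (e.g. az login) authenticates this run.
provider "azurerm" {
  features {}
}

# Identity of the administrator running the bootstrap, and the target subscription.
data "azuread_client_config" "current" {}
data "azurerm_subscription" "current" {}

# 1. The application object: the definition, which carries the client id.
resource "azuread_application" "terraform" {
  display_name = "Terraform"
  owners       = [data.azuread_client_config.current.object_id]
}

# 2. The service principal: the instance of that application in this tenant.
#    Without it the tenant will not issue a token to the application, which is
#    the "service principal is properly created in the tenant" error.
resource "azuread_service_principal" "terraform" {
  application_id = azuread_application.terraform.application_id
  owners         = [data.azuread_client_config.current.object_id]
}

# 3. The client secret, held on the application object, with an expiry so it
#    cannot silently live forever.
resource "azuread_application_password" "terraform" {
  application_object_id = azuread_application.terraform.object_id
  display_name          = "terraform-bootstrap"   # assumed name
  end_date_relative     = "2160h"                 # 90 days; assumed lifetime
}

# 4. The role assignment: Contributor on the subscription, granted to the
#    service principal's object id (an azurerm resource, not azuread).
resource "azurerm_role_assignment" "terraform" {
  scope                            = data.azurerm_subscription.current.id
  role_definition_name             = "Contributor"
  principal_id                     = azuread_service_principal.terraform.object_id
  skip_service_principal_aad_check = true # the principal was just created
}

# ARM_CLIENT_ID / ARM_CLIENT_SECRET for the later, non-interactive runs.
output "arm_client_id" {
  value = azuread_application.terraform.application_id
}

output "arm_client_secret" {
  value     = azuread_application_password.terraform.value
  sensitive = true
}
```

Marking the output sensitive keeps the secret out of plan and apply logs; reading it with `terraform output -raw arm_client_secret` avoids leaving a plaintext `.azurerc` on disk, though the secret still lands in the state file, which must itself be protected.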
