3

when generating Service Principal in Azure manually, as a result of the operation I'm provided a password.

It's not the case however if I create service principal with Terraform, the password is not among the outputs of this module:

  + azuread_service_principal.k8s_principal
      id:                <computed>
      application_id:    "${azuread_application.app.application_id}"
      display_name:      <computed>

Is there anything I missed? Why does the Terraform behavior differs in the output compared to CLI?

4

2 回答 2

8

passwordazuread_service_principal_password块需要输入。因此,您可以生成一个随机密码并自行导出。完整的 Terraform 代码如下所示:

resource "azuread_application" "app" {
  name = "${local.application_name}"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = "${azuread_application.app.application_id}"
}

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z"                        # Forever
  service_principal_id = "${azuread_service_principal.app.id}"
  value                = "${random_string.password.result}"
}

output "sp_password" {
  value = "${azuread_service_principal_password.app.value}"
  sensitive = true
}
于 2019-05-13T13:07:08.223 回答
2

在 terraform 文档中,azuread_service_principal块仅定义了 Argumentapplication_id 和 Attributes iddisplay_name因此您只能看到这些资源。此外,azuread_service_principal_password块允许您导出服务主体密码的密钥 ID。你仍然看不到真正的密码。

在 Azure CLI az ad sp create-for-rbac中有一个可选参数 --Password。所以你可以看到密码输出。

于 2019-01-30T10:39:42.277 回答