Terraform module for Azure AD Service Principal and its Azure role assignment
claranet/terraform-azurerm-service-principal
Azure Service Principal

Changelog | Notice | Apache V2 License | OpenTofu Registry

Azure Terraform module to create an Azure AD (Entra ID) Service Principal and assign the specified role(s) to the chosen Azure scope(s).

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration: it automatically updates and formats some files for you and enforces our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. We recommend using OpenTofu instead.

```hcl
module "sp" {
  source  = "claranet/service-principal/azurerm"
  version = "x.x.x"

  display_name = "claranet-tools"
  owners       = data.azuread_users.owners.object_ids

  scope_assignment = [
    {
      scope     = data.azurerm_subscription.main.id
      role_name = null
      role_id   = azurerm_role_definition.example.role_definition_resource_id
    },
    {
      scope     = data.azurerm_resource_group.main.id
      role_name = "Contributor"
    }
  ]

  groups_member = {
    (data.azuread_group.readers.display_name) = data.azuread_group.readers.object_id
  }

  entra_app_tags = ["foo", "bar"]

  # az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}'
  required_resource_access = {
    # Azure Healthcare APIs
    "4f6778d8-5aef-43dc-a1ff-b073724b9495" = [{
      resource_access_id   = "4f6778d8-5aef-43dc-a1ff-b073724b9495" # user_impersonation - Application
      resource_access_type = "Role"
    }]
    # Microsoft.Graph
    "00000003-0000-0000-c000-000000000000" = [
      {
        resource_access_id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - Delegated
        resource_access_type = "Scope"
      },
      {
        resource_access_id   = "19dbc75e-c2e2-444c-a770-ec69d8559fc7" # Directory.ReadWrite.All - Delegated
        resource_access_type = "Scope"
      }
    ]
  }
}
```
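As an added example that is not part of the module's README or of the module itself, the following root module supplies the data sources and resources the snippet above refers to (owners, subscription, resource group, group, custom role) and then consumes the module outputs: the generated secret is written to Key Vault with its expiry instead of being read from `terraform output`, and tenant-wide consent is granted for only one of the requested delegated scopes, because `required_resource_access` only records which permissions the application requests and grants no consent by itself. The names `claranet-tools`, `rg-tools`, `kv-tools`, `sp-readers`, the user principal names, the 90-day validity and the custom role definition are assumptions; `validity_end_date` is assumed to be an RFC 3339 timestamp, which is what `azurerm_key_vault_secret.expiration_date` expects.

```hcl
# Added example (not the module's own code). All names and UPNs are assumptions.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Owners of both the application and the service principal (assumed UPNs).
data "azuread_users" "owners" {
  user_principal_names = ["alice@example.com", "bob@example.com"]
}

data "azurerm_subscription" "main" {}

data "azurerm_resource_group" "main" {
  name = "rg-tools" # assumed
}

data "azuread_group" "readers" {
  display_name     = "sp-readers" # assumed
  security_enabled = true
}

# Read-only custom role used at subscription scope instead of a broad built-in role.
resource "azurerm_role_definition" "example" {
  name  = "tools-subscription-reader" # assumed
  scope = data.azurerm_subscription.main.id

  permissions {
    actions     = ["*/read"]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.main.id]
}

module "sp" {
  source  = "claranet/service-principal/azurerm"
  version = "x.x.x"

  display_name = "claranet-tools"
  owners       = data.azuread_users.owners.object_ids

  scope_assignment = [
    {
      scope     = data.azurerm_subscription.main.id
      role_name = null
      role_id   = azurerm_role_definition.example.role_definition_resource_id
    },
    {
      scope     = data.azurerm_resource_group.main.id
      role_name = "Contributor"
    }
  ]

  groups_member = {
    (data.azuread_group.readers.display_name) = data.azuread_group.readers.object_id
  }

  # 90 days instead of the 2-year default, to bound the blast radius of a leaked secret.
  token_validity_duration = "2160h"

  required_resource_access = {
    # Microsoft Graph: request only the delegated scope actually needed.
    "00000003-0000-0000-c000-000000000000" = [{
      resource_access_id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - Delegated
      resource_access_type = "Scope"
    }]
  }
}

# Microsoft Graph's service principal in this tenant (well-known application ID).
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

# Requesting a permission is not consenting to it: grant consent explicitly, for that scope only.
resource "azuread_service_principal_delegated_permission_grant" "user_read" {
  service_principal_object_id          = module.sp.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read"]
}

# Deliver the secret through Key Vault, with the same expiry as the credential.
data "azurerm_key_vault" "main" {
  name                = "kv-tools" # assumed
  resource_group_name = data.azurerm_resource_group.main.name
}

resource "azurerm_key_vault_secret" "sp" {
  name            = "claranet-tools-client-secret"
  value           = module.sp.secret_key
  key_vault_id    = data.azurerm_key_vault.main.id
  expiration_date = module.sp.validity_end_date # assumed RFC 3339
}

output "client_id" {
  value = module.sp.app_id
}
```

Even with the secret handed out through Key Vault, the password value remains in the Terraform state, so the state backend must be access-controlled and encrypted; rotating the credential is done by changing `token_validity_duration` or tainting the password resource and re-applying.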

Providers

| Name | Version |
|------|---------|
| azuread | ~> 3.0 |
| azurerm | ~> 4.0 |
| random | ~> 3.5 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azuread_application.main | resource |
| azuread_group_member.main | resource |
| azuread_service_principal.main | resource |
| azuread_service_principal_password.main | resource |
| azurerm_role_assignment.main | resource |
| random_uuid.api_settings | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `api_settings` | Settings for the APIs you need to define using this Service Principal. | `object` (see type below) | `{}` | no |
| `display_name` | Azure Service Principal (and AAD application) display name. | `string` | n/a | yes |
| `entra_app_tags` | A set of tags to apply to the application. Tag values also propagate to any linked service principals. | `list(string)` | `[]` | no |
| `groups_member` | Map of Entra ID groups (group name => object ID) to add this Service Principal to. | `map(string)` | `{}` | no |
| `identifier_uris` | A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. | `list(string)` | `[]` | no |
| `owners` | A set of object IDs of principals that will be granted ownership of both the Entra ID Application and the associated Service Principal. Supported object types are users or service principals. | `list(string)` | `[]` | no |
| `required_resource_access` | Map of resource application ID => list of OAuth permissions (application roles or delegated scopes) that this Service Principal's application requests. See documentation. | `map(list(object))` (see type below) | `{}` | no |
| `scope_assignment` | List of objects, each giving a scope and a role (by name or by ID) to assign to the Service Principal. | `list(object)` (see type below) | `[]` | no |
| `token_validity_duration` | Azure Service Principal token/password duration before it expires. Defaults to 2 years. See documentation. | `string` | `"17520h"` | no |
| `web_settings` | Configuration for web-related settings for this Service Principal. | `object` (see type below) | `{}` | no |

Type definitions for the object inputs:

```hcl
# api_settings
object({
  known_client_applications      = optional(list(string), [])
  mapped_claims_enabled          = optional(bool, false)
  requested_access_token_version = optional(number, 1)
  oauth2_permission_scopes = optional(list(object({
    admin_consent_description  = string
    admin_consent_display_name = string
    enabled                    = optional(bool, true)
    id                         = optional(string)
    type                       = optional(string, "User")
    user_consent_description   = optional(string)
    user_consent_display_name  = optional(string)
    value                      = optional(string)
  })), [])
})

# required_resource_access
map(list(object({
  resource_access_id   = string
  resource_access_type = string # "Role" (application permission) or "Scope" (delegated permission)
})))

# scope_assignment
list(object({
  scope     = string
  role_name = optional(string)
  role_id   = optional(string)

  delegated_managed_identity_resource_id = optional(string)
  skip_service_principal_aad_check       = optional(bool, false)
}))

# web_settings
object({
  homepage_url                  = optional(string, null)
  logout_url                    = optional(string, null)
  redirect_uris                 = optional(list(string), [])
  access_token_issuance_enabled = optional(bool)
  id_token_issuance_enabled     = optional(bool)
})
```

Outputs

| Name | Description |
|------|-------------|
| `app_id` | Azure Service Principal App (client) ID. |
| `entra_groups` | Azure Service Principal Entra ID group memberships. |
| `id` | Azure Service Principal ID. |
| `name` | Azure Service Principal name. |
| `object_id` | Azure Service Principal Object ID. |
| `required_resource_access` | Azure Service Principal required resource access. |
| `resource` | Azure Service Principal resource object. |
| `role_scope_assignment` | Azure Service Principal assigned roles and scopes. |
| `secret_key` | Azure Service Principal secret key/password (sensitive; it is stored in the Terraform state, so protect the state backend). |
| `validity_end_date` | Azure Service Principal password validity end date. |
