terraform-provider-azuread: azuread_service_principal_password: Password not set correctly
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Terraform v0.11.13
- provider.azuread v0.2.0
Affected Resource(s)
azuread_service_principal_password
Terraform Configuration Files
provider "azuread" {
version = "~> 0.2.0"
}
resource "azuread_application" "test" {
name = "test"
available_to_other_tenants = false
}
resource "azuread_service_principal" "test-service-principal" {
application_id = "${azuread_application.test.application_id}"
}
resource "azuread_service_principal_password" "service-principal-password" {
service_principal_id = "${azuread_service_principal.test-service-principal.id}"
value = "test123"
end_date = "2020-01-01T00:00:00Z"
}
Debug Output
Expected Behavior
The service principal is created, and the password for it is set.
Actual Behavior
This bug is the same as the one explained in the issue linked below, but because it was locked I created a new issue here.
Using the az CLI, I discovered the following error:
az ad sp credential list --id $(terraform output service_principal)
Parameter 'application_object_id' can not be None.
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in execute
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 386, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 377, in _run_job
cmd_copy.exception_handler(ex)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 356, in _run_job
result = cmd_copy(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 171, in __call__
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 452, in default_command_handler
return op(**command_args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1018, in list_service_principal_credentials
return _get_service_principal_credentials(graph_client, app_object_id, cert)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1025, in _get_service_principal_credentials
app_creds = list(graph_client.applications.list_password_credentials(app_object_id))
File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 143, in __next__
self.advance_page()
File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 129, in advance_page
self._response = self._get_next(self.next_link)
File "/opt/az/lib/python3.6/site-packages/azure/graphrbac/operations/applications_operations.py", line 669, in internal_paging
'applicationObjectId': self._serialize.url("application_object_id", application_object_id, 'str'),
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 592, in url
data = self.validate(data, name, required=True, **kwargs)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 662, in validate
raise ValidationError("required", name, True)
msrest.exceptions.ValidationError: Parameter 'application_object_id' can not be None.
Steps to Reproduce
- terraform apply
- az ad sp credential list --id $(terraform output service_principal)
Important Factoids
References
- terraform-providers/terraform-provider-azurerm#2084
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 25
- Comments: 23 (2 by maintainers)
This works for me:
I then use it to create a Kubernetes cluster:
In the portal, I don't see a client secret against the application but the Kubernetes cluster deploys successfully.
Interestingly, I had to add depends_on for azuread_service_principal.main despite it being referenced in the kubernetes resource.
I had the same problem as the person who originally raised the issue but upgrading Azure CLI has resolved it for me.
Edit: After further investigation, the reason why the secret isn't showing in the Azure portal is because those are the application secrets and not service principal secrets.
I have just tried this:
and then this, in the kubernetes cluster definition:
and it works fine. The secret is also showing in the portal. In fact, this is probably the better way to do it as it allows for importing of clusters created via the portal into TF.
Using: azurerm = "=1.36.1", azuread = "=0.6.0"
You can NOT see service principal passwords in the portal AFAIK, only application secrets/passwords. They are slightly different in a single tenant app scenario and WAAAAY different in the multi tenant scenario.
@poddm, which azuread provider version did you use? I tried with v0.4 and v0.6, using deprecated azurerm_azuread_service_principal and azurerm_azuread_service_principal_password, doesn't work, even with additional deprecated azurerm_azuread_application, still no application password was created.
I was able to work around this using the deprecated azurerm_azuread_service_principal and azurerm_azuread_service_principal_password resources.
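The thread's explanation is that the issue's configuration does create a credential, but on the service principal object, while the portal (and the az CLI build used in the report, whose traceback shows it listing the application's password credentials) only shows credentials attached to the application object. The following configuration is an added example, not code from the issue or the provider project, that puts the two resources side by side so the difference is visible. It assumes the azuread 0.x resource names and arguments (azuread_service_principal_password with service_principal_id, azuread_application_password with application_object_id) and the hashicorp/random provider's random_password resource; it has not been applied against a tenant.

```hcl
# Added example (not from the issue). Assumes azuread 0.x resource names and
# arguments and the hashicorp/random provider; not validated against a tenant.

resource "azuread_application" "example" {
  name                       = "example"
  available_to_other_tenants = false
}

resource "azuread_service_principal" "example" {
  application_id = "${azuread_application.example.application_id}"
}

# Do not hard-code a secret such as "test123" in the configuration: generate
# it instead. The generated value is still written to Terraform state, so the
# state backend must be access-controlled and encrypted at rest.
resource "random_password" "sp" {
  length  = 40
  special = false
}

resource "random_password" "app" {
  length  = 40
  special = false
}

# Credential on the service principal object. This is what the issue's
# configuration creates. It is not listed under the app registration's
# "Certificates & secrets" in the portal, because it is not an application
# credential.
resource "azuread_service_principal_password" "sp" {
  service_principal_id = "${azuread_service_principal.example.id}"
  value                = "${random_password.sp.result}"
  end_date             = "2020-01-01T00:00:00Z"
}

# Credential on the application object (azuread_application.example.id is the
# object ID, not the application/client ID). This is the "application secret"
# the portal shows and is the kind of credential the later comment reports
# working for an AKS cluster.
resource "azuread_application_password" "app" {
  application_object_id = "${azuread_application.example.id}"
  value                 = "${random_password.app.result}"
  end_date              = "2020-01-01T00:00:00Z"
}

# Expose the identifiers (not the secrets) so they can be checked with the CLI.
output "application_id" {
  value = "${azuread_application.example.application_id}"
}

output "service_principal_object_id" {
  value = "${azuread_service_principal.example.id}"
}
```

To check which object a credential landed on, query each object separately rather than relying on the portal: `az ad app credential list --id $(terraform output application_id)` shows application passwords, and `az ad sp credential list --id $(terraform output service_principal_object_id)` shows service principal passwords on a current CLI (the reporter's CLI build raised the application_object_id error above; a commenter reports that upgrading the CLI resolved it). Whichever resource you use, set end_date to a short rotation window and never commit the value.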