Dropping a quick Terraform module that automatically rotates the password of an Azure AD application and writes the new value into an Azure DevOps variable group. This is handy when a tenant is maintained as code, because it lets developers "order" app secrets through a pull request instead of handling them by hand.
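terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azuredevops = {
      source = "microsoft/azuredevops"
    }
    # Declared explicitly for consistency with the two providers above:
    # the time_rotating resource used for the rotation schedule comes from
    # this provider, and an unqualified "time" would otherwise rely on
    # Terraform's implicit hashicorp/ namespace lookup.
    time = {
      source = "hashicorp/time"
    }
  }
}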
# The identity Terraform is running as in Azure AD. Only tenant_id is read
# from it (it is published as the tenantid entry of the variable group).
data "azuread_client_config" "current" {
}
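# Module inputs. The three *_secret_name inputs only control the key names
# written into the variable group, so pipelines can keep their existing names.
variable "application_id" {
  type        = string
  description = "The application (client) id of the Azure AD app registration whose password is rotated and published to the variable group."
}

variable "devops_project_name" {
  type        = string
  description = "The Azure DevOps project name, output from the azuredevops_project resource. Used only in the password's display_name."
}

variable "devops_project_id" {
  type        = string
  description = "The Azure DevOps project id, output from the azuredevops_project resource."
}

variable "variable_group_name" {
  type        = string
  # Fixed: the original description referred to a service connection, but this
  # value names the variable group that receives the credentials.
  description = "The name of the variable group in Azure DevOps that receives the client id, tenant id and client secret."
}

variable "clientid_secret_name" {
  type        = string
  description = "The name of the variable group entry holding the application (client) id."
  default     = "clientid"
}

variable "tenantid_secret_name" {
  type        = string
  description = "The name of the variable group entry holding the tenant id."
  default     = "tenantid"
}

variable "clientsecret_secret_name" {
  type        = string
  description = "The name of the variable group entry holding the rotated client secret (stored as a secret variable)."
  default     = "clientsecret"
}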
# Look up the existing app registration by its application (client) id;
# its object_id is what the password resource needs, and its application_id
# is republished into the variable group.
data "azuread_application" "app" {
  application_id = var.application_id
}
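# Rotation period, exposed as an input (default keeps the previous hard-coded
# 90 days) so callers can shorten it for higher-risk applications.
variable "rotation_days" {
  type        = number
  description = "Number of days between password rotations. Rotation only happens when terraform apply runs after the period has elapsed."
  default     = 90

  validation {
    condition     = var.rotation_days > 0
    error_message = "rotation_days must be a positive number of days."
  }
}

# Rotation schedule: the resource's id changes once rotation_days have passed
# since the last rotation, which is what triggers replacement of the password.
# NOTE: this is evaluated at plan/apply time only; a pipeline (or a scheduled
# apply) must run regularly for rotation to actually occur.
resource "time_rotating" "schedule" {
  rotation_days = var.rotation_days
}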
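# Application password (client secret). It is replaced whenever the rotation
# schedule's id changes; the previous password is removed with the old resource.
resource "azuread_application_password" "key" {
  display_name          = "DevOps Variable Group '${var.variable_group_name}' in the project '${var.devops_project_name}'"
  application_object_id = data.azuread_application.app.object_id

  # Bound the secret's validity to the rotation period plus a 7-day grace
  # window (hours, as a Go duration string). Without an explicit end date the
  # provider applies its own default lifetime, which is far longer than the
  # rotation period and would leave a secret that should have been retired
  # still valid. The grace window keeps a slightly late apply from expiring
  # the secret before the replacement has been published.
  end_date_relative = "${(time_rotating.schedule.rotation_days + 7) * 24}h"

  rotate_when_changed = {
    rotation = time_rotating.schedule.id
  }
}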
# Variable group that pipelines read the credentials from. The client secret is
# written as a secret variable so Azure DevOps masks it in logs and the UI.
# NOTE: the secret value also lives in Terraform state in plain text, so the
# state backend must be access-controlled and encrypted at rest.
resource "azuredevops_variable_group" "vg" {
  name        = var.variable_group_name
  project_id  = var.devops_project_id
  description = "Managed by Terraform"

  # Non-secret identifiers needed alongside the secret to authenticate.
  variable {
    name  = var.clientid_secret_name
    value = data.azuread_application.app.application_id
  }

  variable {
    name  = var.tenantid_secret_name
    value = data.azuread_client_config.current.tenant_id
  }

  # The rotated password; updated in place whenever the key resource is replaced.
  variable {
    name         = var.clientsecret_secret_name
    is_secret    = true
    secret_value = azuread_application_password.key.value
  }
}