Terraform module for automatically maintaining Azure DevOps variable group with app secret

Dropping a quick Terraform module that automatically rotates the password of an Azure AD application and writes the new value into an Azure DevOps variable group. This can be super handy when maintaining a tenant as code, allowing developers to “order” app secrets. One caveat: the generated secret is persisted in plaintext in the Terraform state, so the state backend must be protected (encrypted at rest, access restricted) as carefully as the secret itself.

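terraform {
  # Declare every provider this module uses with an explicit source so the
  # registry namespace is never inferred. Add `version` constraints in the root
  # module and commit the dependency lock file so provider upgrades are
  # deliberate rather than picked up silently on the next `terraform init`.
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }

    azuredevops = {
      source = "microsoft/azuredevops"
    }

    # `time_rotating` below comes from this provider; without this entry
    # Terraform has to fall back to inferring `hashicorp/time` implicitly.
    time = {
      source = "hashicorp/time"
    }
  }
}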

# Identity Terraform is currently authenticated as; only its tenant_id is used
# further down, when the tenant id is published to the variable group.
data "azuread_client_config" "current" {
}

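variable "application_id" {
  description = "The application (client) id of the Azure AD app registration whose password is rotated and published to the variable group."
  type        = string

  # A client id is always a GUID; reject anything else before the data lookup
  # so a typo fails at plan time with a clear message instead of an opaque
  # Graph error.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.application_id))
    error_message = "application_id must be a GUID (the app registration's application/client id)."
  }
}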

# Human-readable project name; only used to label the generated password.
variable "devops_project_name" {
  description = "The Azure DevOps project name, output from the azuredevops_project resource."
  type        = string
}

# Project the variable group is created in.
variable "devops_project_id" {
  description = "The Azure DevOps project id, output from the azuredevops_project resource."
  type        = string
}

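# Name of the variable group this module creates (the previous description
# referred to a service connection, which this module does not manage).
variable "variable_group_name" {
  description = "The name of the variable group to create in the Azure DevOps project."
  type        = string
}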

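# The client id is an identifier, not a credential; it is published as a plain
# (non-secret) variable, so the description should not call it a secret.
variable "clientid_secret_name" {
  description = "Name of the variable group variable that will hold the application (client) id. Published as a plain variable, not as a secret."
  type        = string
  default     = "clientid"
}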

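# The tenant id is an identifier, not a credential; it is published as a plain
# (non-secret) variable, so the description should not call it a secret.
variable "tenantid_secret_name" {
  description = "Name of the variable group variable that will hold the tenant id. Published as a plain variable, not as a secret."
  type        = string
  default     = "tenantid"
}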

# Variable name that receives the rotated password; this one is marked secret
# in the variable group.
variable "clientsecret_secret_name" {
  description = "The name of the clientsecret secret"
  type        = string
  default     = "clientsecret"
}

# Resolve the existing app registration from its application (client) id. A
# data source is used deliberately: the module only manages the password, it
# does not own (and cannot destroy) the registration itself.
data "azuread_application" "app" {
  application_id = var.application_id
}

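# Rotation period. Exposed as an input (default 90 days, the value that used to
# be hard-coded) so a tenant can tighten the schedule without forking the module.
variable "rotation_days" {
  description = "How often, in days, the application password is rotated."
  type        = number
  default     = 90

  validation {
    condition     = var.rotation_days > 0 && floor(var.rotation_days) == var.rotation_days
    error_message = "rotation_days must be a positive whole number of days."
  }
}

# Rotation clock. Once `rotation_days` have elapsed the resource is replaced and
# gets a new id, which the password below keys its `rotate_when_changed` on.
# The rotation only takes effect when `terraform apply` actually runs after the
# deadline; nothing rotates on its own between applies.
resource "time_rotating" "schedule" {
  rotation_days = var.rotation_days
}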

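# Application password. Replaced (old secret deleted, new one created) whenever
# the rotation clock above is replaced. The plaintext `value` attribute is
# stored in Terraform state; protect the state backend accordingly.
resource "azuread_application_password" "key" {
  display_name          = "DevOps Variable Group '${var.variable_group_name}' in the project '${var.devops_project_name}'"
  application_object_id = data.azuread_application.app.object_id

  # Bound the credential's lifetime instead of accepting the provider default,
  # which is far longer than the rotation period. Rotation only happens when an
  # apply runs after the clock expires, so the cap is twice the rotation period:
  # a missed apply can no longer leave a stale secret valid for years, while a
  # single late run does not break pipelines.
  end_date_relative = format("%dh", time_rotating.schedule.rotation_days * 2 * 24)

  rotate_when_changed = {
    rotation = time_rotating.schedule.id
  }
}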

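# Publish the credential triple to a variable group. Only the password is a
# secret; the client and tenant ids are identifiers and stay plain variables.
resource "azuredevops_variable_group" "vg" {
  project_id  = var.devops_project_id
  name        = var.variable_group_name
  description = "Managed by Terraform"

  # Least privilege, stated explicitly rather than left to the default: do not
  # share the group with every pipeline in the project. Grant access per
  # pipeline so a malicious or compromised pipeline definition cannot read the
  # secret merely by existing in the same project.
  allow_access = false

  variable {
    name  = var.clientid_secret_name
    value = data.azuread_application.app.application_id
  }

  # `is_secret` masks the value in the Azure DevOps UI and logs. It does not
  # protect the Terraform state, which still holds the plaintext password.
  variable {
    name         = var.clientsecret_secret_name
    secret_value = azuread_application_password.key.value
    is_secret    = true
  }

  # NOTE(review): this is the tenant Terraform is authenticated against, which
  # is assumed to be the app registration's home tenant — confirm for
  # multi-tenant or cross-tenant setups.
  variable {
    name  = var.tenantid_secret_name
    value = data.azuread_client_config.current.tenant_id
  }
}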
