Manages a password credential associated with an application within Azure Active Directory. These are also referred to as client secrets during authentication.
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All
When authenticated with a user principal, this resource requires one of the following directory roles: Application Administrator or Global Administrator
Basic example
resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "azuread_application_password" "example" {
  application_id = azuread_application_registration.example.id
}
Time-based rotation
resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_application_password" "example" {
  application_id = azuread_application_registration.example.id

  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}
The following arguments are supported:
application_id - (Required) The resource ID of the application for which this password should be created. Changing this field forces a new resource to be created.
display_name - (Optional) A display name for the password. Changing this field forces a new resource to be created.
end_date - (Optional) The end date until which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative - (Optional) A relative duration for which the password is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
rotate_when_changed - (Optional) A map of arbitrary key/value pairs that will force recreation of the password when they change, enabling password rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
start_date - (Optional) The start date from which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.

In addition to all arguments above, the following attributes are exported:
key_id - A UUID used to uniquely identify this password credential.
value - The password for this application, which is generated by Azure Active Directory.

This resource does not support importing.
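Added example (not part of the provider documentation): the time-based rotation above combined with a bounded validity period, so that a rotated secret also expires on its own. The display name, the 7-day and 240h values, the create_before_destroy setting and the output name are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" }
  }
}

resource "azuread_application_registration" "example" {
  display_name = "example"
}

# Rotation trigger: its id changes once 7 days have passed, but only when
# Terraform next runs, so plan/apply must be scheduled at least that often.
resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_application_password" "example" {
  application_id = azuread_application_registration.example.id
  display_name   = "rotated-by-terraform" # assumed label

  # Valid for 10 days: longer than the 7-day rotation so a late apply does
  # not leave consumers holding an expired secret, short enough that a
  # leaked secret stops working without manual revocation.
  end_date_relative = "240h"

  rotate_when_changed = {
    rotation = time_rotating.example.id
  }

  # Assumption for this example: create the replacement before the old
  # password is deleted, so the application is never left without a
  # password credential during the apply.
  lifecycle {
    create_before_destroy = true
  }
}

# The generated value is also written to the Terraform state, so the state
# backend needs the same access controls as the secret itself.
output "client_secret" {
  value     = azuread_application_password.example.value
  sensitive = true
}
```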