Reads Azure credentials from an Azure secret backend in Vault.

The Azure Active Directory data source exists to easily pull short-lived
credentials from Vault for use in Terraform. By default, it returns a
dynamically generated `client_id` and `client_secret` without testing
whether they have fully propagated for use in Azure Active Directory. By
activating `validate_creds`, the credentials are tested before being
returned. This increases the time it takes for the credentials to be
returned, blocking Terraform's execution until they are ready.

If `validate_creds` is used, by default the credentials are validated by
making a test call to Azure every 1 second. Once 8 successes in a row have
been received, the credentials are returned. We have seen propagation
times take up to 15 minutes, so the maximum length of time for the check defaults
to 20 minutes. However, propagation times vary widely based on each company's Azure
usage, so all of these settings are configurable.

Credentials are tested by attempting to refresh a client token with them.
```hcl
data "vault_azure_access_credentials" "creds" {
  backend                     = "azure" # mount path of the Azure secrets engine (assumed here)
  role                        = "my-role"
  validate_creds              = true
  num_sequential_successes    = 8
  num_seconds_between_tests   = 1
  max_cred_validation_seconds = 300 # give up after 5 minutes
}

# The Azure Resource Manager provider consumes the short-lived credentials.
provider "azurerm" {
  client_id     = data.vault_azure_access_credentials.creds.client_id
  client_secret = data.vault_azure_access_credentials.creds.client_secret
}
```
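The validation loop described above (test every `num_seconds_between_tests`, require `num_sequential_successes` passes in a row, give up after `max_cred_validation_seconds`), written out as an added Go example that is not the provider's own code. `ValidateCreds` and `propagationSim` are names chosen here; the simulated token endpoint is constructed to show why a single failure resets the streak.

```go
package main

import (
	"fmt"
	"time"
)

// ValidateCreds models the validate_creds loop: check is one attempt to refresh
// a client token with the new client_id/client_secret, run every interval
// (num_seconds_between_tests); credentials count as propagated only after
// numSuccesses passes in a row (num_sequential_successes). Any failure resets
// the streak, since a partly replicated service principal may be accepted by
// one Azure AD replica and rejected by the next. It gives up after maxWait
// (max_cred_validation_seconds). Returns the number of attempts made.
func ValidateCreds(check func() error, numSuccesses int, interval, maxWait time.Duration) (int, error) {
	deadline := time.Now().Add(maxWait)
	attempts, streak := 0, 0
	for {
		attempts++
		if err := check(); err != nil {
			streak = 0 // not propagated yet (or regressed): start the count over
		} else if streak++; streak >= numSuccesses {
			return attempts, nil
		}
		if time.Now().After(deadline) {
			return attempts, fmt.Errorf("credential validation timed out after %d attempts", attempts)
		}
		time.Sleep(interval)
	}
}

// propagationSim stands in for the Azure token endpoint (constructed, not a real
// client): calls whose number is in failing return an error, all others succeed.
func propagationSim(failing map[int]bool) func() error {
	calls := 0
	return func() error {
		calls++
		if failing[calls] {
			return fmt.Errorf("call %d: service principal not yet visible", calls)
		}
		return nil
	}
}

func main() {
	// Constructed: calls 1-3 and 6 fail; the 8th straight success is call 14.
	sim := propagationSim(map[int]bool{1: true, 2: true, 3: true, 6: true})
	n, err := ValidateCreds(sim, 8, time.Millisecond, time.Second)
	fmt.Println(n, err) // 14 <nil>
}
```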
The `validate_creds` option requires read access to the backend's config endpoint.
If the effective Vault role does not have the required permissions, then valid values
must be set for `subscription_id`, `tenant_id`, and `environment`.
The following arguments are supported:

- `namespace` - (Optional) The namespace of the target resource.
  The value should not contain leading or trailing forward slashes.
  The `namespace` is always relative to the provider's configured namespace.
  Available only for Vault Enterprise.
- `backend` - (Required) The path to the Azure secret backend to
  read credentials from, with no leading or trailing `/`s.
- `role` - (Required) The name of the Azure secret backend role to read
  credentials from, with no leading or trailing `/`s.
- `validate_creds` - (Optional) Whether generated credentials should be
  validated before being returned. Defaults to `false`, which returns
  credentials without checking whether they have fully propagated throughout
  Azure Active Directory. Designating `true` activates testing.
- `num_sequential_successes` - (Optional) If `validate_creds` is `true`,
  the number of sequential successes required to validate generated
  credentials. Defaults to 8.
- `num_seconds_between_tests` - (Optional) If `validate_creds` is `true`,
  the number of seconds to wait between each test of generated credentials.
  Defaults to 1.
- `max_cred_validation_seconds` - (Optional) If `validate_creds` is `true`,
  the number of seconds after which to give up validating credentials. Defaults
  to 300.
- `subscription_id` - (Optional) The subscription ID to use during credential
  validation. Defaults to the subscription ID configured in the Vault `backend`.
  See the caveats section for more information on this field.
- `tenant_id` - (Optional) The tenant ID to use during credential validation.
  Defaults to the tenant ID configured in the Vault `backend`.
  See the caveats section for more information on this field.
- `environment` - (Optional) The Azure environment to use during credential validation.
  Defaults to the environment configured in the Vault `backend`.
  Some possible values: `AzurePublicCloud`, `AzureGovernmentCloud`.
  See the caveats section for more information on this field.
In addition to the arguments above, the following attributes are exported:

- `client_id` - The client ID for credentials to query the Azure APIs.
- `client_secret` - The client secret for credentials to query the Azure APIs.
- `lease_id` - The lease identifier assigned by Vault.
- `lease_duration` - The duration of the secret lease, in seconds relative
  to the time the data was requested. Once this time has passed, any plan
  generated with this data may fail to apply.
- `lease_start_time` - As a convenience, this records the current time
  on the computer where Terraform is running when the data is requested.
  This can be used to approximate the absolute time represented by
  `lease_duration`, though users must allow for any clock drift and response
  latency relative to the Vault server.
- `lease_renewable` - `true` if the lease can be renewed using Vault's
  `sys/renew/{lease-id}` endpoint. Terraform does not currently support lease
  renewal, and so it will request a new lease each time this data source is
  refreshed.