Manages a password credential associated with a service principal within Azure Active Directory. See also the azuread_application_password resource.
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All
When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator
Basic example
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.object_id
}
Time-based rotation
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.object_id
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}
The following arguments are supported:
display_name - (Optional) A display name for the password.
end_date - (Optional) The end date until which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative - (Optional) A relative duration for which the password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
rotate_when_changed - (Optional) A map of arbitrary key/value pairs that will force recreation of the password when they change, enabling password rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
service_principal_id - (Required) The object ID of the service principal for which this password should be created. Changing this field forces a new resource to be created.
start_date - (Optional) The start date from which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.
In addition to all arguments above, the following attributes are exported:
key_id - A UUID used to uniquely identify this password credential.
value - The password for this service principal, which is generated by Azure Active Directory.
This resource does not support importing.
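The following is an added example, not part of the provider documentation. It combines the rotate_when_changed trigger with end_date_relative so that every generated password also expires, and it passes the exported value to a sensitive output. The 240h lifetime, the display name and the output name are assumptions chosen for illustration.

```hcl
resource "azuread_application" "example" {
  display_name = "example"
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# Terraform recreates this resource on the first plan/apply that runs after
# 7 days have passed, which changes its id. Rotation therefore only happens
# when Terraform is actually run, not on a timer in Azure.
resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.object_id
  display_name         = "rotated-weekly" # constructed label

  # Assumption: 240h (10 days) outlives the 7-day rotation interval by
  # 3 days, so a late apply does not leave the service principal without
  # a valid password, while a leaked password still expires on its own.
  end_date_relative = "240h"

  # A new id on time_rotating.example forces a new password to be created.
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

# Marking the output sensitive keeps the password out of plan and apply
# output. The value is still written to the Terraform state, so access to
# the state backend has to be restricted accordingly.
output "service_principal_password" { # hypothetical output name
  value     = azuread_service_principal_password.example.value
  sensitive = true
}
```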