Service Principal Creation by Terraform doesn't provide password/secret in the output

Question

when generating Service Principal in Azure manually, as a result of the operation I'm provided a password.

It's not the case however if I create service principal with Terraform, the password is not among the outputs of this module:

  + azuread_service_principal.k8s_principal
      id:                <computed>
      application_id:    "${azuread_application.app.application_id}"
      display_name:      <computed>

Is there anything I missed? Why does the Terraform behavior differs in the output compared to CLI?

wire password into other place, or get password as data to be wired into other places, or look at state file - here it is. you cannot export it, it will give <sensitive> — Dzmitry Lahoda

Derek Derek · Accepted Answer · 2019-05-13T13:07:08

password is required INPUT to the azuread_service_principal_password block. As such, you can generate a random password and export it yourself. Complete Terraform code is something like this:

resource "azuread_application" "app" {
  name = "${local.application_name}"
}

# Create Service Principal
resource "azuread_service_principal" "app" {
  application_id = "${azuread_application.app.application_id}"
}

resource "random_string" "password" {
  length  = 32
  special = true
}

# Create Service Principal password
resource "azuread_service_principal_password" "app" {
  end_date             = "2299-12-30T23:00:00Z"                        # Forever
  service_principal_id = "${azuread_service_principal.app.id}"
  value                = "${random_string.password.result}"
}

output "sp_password" {
  value = "${azuread_service_principal_password.app.value}"
  sensitive = true
}

Service Principal Creation by Terraform doesn't provide password/secret in the output

2 Answers