terraform azure notes
# Azure AD application registration that backs the service principal below.
# Both the display name and the identifier URI derive from var.service_principal_name.
# NOTE(review): these argument names match the azuread 1.x provider schema;
# 2.x renamed them (sign_in_audience / web.implicit_grant) — presumably the
# provider version is pinned accordingly, confirm.
resource "azuread_application" "main" {
  display_name = var.service_principal_name
  # NOTE(review): the identifier URI uses the http:// scheme on a bare name.
  # Azure AD has since tightened identifier-URI rules (verified domains /
  # api:// scheme) — confirm this value is still accepted at apply time.
  identifier_uris = ["http://${var.service_principal_name}"]
  # Single-tenant registration: only identities from this tenant can use it.
  available_to_other_tenants = false
  # OAuth2 implicit flow stays disabled; keep it off unless a browser client
  # genuinely needs it.
  oauth2_allow_implicit_flow = false
}
# Service principal (the tenant-local identity) for the application above.
# Its object_id is what the role assignments further down bind to; its id is
# what the password and certificate credentials attach to.
resource "azuread_service_principal" "main" {
  application_id = azuread_application.main.application_id
}
# Rotation clock shared by the password and certificate credentials: their
# end_date is read from rotation_rfc3339, and random_password keys off this
# resource's id so that a rotation forces a fresh secret.
# NOTE(review): as far as I recall rotation_rfc3339 and rotation_years are
# mutually exclusive in the time provider — only one of the two variables
# should be non-null at a time; confirm the variable defaults enforce that.
resource "time_rotating" "main" {
  rotation_rfc3339 = var.password_end_date
  rotation_years   = var.password_rotation_in_years

  # Changing either input presumably replaces this resource (new id), which in
  # turn re-keys the credentials that depend on it.
  triggers = {
    end_date = var.password_end_date
    years    = var.password_rotation_in_years
  }
}
# Client secret for the service principal, generated only when certificate
# authentication is not enabled. 32 characters with minimum counts per
# character class; the keeper ties it to time_rotating.main so that a
# rotation yields a new password. The result lives in plaintext in Terraform
# state — the state backend needs to be protected accordingly.
resource "random_password" "passwd" {
  # Complement of the certificate resource's condition: exactly one of
  # password or certificate is created.
  count = var.enable_service_principal_certificate == true ? 0 : 1

  keepers = {
    service_principal_password = time_rotating.main.id
  }

  length      = 32
  min_numeric = 4
  min_upper   = 4
  min_lower   = 2
}
# Create an Azure AD inside a subscription for experimenting
| # Solution 1: | |
| ### hack: give terraform god account global access to Azure AD 'ApplicationAdministrator' (through the azure UI) | |
| ### have terraform make new account | |
| ### [optional] create a service principal or use God account | |
| ### | |
| ### have terraform make a RG | |
| # Solution 2: | |
| ### create a custom role in azure with specific service account permissions | |
| ### have terraform make new account | |
| ### have terraform make a RG | |
| ### assign a contributor to the RG | |
| ### set spending limits in the RG | |
| # Tenant T1 ~ O365 [email protected] | |
| ## AppRegistration <==> Service Accounts <-- Azure AD == Tenant ... Auth+Ident | |
| # Subscription X | |
| ## 1) create things in azure (vm, storage, ...) <-- infrastructure CRUD (mgmt plane) | |
| ## 2) s3 bucket access policies <-- infrastructure policies RBAC (dataplane) | |
| # Subscription Y | |
| ## | |
| ## | |
| ## | |
# this is like a service account (an Azure service account that can create any Azure resource)
# service accounts can create other service accounts that operate in arbitrary Resource Groups
| # typically: | |
| ## azure contributor on a subscription | |
| ## 1) contributor runs tf commands by hand | |
| ## or | |
| ## 2) create a service principal by hand "tf1" (through the azure UI) | |
| ## 2.1) give Azure AD permissions to tf1 so that | |
# Attaches the generated password to the service principal as a client
# secret. Created under the same condition as random_password.passwd, so the
# [count.index] lookup is always in range. Expiry follows the rotation clock.
resource "azuread_service_principal_password" "main" {
  count = var.enable_service_principal_certificate == true ? 0 : 1

  service_principal_id = azuread_service_principal.main.id
  end_date             = time_rotating.main.rotation_rfc3339
  value                = random_password.passwd[count.index].result
}
# One Azure RBAC assignment per entry in var.assignments (scope +
# role_definition_name), all granted to the service principal's object_id.
# NOTE(review): with count, removing or reordering an entry shifts the
# indices and makes Terraform destroy/recreate the later assignments — a
# window in which the principal is missing permissions. for_each keyed on
# scope+role (with moved blocks for existing state) avoids that; left as-is
# here because it changes the resource addresses callers may reference.
resource "azurerm_role_assignment" "main" {
  count                = length(var.assignments)
  scope                = var.assignments[count.index].scope
  role_definition_name = var.assignments[count.index].role_definition_name
  principal_id         = azuread_service_principal.main.object_id
}
# Certificate credential for the service principal, used instead of the
# password when var.enable_service_principal_certificate is true. The
# certificate is read from disk at plan time via file(), and its contents are
# recorded in state. Expiry follows the same rotation clock as the password.
resource "azuread_service_principal_certificate" "main" {
  count = var.enable_service_principal_certificate != true ? 0 : 1

  service_principal_id = azuread_service_principal.main.id
  end_date             = time_rotating.main.rotation_rfc3339
  type                 = var.certificate_type
  value                = file(var.certificate_path)
}