@devops-adeel
Last active October 11, 2023 15:30
Terraform snippet to set up the AzureAD auth method.
locals {
  # Module inputs re-exported under one local name each. mount_accessor and
  # aad_group are consumed by the identity-group resources below;
  # `application` is not referenced by the blocks shown here.
  mount_accessor = var.mount_accessor
  application    = var.application_name
  aad_group      = var.aad_group
}
# Look up the Azure AD group whose members should be mapped into Vault; its
# object_id is what the vault_identity_group_alias below is keyed on.
# NOTE(review): display names are not unique in Azure AD, so this lookup can
# resolve to a different group than intended if a name collides; pinning the
# group by object_id would make the policy binding unambiguous.
data "azuread_group" "default" {
  display_name = local.aad_group
}
# External identity group that Azure AD group members are mapped into.
# external_policies = true leaves policy assignment to the separate
# vault_identity_group_policies resource rather than this block.
resource "vault_identity_group" "default" {
  type              = "external"
  external_policies = true
  name              = local.aad_group
}
# Alias that ties the external group above to the Azure AD group on the mount
# identified by mount_accessor. The alias name is the Azure AD group's
# object_id rather than its display name, presumably because that is the
# value carried in the token's groups claim.
resource "vault_identity_group_alias" "default" {
  canonical_id   = vault_identity_group.default.id
  mount_accessor = local.mount_accessor
  name           = data.azuread_group.default.object_id
}
# Policies granted to members of the external group. Going by its name,
# ns_admin is a broad grant, so membership in the Azure AD group above is the
# effective admin boundary. exclusive = false leaves any policies attached to
# the group outside Terraform in place.
resource "vault_identity_group_policies" "default" {
  policies  = ["ns_admin"]
  exclusive = false
  group_id  = vault_identity_group.default.id
}
# Well-known application IDs of Microsoft first-party apps; used below to
# reference Microsoft Graph (result.MicrosoftGraph) without hard-coding it.
data "azuread_application_published_app_ids" "default" {}
# Identity of the principal running Terraform; supplies the application and
# service-principal owner (object_id) and the tenant_id used in the OIDC
# discovery URL.
data "azuread_client_config" "default" {}
# Handle on the tenant's Microsoft Graph service principal, needed to resolve
# Graph permission IDs by name. use_existing = true adopts the principal that
# already exists in the tenant instead of creating another.
resource "azuread_service_principal" "graph" {
  use_existing   = true
  application_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph
}
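# App registration that Vault uses as its OIDC client.
resource "azuread_application" "default" {
  display_name = "hashicorp-vault-app"
  # Fail the apply instead of silently creating a second app with this name.
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.default.object_id]
  # Put the user's security-group membership into the token's groups claim.
  group_membership_claims = ["SecurityGroup"]

  web {
    # First entry is the public Vault UI callback for this deployment
    # ("vault.com" reads as a placeholder to replace); the localhost entry
    # appears to be the local listener used for CLI logins.
    redirect_uris = [
      "https://vault.com:8200/ui/vault/auth/oidc/oidc/callback",
      "http://localhost:8250/oidc/callback"
    ]
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }

  optional_claims {
    id_token {
      name                  = "groups"
      additional_properties = []
    }
  }

  # Delegated Microsoft Graph permission so group membership can be resolved
  # on the signed-in user's behalf. type = "Scope" denotes a delegated
  # permission, so the id must come from oauth2_permission_scope_ids;
  # app_role_ids holds application permissions (type = "Role") and is the
  # wrong map to pair with a Scope entry.
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph
    resource_access {
      id   = azuread_service_principal.graph.oauth2_permission_scope_ids["GroupMember.Read.All"]
      type = "Scope"
    }
  }
}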
# Service principal for the Vault app registration in this tenant, owned by
# the principal running Terraform.
resource "azuread_service_principal" "vault" {
  owners         = [data.azuread_client_config.default.object_id]
  application_id = azuread_application.default.application_id
}
locals {
  # Azure AD v2.0 issuer URL for the current tenant; used as the auth
  # backend's oidc_discovery_url below.
  oidc_url = "https://login.microsoftonline.com/${data.azuread_client_config.default.tenant_id}/v2.0"
}
# NOTE(review): data.azuread_client_config.default is also declared earlier in
# this snippet. Terraform rejects two data blocks of the same type and name in
# one module, so this half presumably lives in a separate root/module (it also
# re-reads the app registration via a data source instead of the resource).
data "azuread_client_config" "default" {}
# Re-read the Vault app registration by display name; presumably the app
# created by the first half of this snippet or by another module.
data "azuread_application" "default" {
  display_name = var.application_name
}
# Client secret for the Vault app registration. The generated value is
# exposed as client_secret and therefore lands in Terraform state, so the
# state backend has to be treated as secret material.
# 17250h is roughly 719 days; nothing here rotates the secret before that
# (the provider's rotate_when_changed argument can drive rotation).
resource "azuread_application_password" "default" {
  end_date_relative     = "17250h"
  application_object_id = data.azuread_application.default.object_id
  display_name          = var.application_name
}
# OIDC auth method mounted at auth/oidc, backed by Azure AD.
resource "vault_jwt_auth_backend" "default" {
  path        = "oidc"
  type        = "oidc"
  description = "Vault OIDC Auth Method"

  # Enables Vault's Azure-specific provider handling for this mount.
  provider_config = { provider = "azure" }

  oidc_discovery_url = local.oidc_url
  oidc_client_id     = data.azuread_application.default.application_id
  oidc_client_secret = azuread_application_password.default.client_secret

  # Logins that do not name a role fall into default_deny, which is defined
  # below without any policies of its own.
  default_role = "default_deny"

  tune {
    # 768h = 32 days, for both the default and the ceiling.
    # NOTE(review): a 32-day ceiling is long for interactive logins; confirm
    # it is intended.
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}
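# Role that OIDC logins land in unless another is named. It grants nothing by
# itself: token_no_default_policy = true and no token_policies means a fresh
# token carries only the policies attached through the external group.
resource "vault_jwt_auth_backend_role" "default" {
  backend = vault_jwt_auth_backend.default.path
  # Take the role type from the backend's type, not its mount path; the two
  # only coincided because the path happens to be "oidc".
  role_type = vault_jwt_auth_backend.default.type
  role_name = "default_deny"

  oidc_scopes = ["profile", "https://graph.microsoft.com/.default"]
  # Redirect URIs are read back from the app registration so the two cannot
  # drift apart; web is a single block, so index it directly.
  allowed_redirect_uris = data.azuread_application.default.web[0].redirect_uris

  # NOTE(review): Azure AD v2.0 tokens do not always carry `email` for managed
  # users unless the email scope or optional claim is configured; confirm the
  # tenant issues it, otherwise logins fail on the missing user claim.
  user_claim   = "email"
  groups_claim = "groups"

  token_no_default_policy = true
  # NOTE(review): no bound_claims, so any tenant user who completes login
  # receives a (policy-less) token; add bound_claims if login itself should
  # be limited to the mapped groups.
}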