Skip to content

Instantly share code, notes, and snippets.

@zawyelwin

zawyelwin/az-aad-rbac.tf

Created November 19, 2020 11:58
Show Gist options
  • Save zawyelwin/3af3aaab50deff93680bfc3787007654 to your computer and use it in GitHub Desktop.
Save zawyelwin/3af3aaab50deff93680bfc3787007654 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
az-aad-rbac.tf
######################################################################### SERVER
resource "azuread_application" "server" {
name = "k8s_server"
reply_urls = ["http://k8s_server"]
type = "webapp/api"
# this is important, as stated by the documentation
group_membership_claims = "All"
required_resource_access {
# Windows Azure Active Directory API
resource_app_id = "00000002-0000-0000-c000-000000000000"
resource_access {
# DELEGATED PERMISSIONS: "Sign in and read user profile":
# 311a71cc-e848-46a1-bdf8-97ff7156d8e6
id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
type = "Scope"
}
}
required_resource_access {
# MicrosoftGraph API
resource_app_id = "00000003-0000-0000-c000-000000000000"
# APPLICATION PERMISSIONS: "Read directory data":
# 7ab1d382-f21e-4acd-a863-ba3e13f7da61
resource_access {
id = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
type = "Role"
}
# DELEGATED PERMISSIONS: "Sign in and read user profile":
# e1fe6dd8-ba31-4d61-89e7-88639da4683d
resource_access {
id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
type = "Scope"
}
# DELEGATED PERMISSIONS: "Read directory data":
# 06da0dbc-49e2-44d2-8312-53f166ab848a
resource_access {
id = "06da0dbc-49e2-44d2-8312-53f166ab848a"
type = "Scope"
}
}
}
resource "azuread_service_principal" "server" {
application_id = azuread_application.server.application_id
}
resource "azuread_service_principal_password" "server" {
service_principal_id = azuread_service_principal.server.id
value = random_string.application_server_password.result
end_date = timeadd(timestamp(), "87600h") # 10 years
# The end date will change at each run (terraform apply), causing a new password to
# be set. So we ignore changes on this field in the resource lifecyle to avoid this
# behaviour.
# If the desired behaviour is to change the end date, then the resource must be
# manually tainted.
lifecycle {
ignore_changes = ["end_date"]
}
}
resource "random_string" "application_server_password" {
length = 16
special = true
keepers = {
service_principal = azuread_service_principal.server.id
}
}
######################################################################### CLIENT
resource "azuread_application" "client" {
name = "k8s_client"
reply_urls = ["http://k8s_client"]
# This is necessary that the client app is of type "native".
# Only allowed since the 0.4.0 version of the azuread Terraform provider.
type = "native"
required_resource_access {
# Windows Azure Active Directory API
resource_app_id = "00000002-0000-0000-c000-000000000000"
resource_access {
# DELEGATED PERMISSIONS: "Sign in and read user profile":
# 311a71cc-e848-46a1-bdf8-97ff7156d8e6
id = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
type = "Scope"
}
}
# This is where we allow the client app to do requets to the server app.
required_resource_access {
# AKS ad application server
resource_app_id = azuread_application.server.application_id
resource_access {
# Server app Oauth2 permissions id
id = lookup(azuread_application.server.oauth2_permissions[0], "id")
type = "Scope"
}
}
}
resource "azuread_service_principal" "client" {
application_id = azuread_application.client.application_id
}
resource "azuread_service_principal_password" "client" {
service_principal_id = azuread_service_principal.client.id
value = random_string.application_client_password.result
end_date = timeadd(timestamp(), "87600h") # 10 years
# Same justification as the server service principal.
lifecycle {
ignore_changes = ["end_date"]
}
}
resource "random_string" "application_client_password" {
length = 16
special = true
keepers = {
service_principal = azuread_service_principal.client.id
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment