The Azure AD Application and Service Principal Terraform module streamlines the process of creating and configuring applications within Azure Active Directory (Azure AD)
- Azure AD Application Creation: The module automates the creation of applications within Azure AD
- Service Principal Association: Alongside application creation, the module establishes the necessary association with a service principal.
- Azure Web App Authentication Integration: The module goes beyond basic application setup by providing specialized support for Azure Web App authentication. It simplifies the integration of your application with Azure Web App authentication mechanisms.
module "app" {
source = "Redevaerk/application/azuread"
version = "x.x.x"
display_name = var.display_name
generate_password = true
}- Simple - This example will create application and generate a secret with default configuration.
- Build Image With Context - This example will create application with custom configuration.
- Web APP Authentication - This example create application with default configuration to work with Web Apps.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| azuread | >2.0.0 |
| random | >= 3.0.0 |
| Name | Version |
|---|---|
| azuread | >2.0.0 |
| random | >= 3.0.0 |
| Name | Source | Version |
|---|---|---|
| service_principal | ./modules/service-principal | n/a |
| service_principal_msgraph | ./modules/service-principal | n/a |
| Name | Type |
|---|---|
| azuread_application.this | resource |
| azuread_application_password.this | resource |
| azuread_service_principal_delegated_permission_grant.web_app_grant | resource |
| random_uuid.web_app_uuid | resource |
| azuread_application_published_app_ids.well_known | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| api | An optional api block, which configures API related settings for this application. | object({ |
null |
no |
| app_role | A collection of app_role blocks. | any |
[] |
no |
| create_service_principal | Indicates if want to create a service principal for application. | bool |
true |
no |
| device_only_auth_enabled | Specifies whether this application supports device authentication without a user. | bool |
false |
no |
| display_name | The display name for the application. | string |
n/a | yes |
| end_date | The end date until which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). | string |
null |
no |
| end_date_relative | A relative duration for which the password is valid until, for example 240h (10 days) or 2400h30m. | string |
null |
no |
| fallback_public_client_enabled | Specifies whether the application is a public client. Appropriate for apps using token grant flows that don't use a redirect URI. | bool |
false |
no |
| generate_password | Indicates if want to generate a password for application | bool |
false |
no |
| group_membership_claims | Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are None, SecurityGroup or All. |
list(string) |
[ |
no |
| identifier_uris | A list of user-defined URI(s) that uniquely identify a Web application within it's Azure AD tenant, or within a verified custom domain if the application is multi-tenant. | list(string) |
[] |
no |
| logo_image | A logo image to upload for the application, as a raw base64-encoded string. The image should be in gif, jpeg or png format. Note that once an image has been uploaded, it is not possible to remove it without replacing it with another image. | string |
null |
no |
| marketing_url | The URL to the application's home page. If no homepage is specified this defaults to https://{name} |
string |
null |
no |
| oauth2_post_response_required | Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. | bool |
false |
no |
| optional_claims | An optional claim block. | any |
null |
no |
| owners | A set of object IDs of principals that will be granted ownership of the application. Supported object types are users or service principals. | list(string) |
[] |
no |
| prevent_duplicate_names | If true, will return an error if an existing application is found with the same name. | bool |
false |
no |
| privacy_statement_url | URL of the application's privacy statement. | string |
null |
no |
| public_client | To configure non-web app or non-web API application settings, for example mobile or other public clients such as an installed application running on a desktop device. Must be a valid https or ms-appx-web URL. | any |
null |
no |
| required_resource_access | A collection of required resource access for this application. | any |
null |
no |
| rotate_when_changed | A map of arbitrary key/value pairs that will force recreation of the password when they change, enabling password rotation based on external conditions such as a rotating timestamp. | map(string) |
null |
no |
| sign_in_audience | The Microsoft account types that are supported for the current application. Must be one of AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount. |
string |
"AzureADMyOrg" |
no |
| single_page_application | A single_page_application block, which configures single-page application (SPA) related settings for this application. Must be https. | any |
null |
no |
| sp_app_role_assignment_required | Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. | bool |
false |
no |
| sp_enterprise_tag | Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. | bool |
false |
no |
| sp_owners | A set of object IDs of principals that will be granted ownership of both the AAD Application and associated Service Principal. Supported object types are users or service principals. | list(string) |
[] |
no |
| start_date | The start date from which the password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn't specified, the current date is used. | string |
null |
no |
| support_url | URL of the application's support page. | string |
null |
no |
| support_web_app_auth | Set it to true if want use the application to authentication Azure Web App via Active Directory. | bool |
false |
no |
| tags | A set of tags to apply to the application. Cannot be used together with the feature_tags block | list(string) |
[] |
no |
| template_id | Unique ID for a templated application in the Azure AD App Gallery, from which to create the application. | string |
null |
no |
| terms_of_service_url | URL of the application's terms of service statement. | string |
null |
no |
| web | Configures web related settings for this application. | object({ |
null |
no |
| web_app_add_default_redirect_uri | Whether to add the application's default URI to the list of redirect URIs. | bool |
true |
no |
| web_app_homepage | The URL to the application's home page. If no homepage is specified this defaults' | string |
null |
no |
| web_app_name | The name of the Azure Web App. | string |
null |
no |
| web_app_redirect_uris | A list of URIs that Azure AD should use to redirect users to the application's' | list(string) |
[] |
no |
| Name | Description |
|---|---|
| app_client_secret | App password of AzureAD application created |
| app_role_ids | A mapping of app role values to app role IDs, intended to be useful when referencing app roles in other resources in your configuration. |
| client_id | The application id of AzureAD application created. |
| disabled_by_microsoft | Whether Microsoft has disabled the registered application. If the application is disabled, this will be a string indicating the status/reason, e.g. DisabledDueToViolationOfServicesAgreement. |
| logo_url | CDN URL to the application's logo, as uploaded with the logo_image property. |
| oauth2_permission_scope_ids | A mapping of OAuth2.0 permission scope values to scope IDs, intended to be useful when referencing permission scopes in other resources in your configuration. |
| object_id | The object id of application. Can be used to assign roles to user. |
| publisher_domain | The verified publisher domain for the application. |
| sp_object_id | Azure Service Principal Object ID. |
Apache 2 Licensed. See LICENSE for full details.