From 79eca9c9c8ee2ed2bc1ec4dbdb8eb098de488ff8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Chase=20=E6=9D=8E?=
Date: Fri, 15 Nov 2024 21:46:31 -0600
Subject: [PATCH 1/3] Adding pfsense resources for ACME certificate renewal credentials.

---
 azure/terraform/stacks/acm-general/pfsense.tf | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 azure/terraform/stacks/acm-general/pfsense.tf

diff --git a/azure/terraform/stacks/acm-general/pfsense.tf b/azure/terraform/stacks/acm-general/pfsense.tf
new file mode 100644
index 0000000..deaea21
--- /dev/null
+++ b/azure/terraform/stacks/acm-general/pfsense.tf
@@ -0,0 +1,40 @@
+# https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS
+#
+# This is a service principal that is used by PFSense to manage DNS records
+# for the ACME challenges.
+
+
+# az ad sp create-for-rbac --name pfsenseServiceApp --role "DNS Zone Contributor" --scopes /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/acme-general/providers/Microsoft.Network/dnszones/acme.chase.net
+
+resource "azuread_application" "pfsense" {
+ display_name = "pfsenseServiceApp"
+ owners = var.additional_owner_ids
+}
+
+resource "azuread_service_principal" "pfsense" {
+ client_id = azuread_application.pfsense.client_id
+ description = "Service Principal for on-prem pfSense"
+ owners = var.additional_owner_ids
+}
+
+resource "azuread_service_principal_password" "pfsense" {
+ service_principal_id = azuread_service_principal.pfsense.id
+ display_name = "pfsensePassword"
+}
+
+# Lookup existing role asisgnments
+# `az role assignment list --all | grep "" -B10 -A10`
+resource "azurerm_role_assignment" "pfsense_dns_contributor" {
+ scope = data.azurerm_dns_zone.acmuic_org.id
+ role_definition_name = "DNS Zone Contributor"
+ principal_id = azuread_service_principal.pfsense.object_id
+}
+
+output "pfsense_service_principal_id" {
+ value = azuread_service_principal.pfsense.id
+}
+
+output "pfsense_service_principal_password" {
+ value = azuread_service_principal_password.pfsense.value
+ sensitive = true
+}

From 186025f6faa8a58c0ea0ab456c5a7c1b8cfee918 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Chase=20=E6=9D=8E?=
Date: Fri, 15 Nov 2024 21:50:32 -0600
Subject: [PATCH 2/3] Adding additional comments about sp password. Linting.

---
 azure/terraform/stacks/acm-general/pfsense.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/azure/terraform/stacks/acm-general/pfsense.tf b/azure/terraform/stacks/acm-general/pfsense.tf
index deaea21..8df231d 100644
--- a/azure/terraform/stacks/acm-general/pfsense.tf
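Review bot: The `azuread_service_principal_password.pfsense` resource sets no `end_date`/`end_date_relative` and no rotation trigger, so the secret's lifetime is whatever the provider defaults to and the only way to rotate it is to taint the resource by hand; pin it explicitly, e.g. `end_date_relative = "8760h"`, and decide how the new value reaches pfSense when it rolls. `sensitive = true` on the `pfsense_service_principal_password` output only masks CLI output — the plaintext secret still lands in Terraform state, so the backend holding this stack's state needs access control at least as tight as the firewall itself. The `DNS Zone Contributor` assignment lets a compromised pfSense box rewrite every record in the zone rather than only the `_acme-challenge` TXT records DNS-01 needs; if the zone is shared with anything else, a custom role limited to `Microsoft.Network/dnsZones/read` and `Microsoft.Network/dnsZones/TXT/*` would be the least-privilege fit. `data.azurerm_dns_zone.acmuic_org` is referenced but not declared in this hunk, presumably elsewhere in the stack.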
+++ b/azure/terraform/stacks/acm-general/pfsense.tf
@@ -17,6 +17,9 @@ resource "azuread_service_principal" "pfsense" {
 owners = var.additional_owner_ids
 }
 
+# This password exires every 2 years
+# You'll need to update this in pfSense manually:
+# Services > Acme Certificates > (edit the cert) > Domain SAN list > (expand(+) DNS-Azure (Microsoft) > Client Secret
 resource "azuread_service_principal_password" "pfsense" {
 service_principal_id = azuread_service_principal.pfsense.id
 display_name = "pfsensePassword"
@@ -35,6 +38,6 @@ output "pfsense_service_principal_id" {
 }
 
 output "pfsense_service_principal_password" {
- value = azuread_service_principal_password.pfsense.value
+ value = azuread_service_principal_password.pfsense.value
 sensitive = true
 }

From c6a84bdfd5a03bdd3b2dc4f75143045ae216be6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Chase=20=E6=9D=8E?=
Date: Fri, 15 Nov 2024 21:54:59 -0600
Subject: [PATCH 3/3] Removing extraneous comment.

---
 azure/terraform/stacks/acm-general/pfsense.tf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/azure/terraform/stacks/acm-general/pfsense.tf b/azure/terraform/stacks/acm-general/pfsense.tf
index 8df231d..a5da19e 100644
--- a/azure/terraform/stacks/acm-general/pfsense.tf
+++ b/azure/terraform/stacks/acm-general/pfsense.tf
@@ -3,9 +3,6 @@
 # This is a service principal that is used by PFSense to manage DNS records
 # for the ACME challenges.
 
-
-# az ad sp create-for-rbac --name pfsenseServiceApp --role "DNS Zone Contributor" --scopes /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/acme-general/providers/Microsoft.Network/dnszones/acme.chase.net
-
 resource "azuread_application" "pfsense" {
 display_name = "pfsenseServiceApp"
 owners = var.additional_owner_ids
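Review bot: The added comment asserts the password expires every 2 years, but nothing in the `azuread_service_principal_password` block directly below it sets a lifetime, so the claim rests on a provider default that can change between provider versions and the comment will silently go stale; make it true in code with `end_date_relative = "17520h"` on the resource, and fix the typo in `# This password exires every 2 years` to `expires`. The pfSense navigation path is helpful, but it is also worth noting there that any Terraform run that replaces this resource (for example a changed `end_date_relative`) invalidates the secret currently configured in pfSense until it is re-entered. The second hunk of this patch only realigns whitespace.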