@@ -81,6 +81,9 @@ data "azuread_service_principal" "msgraph" {
81
81
resource "azuread_application" "meshcloud_replicator" {
82
82
display_name = " replicator.${ var . service_principal_name_suffix } "
83
83
84
+ feature_tags {
85
+ enterprise = true
86
+ }
84
87
web {
85
88
implicit_grant {
86
89
access_token_issuance_enabled = false
@@ -132,18 +135,39 @@ resource "azuread_application" "meshcloud_replicator" {
132
135
}
133
136
}
134
137
138
+ // ---------------------------------------------------------------------------
139
+ // Create new client secret and associate it with the previous application
140
+ // ---------------------------------------------------------------------------
141
+ resource "time_rotating" "replicator_secret_rotation" {
142
+ rotation_days = 365
143
+ }
144
+ resource "azuread_application_password" "service_principal_pw" {
145
+ application_object_id = azuread_application. meshcloud_replicator . object_id
146
+ rotate_when_changed = {
147
+ rotation = time_rotating.replicator_secret_rotation.id
148
+ }
149
+ }
150
+
135
151
// ---------------------------------------------------------------------------
136
152
// Create new Enterprise Application and associate it with the previous application
137
153
// ---------------------------------------------------------------------------
138
154
resource "azuread_service_principal" "meshcloud_replicator" {
139
155
application_id = azuread_application. meshcloud_replicator . application_id
140
156
# The following tags are needed to create an Enterprise Application
141
157
# See https://github.com/hashicorp/terraform-provider-azuread/issues/7#issuecomment-529597534
142
- tags = [
143
- " WindowsAzureActiveDirectoryIntegratedApp" ,
144
- ]
158
+ # tags = [
159
+ # "WindowsAzureActiveDirectoryIntegratedApp",
160
+ # ]
145
161
}
146
162
163
+ # //---------------------------------------------------------------------------
164
+ # // Generate new password for the service principal
165
+ # //---------------------------------------------------------------------------
166
+ # resource "azuread_service_principal_password" "service_principal_pw" {
167
+ # service_principal_id = azuread_service_principal.meshcloud_replicator.id
168
+ # end_date = "2999-01-01T01:02:03Z" # no expiry
169
+ # }
170
+
147
171
// ---------------------------------------------------------------------------
148
172
// Assign the created ARM role to the Enterprise application
149
173
// ---------------------------------------------------------------------------
@@ -174,14 +198,6 @@ resource "azuread_app_role_assignment" "meshcloud_replicator-user" {
174
198
resource_object_id = data. azuread_service_principal . msgraph . object_id
175
199
}
176
200
177
- // ---------------------------------------------------------------------------
178
- // Generate new password for the service principal
179
- // ---------------------------------------------------------------------------
180
- resource "azuread_service_principal_password" "service_principal_pw" {
181
- service_principal_id = azuread_service_principal. meshcloud_replicator . id
182
- end_date = " 2999-01-01T01:02:03Z" # no expiry
183
- }
184
-
185
201
186
202
// ---------------------------------------------------------------------------
187
203
// Policy Definition for preventing the Application from assigning other privileges to itself
@@ -229,7 +245,7 @@ resource "azurerm_management_group_policy_assignment" "privilege-escalation-prev
229
245
# }
230
246
231
247
# facilitate migration from v0.1.0 of the module
232
- moved {
233
- from = azuread_service_principal_password . spp_pw
234
- to = azuread_service_principal_password . service_principal_pw
235
- }
248
+ # moved {
249
+ # from = azuread_application_password .spp_pw
250
+ # to = azuread_application_password .service_principal_pw
251
+ # }
0 commit comments