Terraform-provider-azurerm: Feature Request: `azurerm_service_principal`

This is unblocked. The Go SDK for Azure has everything needed to manage lifecycle of AAD Apps/ServicePrincipals, as well as the RBAC Client.

Is there any way this could be picked up in the near future? The inability to provision anything user/access related using the provider is a huge show-stopper for organizations wanting to provision their Azure subscriptions with code.

@tombuildsstuff what's the status on this one?

Does Explicit MSI not change the story here? I assume with explicit MSI I'll be able to create an SP via ARM rather than having to go to Graph?

That's what I had in mind when I filed this originally anyway. It also seems more fitting that "azure_rm" module for identity would use ARM/MSI rather than talking to AAD directly, maybe?

@tombuildsstuff ping on status of this one?

@achandmsft missed your ping here, given the above I'm re-scoping this to focus on Service Principals - which is available in the SDK - Role Assignments can already be managed via Terraform, so that should support this auth story (which can be used for both Users, Service Principals and Service Principals coming from MSI)

Is there guidance from Azure on whether users should go through Graph or Explicit MSI for provisioning service account identities in Terraform-like workflows? @achandmsft ?

@colemickens the guidance is to use Graph as Explicit MSI might not be integrated with all downstream services. However MSI is good to use where available such as with App Service for instance.

I don't understand, isn't explicit MSI creating an AAD identity and app? That's how implict MSI works...

I thought explicit MSI was just being able to provision the service account and then directly re-use it?

Can we get docs for explicit MSI please?

Ah, sorry, docs seem to be public under a slightly different name. :)

https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

A User Assigned Identity (public preview) is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant trusted by the subscription being used. After the identity is created, it can be assigned to one or more Azure service instances. The life cycle of a user assigned identity is managed separately from the life cycle of the Azure service instances it is assigned to.

I had wonder if maybe Explicit MSI would also expose SP/App as an ARM resource, but it seems this isn't the case. So I guess Terraform can only talk to Graph to provision identities. And then MSI only comes into play if you are using an MSI-enabled service and use a system-assigned identity or use a pre-provisioned Graph SP/App as a "system-assigned identity". Hopefully that's an accurate take on it.

I don't know what the ARM API looks like, or if it exists, or if there are schemas/etc, but "identities" are now a first-rate concept support in the Azure CLI for EMSI scenarios. This is presumably what Terraform should be creating, rather than poking Graph directly.

@tombuildsstuff Is this one up for grabs?

I have a project coming up which would benefit from the functionality so I can look at building this out in a PR. On a related note we also want to create Azure AD Users too so I would probably look to create a provider for that functionality too as they're pretty closely related.

@tombuildsstuff what is the current status of this one?

@achandmsft this can be added once #1269 is merged (since it’s dependent on it)

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!