terraform-provider-azuread
Export OIDC issuer URL as attribute of azuread_application
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
To configure login via OIDC at various systems, I need to know the URL of the OIDC issuer. This URL is stored in the JWTs issued by Entra ID as the iss claim and will be validated by the system I want to authenticate at.
In most of my use cases, this URL can be terraformed like this: https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/ , but in some cases the OIDC issuer URL might be different (e.g. when using v1 tokens, the URL might be something like https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/ ). It would be great if the azuread_application resource could provide an attribute that I can use instead of my hardcoded, hand-crafted string.
An example of how this attribute could be implemented can be found in the AzureRM provider; the azurerm_kubernetes_cluster resource exports an attribute called oidc_issuer_url which I can directly use to configure e.g. federated credentials for Workload Identity.
New or Affected Resource(s)
azuread_application
Potential Terraform Configuration
To make my use case clearer, I am providing an example where I try to configure the boundary_auth_method_oidc resource from the hashicorp/boundary provider using attributes from azuread_application.
variable "boundary_url" {
  type = string
}

# Resource label is "boundary_oidc_auth" so that the references below resolve
resource "azuread_application" "boundary_oidc_auth" {
  display_name            = "Boundary (OIDC auth)"
  group_membership_claims = ["All"]

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }
    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
    resource_access {
      id   = "98830695-27a2-44f7-8c18-0c3ebc9698f6" # GroupMember.Read.All
      type = "Role"
    }
  }

  web {
    logout_url    = "${var.boundary_url}:3000"
    redirect_uris = ["${var.boundary_url}/v1/auth-methods/oidc:authenticate:callback"]
  }
}

resource "azuread_application_password" "boundary_oidc_auth" {
  application_id = azuread_application.boundary_oidc_auth.id
  display_name   = "Boundary (OIDC auth) client secret"
}

resource "azuread_service_principal" "boundary_oidc_auth" {
  client_id = azuread_application.boundary_oidc_auth.client_id
}

resource "boundary_auth_method_oidc" "entra_id" {
  # Using the proposed attribute from azuread_application instead of hardcoding the issuer
  issuer             = azuread_application.boundary_oidc_auth.oidc_issuer_url
  name               = "Microsoft Entra ID"
  description        = "OIDC auth method using Microsoft Entra ID"
  scope_id           = "global"
  client_id          = azuread_application.boundary_oidc_auth.client_id
  client_secret      = azuread_application_password.boundary_oidc_auth.value
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.boundary_url
}
References
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#oidc_issuer_url
I don't believe there is an endpoint to fetch this URL. And I also believe that (as of now at least) it's either https://login.microsoftonline.com/<tenant-id> for v2 tokens or https://sts.windows.net/<tenant-id> for v1 tokens. So you could do something like:
variable "boundary_url" {
  type = string
}

data "azuread_client_config" "current" {}

resource "azuread_application" "boundary_oidc_auth" {
  display_name = "Boundary (OIDC auth)"
  ...

  # Pin the token version so the issuer can be derived from configuration
  api {
    requested_access_token_version = 2
  }
}

resource "azuread_application_password" "boundary_oidc_auth" {
  application_id = azuread_application.boundary_oidc_auth.id
  display_name   = "Boundary (OIDC auth) client secret"
}

resource "boundary_auth_method_oidc" "entra_id" {
  # "api" is a single-item nested block, so it is referenced as api[0]
  issuer = (azuread_application.boundary_oidc_auth.api[0].requested_access_token_version == 1 ?
    "https://sts.windows.net/${data.azuread_client_config.current.tenant_id}/" :
    "https://login.microsoftonline.com/${data.azuread_client_config.current.tenant_id}/")
  name               = "Microsoft Entra ID"
  description        = "OIDC auth method using Microsoft Entra ID"
  scope_id           = "global"
  client_id          = azuread_application.boundary_oidc_auth.client_id
  client_secret      = azuread_application_password.boundary_oidc_auth.value
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.boundary_url
}
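The issuer selection from the reply above, written out in Python as an added example (not code from the issue, the provider or HashiCorp): it derives the expected issuer from the tenant ID and the requested token version, parses an incoming iss claim back into tenant and version, and does the exact-match check a relying party should perform. The tenant ID and claims are constructed sample values; the v2 issuer here carries the `/v2.0` suffix published in the tenant's OpenID configuration document, which is the form a validator should compare against rather than the bare tenant URL.

```python
"""Expected-issuer helpers for Entra ID tokens (constructed example, not provider code)."""
import re
from typing import Optional, Tuple

# Issuer templates by requested access token version (tenant-specific, never "common").
V1_ISSUER = "https://sts.windows.net/{tenant}/"
V2_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"

# Recognises exactly the two single-tenant forms and captures the tenant GUID.
_ISSUER_RE = re.compile(
    r"^https://(?:sts\.windows\.net/(?P<v1>[0-9a-f-]{36})/"
    r"|login\.microsoftonline\.com/(?P<v2>[0-9a-f-]{36})/v2\.0)$"
)


def expected_issuer(tenant_id: str, token_version: int) -> str:
    """Mirror the Terraform conditional: choose the issuer by requested token version."""
    if token_version == 1:
        return V1_ISSUER.format(tenant=tenant_id)
    if token_version == 2:
        return V2_ISSUER.format(tenant=tenant_id)
    raise ValueError(f"unsupported requested_access_token_version: {token_version}")


def parse_issuer(iss: str) -> Optional[Tuple[str, int]]:
    """Return (tenant_id, token_version) for a recognised tenant issuer, else None.

    Multi-tenant issuers such as .../common/v2.0 deliberately do not match:
    a relying party bound to one tenant must not accept them.
    """
    m = _ISSUER_RE.match(iss)
    if m is None:
        return None
    if m.group("v1"):
        return m.group("v1"), 1
    return m.group("v2"), 2


def issuer_matches(claims: dict, tenant_id: str, token_version: int) -> bool:
    """Exact string comparison of the iss claim; no prefix or case-insensitive matching."""
    return claims.get("iss") == expected_issuer(tenant_id, token_version)


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed sample tenant ID
    sample_claims = {"iss": expected_issuer(tenant, 1), "aud": "boundary"}  # constructed
    print(parse_issuer(sample_claims["iss"]), issuer_matches(sample_claims, tenant, 1))
```

A mismatch between the version configured in the `api` block and the one the relying party expects shows up here as a rejected token, which is the failure mode to test for before switching `requested_access_token_version`.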