
Feature: Auto-Generate New User Passwords - azuread_user

Threpio opened this issue 3 years ago (4 comments)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Hi there.

When I am creating a new user in Azuread with terraform I am not given the option that I would be through the portal to Auto Generate the password of the new user. I do not require the password to be set as an output of the new-user creation but I find it clumsy to have to define a random tf resource to implement the required password.

I would like there to be a flag that can be set so that, if the user is new (and not an imported one), it creates an auto-generated password (either through the API or otherwise) and sets it on the user.

I currently modularise all of the users in our Azuread setup. Importing a user is very easy but if I want to create a new user then I have to use a different module that includes a password field and generates one.

I would like the logic to be as follows:

```go
// Pseudocode: only a newly created user gets a generated password;
// an existing (imported) user's password is left untouched.
if !UserExistsBool {
  generate_password
} else {
  do_not_change_password
}
```

New or Affected Resource(s)

azuread_user

Potential Terraform Configuration

```hcl
resource "azuread_user" "tha" {
  user_principal_name = "[email protected]"
  display_name        = "J. Doe"
  mail_nickname       = "jdoe"
  generate_password   = true
}
```

References

  • #0000

Threpio, Oct 06 '21 07:10

Hi @Threpio, thanks for requesting this. If we were to auto generate passwords for new users, there would be no way to retrieve or expose this in Terraform, as the password is never returned back by the API. Obviously we would know the value that was generated, but for this reason we could not reliably set an attribute, which means any user accounts you created with such an option would be unusable.

One approach I have seen is to generate (or hardcode) a somewhat strong random slug, and concatenate this with well-known attributes for the user, to create a predictable temporary password in order that the user can perform their initial sign-in.

As the implementation of an option like this would be unreliable and prone to leaving accounts in an unusable state, unfortunately I don't believe we can implement this. I hope this makes sense!

I'm happy to leave this issue open for a while in case other ideas come up which improve the feasibility here :)

manicminer, Oct 12 '21 21:10

Yes, I completely understand the points made. I do however believe that creating the user with a random password that is NOT returned allows the user to be created and managed within a terraform environment without it needing to be created externally and then imported. I believe that this flag would allow the user to be created; the sysadmin of the company/team would then be able to manually reset the password within the UI, and that password could be bundled within an email to the new user as an introduction.

Threpio, Oct 15 '21 16:10

I note that in order for this to be applied, whatever random password we create and pass would have to conform to the password policies that could be defined.

I had a look but couldn't seem to find one: is there a way in the client to pass an 'Auto-generate' password header/client/param to Azure to allow them to create it?

Threpio, Oct 21 '21 09:10

We use the following to work around the issue of passwords.

We generate a random password but we don't care what it is. When we create a new user in terraform we ask the user to use the "reset password" functionality on first login.

This removes the whole need to know the initial password at all.

For this to work, we need to specify an alternate email address and/or mobile phone number at creation time, as it's not possible to reset the password without this info.

Since we don't care about the password, we simply add it to ignore_changes.

And since the password is in the ignore_changes you can also import existing users and terraform will not bother to update/change it, so this works too.

Our terraform looks similar to this (except we have it in a for_each loop):

```hcl
resource "random_password" "example" {
  length  = 32
  special = true
  lower   = true
  upper   = true
  number  = true
}

resource "azuread_user" "example" {
  user_principal_name = "[email protected]"

  # Specify these to allow reset password even if the user never logged in at all.
  # At least one of these needs to be specified.
  mobile_phone = "+44 1111111111"
  other_mails = [
    "[email protected]",
  ]

  # We don't care about the password at all
  password = random_password.example.result

  lifecycle {
    ignore_changes = [
      password
    ]
  }
}
```

ppanyukov, Oct 28 '21 18:10
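The workaround above, written out as the for_each version the commenter mentions, as an added example that is not the commenter's own configuration: one throwaway `random_password` per user, `ignore_changes` on `password`, and an input validation that enforces the "at least one of mobile_phone or other_mails" requirement so self-service reset cannot be silently broken for a user. The variable names (`var.users`, `var.domain`) are assumptions, and `optional()` in the object type needs Terraform 1.3 or newer.

```hcl
# Added example: map of users keyed by mail nickname (names are assumptions).
variable "users" {
  type = map(object({
    display_name = string
    mobile_phone = optional(string)
    other_mails  = optional(list(string), [])
  }))

  validation {
    # Self-service password reset needs a recovery contact for every user,
    # otherwise the random initial password locks that account out.
    condition = alltrue([
      for u in var.users : u.mobile_phone != null || length(u.other_mails) > 0
    ])
    error_message = "Each user needs mobile_phone or at least one other_mails entry."
  }
}

variable "domain" {
  type = string # e.g. the tenant's verified domain (placeholder, supplied by the caller)
}

# One throwaway initial password per user; its value is never read back or output.
resource "random_password" "initial" {
  for_each = var.users
  length   = 32
  special  = true
  lower    = true
  upper    = true
  number   = true
}

resource "azuread_user" "this" {
  for_each            = var.users
  user_principal_name = "${each.key}@${var.domain}"
  display_name        = each.value.display_name
  mail_nickname       = each.key
  mobile_phone        = each.value.mobile_phone
  other_mails         = each.value.other_mails

  # Initial password only; the user resets it on first sign-in.
  password = random_password.initial[each.key].result

  lifecycle {
    # Imported users keep their existing password; new users keep the random one.
    ignore_changes = [password]
  }
}
```

Because `password` is ignored after creation, existing users can be imported into the same `for_each` without Terraform trying to overwrite their password.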