
How to add a certificate to an Azure App Registration #1509

Open
daviewales opened this issue Mar 25, 2024 · 1 comment
Labels
medium_priority Medium priority work in In trying to solve, or in working with contributors

Comments


daviewales commented Mar 25, 2024

SUMMARY

I'm trying to understand how I can add a certificate to an Azure App Registration.

Suppose I have generated a client certificate on the server as follows:

```yaml
# Private key for the client certificate, readable only by the owner.
- name: Ensure private key exists
  community.crypto.openssl_privatekey:
    path: "~/private.key"
    mode: "0600"

# EDIT: CSR is required to specify common_name (CN) for Subject field.
# Azure won't accept certificates without this.
- name: Ensure CSR exists
  community.crypto.openssl_csr_pipe:
    privatekey_path: "~/private.key"
    common_name: example
  register: csr

# Self-signed certificate issued from the CSR above; return_content makes
# the PEM available as test_certificate.certificate in later tasks.
- name: Ensure self-signed certificate exists
  community.crypto.x509_certificate:
    path: "~/certificate.pem"
    privatekey_path: "~/private.key"
    csr_content: "{{ csr.csr }}"
    provider: selfsigned
    mode: "0644"
    return_content: true
  register: test_certificate
```

How can I add this as a client certificate credential to authenticate as a given Azure App Registration?

In the Azure Portal, I could upload the certificate here:

[screenshot: the certificate upload dialog in the Azure Portal, not reproduced]

Alternatively, in Terraform I could use the azuread_application_certificate resource to attach a client certificate to a given application.

However, I can't see how to do the equivalent in Ansible.
My best guess is that I should use the key_value parameter for azure_rm_adapplication?
But it's not super clear in the docs that this is the case.

I note that azure_rm_adpassword appears to be equivalent to Terraform's azuread_application_password. But I can't see the equivalent for client certificates.

ISSUE TYPE

  • Documentation Report

COMPONENT NAME

azure_rm_adapplication

ANSIBLE VERSION

```
❯ ansible --version
ansible [core 2.16.4]
  config file = /home/dwales/.ansible.cfg
  configured module search path = ['/home/dwales/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/dwales/.local/pipx/venvs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/dwales/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/dwales/.local/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/dwales/.local/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.3
  libyaml = True
```

daviewales commented Mar 25, 2024

I figured it out, but it could still be good to update the docs with an example.
To add a certificate to an existing application I did the following:

        - name: Add certificate to app registration
          azure.azcollection.azure_rm_adapplication:
            app_id: "{{ test_app_uuid }}"
            display_name: test-app-registration
            key_value: "{{ test_certificate.certificate }}"
            tenant: "{{ azure_tenant_id }}"
          delegate_to: 127.0.0.1
          run_once: true
          become: no

I assume that if the application didn't already exist, a new one would be created with the given app_id.

EDIT: I didn't figure it out. I thought this had updated the app registration with the key, but it didn't do this.
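The following is an added example and is not code from the issue author or from the azure.azcollection project. It reproduces the key, CSR and self-signed certificate steps of the playbook above with the plain openssl CLI (standing in for the community.crypto modules), enforces the Subject CN requirement that the EDIT comment in the first post mentions, and derives the two values a certificate credential is identified by on the Azure side: the certificate as base64-encoded DER (which is exactly the PEM body with the armor lines stripped) and its SHA-1 thumbprint. It does not answer the azure_rm_adapplication question itself. Assumptions not taken from the page: openssl and mktemp are in PATH, the CN "example", the file names and the WORKDIR location are illustrative.

```shell
# Added example, not from the issue or the azure.azcollection project.
# Assumptions: openssl CLI and mktemp in PATH; names below are illustrative.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert NAME SUBJECT: private key -> CSR -> self-signed certificate,
# the same three stages as the community.crypto tasks; prints the PEM path.
make_cert() {
    name="$1"; subject="$2"
    key="$WORKDIR/$name.key"; csr="$WORKDIR/$name.csr"; pem="$WORKDIR/$name.pem"
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 0600 "$key"                 # mirrors mode: "0600" in the playbook
    openssl req -new -key "$key" -subj "$subject" -out "$csr" 2>/dev/null
    openssl x509 -req -in "$csr" -signkey "$key" -days 365 -out "$pem" 2>/dev/null
    chmod 0644 "$pem"                 # mirrors mode: "0644" in the playbook
    printf '%s\n' "$pem"
}

# cert_cn PEM: print the Subject CN, or nothing if the certificate has none.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cert_has_cn PEM: succeed only when the Subject carries a CN, the property
# the issue says Azure insists on.
cert_has_cn() {
    [ -n "$(cert_cn "$1")" ]
}

# cert_base64_der PEM: the certificate as one base64 line of its DER encoding.
# This equals the PEM body without the BEGIN/END armor and line breaks.
cert_base64_der() {
    openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# cert_thumbprint PEM: SHA-1 over the DER encoding, upper-case hex without
# colons, the form in which a credential's thumbprint is usually displayed.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# der_sha1 PEM: independent recomputation of the thumbprint via openssl dgst,
# used to cross-check cert_thumbprint.
der_sha1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
        | sed 's/.*= *//' | tr 'a-f' 'A-F'
}

# preflight PEM: refuse to emit credential material for a certificate that
# lacks a CN; otherwise print "<thumbprint> <base64 DER>" on one line.
preflight() {
    if ! cert_has_cn "$1"; then
        echo "refusing $1: Subject has no CN" >&2
        return 1
    fi
    printf '%s %s\n' "$(cert_thumbprint "$1")" "$(cert_base64_der "$1")"
}

# Usage (CN matches common_name: example in the playbook):
#   pem=$(make_cert example /CN=example); preflight "$pem"
```

Running `preflight` against a certificate generated with `-subj /O=example` (no CN) fails with a clear message instead of producing material that the upload would reject later; a successful run gives the thumbprint to look for in the portal after the upload and the base64 DER body that Microsoft Graph keyCredentials carry in their `key` field.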

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Mar 27, 2024