✨ add support for token signing certificate #741

Draft: wants to merge 1 commit into main

Conversation

dhohengassner

We would like to add support to the provider to create a token signing certificate.

This commit adds a new field token_signing_certificate_name to the
resource azuread_service_principal.

If this is set, a certificate will be generated and the thumbprint
will be stored in a computed field called preferred_token_signing_key_thumbprint.

Issue: #732

@dhohengassner dhohengassner force-pushed the service-principal-token-cert branch 2 times, most recently from e0d9baf to 8ff8e30 Compare February 22, 2022 16:05
@github-actions github-actions bot added size/L and removed size/M labels Feb 22, 2022
We would like to add support to the provider to create a token signing certificate.

This commit adds new optional fields `token_signing_certificate_name` and
`token_signing_certificate_end_date` to the resource `azuread_service_principal`.
If both of these fields are set, a token signing certificate for the
service principal gets created and attached.

The certificate thumbprint will be stored in a computed field called
`preferred_token_signing_key_thumbprint`.

There is no way to update or rotate the certificate because of missing
API support. Therefore, in case of an adjustment the principal will
be replaced.

Issue: hashicorp#732
@dhohengassner dhohengassner force-pushed the service-principal-token-cert branch from 8ff8e30 to 2e0ef4d Compare February 23, 2022 13:29
dhohengassner (Author) commented Feb 23, 2022

@manicminer This is a draft using the hamilton extension from manicminer/hamilton#151

to solve #732

Please review if that would be an ok workaround until we get an API extension from Microsoft.
The extended unit test seems to work for me locally.
I am happy to adjust and add documentation based on your feedback.
Thanks in advance

manicminer (Contributor) commented

Hi @dhohengassner, thanks for the PR, this would be great to add to the provider! Sorry for the delay in reviewing.

I'm wondering if this would be better as a separate resource, similar to azuread_service_principal_certificate?

isarns commented Apr 17, 2022

A welcome feature, waiting to see it in the provider :)
If someone needs this functionality now, you can use this Python script:

    import datetime
    import json
    import sys
    import requests

    def create_self_sign_cert(token: str, ent_app_id: str) -> None:
        # token: a Microsoft Graph access token; ent_app_id: object id of the service principal
        output_date = datetime.datetime.now(datetime.timezone.utc)  # UTC, so the trailing "Z" below is correct
        output_date = output_date + datetime.timedelta(days=365*3)
        output_date = output_date.strftime("%Y-%m-%dT%H:%M:%SZ")
        request_headers = {
                    'Authorization': 'bearer %s'% (token), ## access token
                    'content-type': 'application/json'
                }
        create_message_URL = "https://graph.microsoft.com/v1.0/servicePrincipals/" + ent_app_id + "/addTokenSigningCertificate" ## service principal id
        payload = {
                "displayName":"CN=SelfSignedCert",
                "endDateTime":output_date
        }
        result = requests.post(create_message_URL, data=json.dumps(payload), headers = request_headers)
        #print(result.text)
        #print(result.status_code)
        if(result.status_code == 200):  # Graph returns the selfSignedCertificate object on success
            print(f"Added Cert")
        else:
            print("ERROR: Did not add Cert.")
            sys.exit(1)
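
The following is an added example, not part of the PR and not isarns's script, that extends the same Graph workaround: it computes the expiry in UTC, surfaces the Graph error body when the call fails (a 403 for a missing `Application.ReadWrite.All` grant would otherwise be invisible), and reads back the principal's `preferredTokenSigningKeyThumbprint`, the Graph property behind the computed field the commit message describes, to confirm the new certificate is the one the principal will sign with. The bearer token, the service principal object id, the `transport` callable and the fake Graph responses are assumptions constructed here so the flow runs offline; `urllib_transport` is the one you would pass against the real API.

```python
"""Create a token signing certificate for a service principal via Microsoft Graph
and confirm it is now the principal's preferred signing key.

Assumptions (not from the PR): the caller supplies a bearer token with
Application.ReadWrite.All, identifies the principal by its object id, and passes
a transport callable so the flow can be exercised without network access.
"""
import datetime
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def end_date_utc(years=3):
    """Expiry in the ISO-8601 UTC form Graph expects. Computed in UTC so the
    trailing 'Z' is truthful; datetime.now() without a tz would be local time."""
    expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365 * years)
    return expiry.strftime("%Y-%m-%dT%H:%M:%SZ")


def urllib_transport(method, url, headers, body=None):
    """Real transport: one HTTP round trip with the standard library -> (status, text)."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # Graph puts the error detail in the body
        return err.code, err.read().decode()


def add_token_signing_certificate(transport, token, sp_object_id,
                                  display_name="CN=SelfSignedCert", years=3):
    """POST servicePrincipals/{id}/addTokenSigningCertificate.
    Returns the selfSignedCertificate object Graph sends on 200 (thumbprint, keyId,
    startDateTime, endDateTime, ...); raises with the error body otherwise."""
    status, text = transport(
        "POST", f"{GRAPH}/servicePrincipals/{sp_object_id}/addTokenSigningCertificate",
        {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json.dumps({"displayName": display_name, "endDateTime": end_date_utc(years)}),
    )
    if status != 200:
        raise RuntimeError(f"addTokenSigningCertificate failed: HTTP {status}: {text}")
    return json.loads(text)


def preferred_thumbprint(transport, token, sp_object_id):
    """GET the principal's preferredTokenSigningKeyThumbprint (None if unset)."""
    status, text = transport(
        "GET", f"{GRAPH}/servicePrincipals/{sp_object_id}?$select=preferredTokenSigningKeyThumbprint",
        {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"reading service principal failed: HTTP {status}: {text}")
    return json.loads(text).get("preferredTokenSigningKeyThumbprint")


def create_and_verify(transport, token, sp_object_id, **kwargs):
    """Create the certificate, then read back which thumbprint the principal prefers.
    Hex case is not significant in a thumbprint, so compare case-insensitively."""
    cert = add_token_signing_certificate(transport, token, sp_object_id, **kwargs)
    preferred = preferred_thumbprint(transport, token, sp_object_id) or ""
    cert["isPreferred"] = preferred.lower() == cert["thumbprint"].lower()
    return cert


# ---- offline demonstration with constructed responses (not real Graph output) ----
FAKE_THUMBPRINT = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"  # constructed value


def fake_graph(post_status=200):
    """Stand-in transport returning constructed bodies shaped like Graph's."""
    def transport(method, url, headers, body=None):
        assert headers["Authorization"].startswith("Bearer ")
        if method == "POST" and url.endswith("/addTokenSigningCertificate"):
            if post_status != 200:  # constructed Graph-style error envelope
                return post_status, json.dumps({"error": {
                    "code": "Authorization_RequestDenied", "message": "Insufficient privileges"}})
            sent = json.loads(body)
            return 200, json.dumps({"thumbprint": FAKE_THUMBPRINT,
                                    "keyId": "00000000-0000-0000-0000-000000000001",
                                    "displayName": sent["displayName"],
                                    "endDateTime": sent["endDateTime"]})
        if method == "GET":  # lower-case on purpose, to exercise the comparison
            return 200, json.dumps({"preferredTokenSigningKeyThumbprint": FAKE_THUMBPRINT.lower()})
        return 404, "{}"
    return transport


def demo(post_status=200):
    """Happy path against the fake; returns the certificate dict with isPreferred."""
    return create_and_verify(fake_graph(post_status), "constructed-token",
                             "00000000-0000-0000-0000-0000000000aa")


def demo_forbidden():
    """Failure path: a 403 surfaces the Graph error body in the exception text."""
    try:
        demo(post_status=403)
    except RuntimeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(demo())
    print(demo_forbidden())
```

Against the real API, call `create_and_verify(urllib_transport, token, sp_object_id)`. If `isPreferred` comes back false, the certificate exists but is not the preferred key; set `preferredTokenSigningKeyThumbprint` on the service principal explicitly (a PATCH on the same object) rather than assuming the create call did it. Note that this does not give you rotation either: the commit message's caveat stands, and a second call simply adds a second certificate.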


tagur87 (Contributor) commented Nov 12, 2022

Hi @manicminer - Just wanting to follow up on this.

Hi @dhohengassner, thanks for the PR, this would be great to add to the provider! Sorry for the delay in reviewing.

I'm wondering if this would be better as a separate resource, similar to azuread_service_principal_certificate?

Based on a previous comment here: #732 (comment), it was indicated that it might not be best to do a separate resource for this certificate. You also indicated you were going to check with the internal Graph API team to see if full CRUD support for this resource was coming.

Has there been any movement on this?
Do we want to go the way that this PR suggests, or should we re-work it for a separate resource?

Thanks for the help, and let me know if there’s anything I can do to help.

5 participants