
I want to provision an Azure Key Vault from Terraform via the interactive PowerShell prompt. I want to log in to Azure (az login) with the web browser. I want that user's object ID to set a limited custom access policy for it. My Terraform snippet for the key vault looks like this:

resource "azurerm_key_vault" "always_encrypted_sample" {
  # . . . . SNIP . . . .
  # Grant only the signed-in user, and only the permissions the certificate resource needs.
  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${var.certificate_creator}"

    certificate_permissions = [
      "create", "get" # Terraform needs get to make the cert, probably to check its existence
    ]
  }
}

resource "azurerm_key_vault_certificate" "column_certificate" {
    # . . . . SNIP . . . .
}

I don't know how to get the object ID. az account show only gives me the following:

{
  "environmentName": "AzureCloud",
  "id": "XXXXXXXXXXXX",
  "isDefault": true,
  "name": "Pay-As-You-Go",
  "state": "Enabled",
  "tenantId": "XXXXXXX",
  "user": {
    "name": "user@domain.tld",
    "type": "user"
  }
}

I opened a feature request for user to contain an id property. I am looking for a workaround. Is there a command in the Azure CLI to get my user's object ID, or even the UPN so I can query the object ID from that? Is that object ID exposed by Terraform somewhere? It's not in azurerm_client_config.

Justin Dearing

1 Answer


There is a way to do this using the Azure CLI. Here is a demo:

scripts/getuser.ps1:

# Capture the CLI's JSON output (one array element per line) and join it into one string.
$t = az ad signed-in-user show
$t = "$t"
$j = ConvertFrom-Json $t
# Azure CLI 2.37+ (Microsoft Graph backend) returns the object ID as "id"; older releases used "objectId".
$id = if ($j.id) { $j.id } else { $j.objectId }
# The external data source expects a flat JSON object of string values on stdout.
Write-Output "{`"object_id`":`"$id`"}"

main.tf:

provider "azurerm" {
  subscription_id = var.subscription_id
}

# Runs the script and parses the JSON object it prints to stdout.
# -NoProfile keeps profile scripts out of the run; -File makes a thrown error
# surface as a non-zero exit code so Terraform fails instead of using an empty value.
data "external" "user" {
  program = ["powershell.exe", "-NoProfile", "-File", "${path.module}/scripts/getuser.ps1"]
}

output "object_id" {
  value = data.external.user.result.object_id
}

Keep in mind az ad signed-in-user is fairly new, so make sure everything is up to date.

Resources:

https://docs.microsoft.com/en-us/cli/azure/ad/signed-in-user?view=azure-cli-latest
https://www.terraform.io/docs/providers/external/data_source.html

mikeruhl
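A hardened version of the helper script, as an added example rather than the answerer's own code. It follows the external data source protocol (a JSON query object arrives on stdin, a flat JSON map of strings must go to stdout), handles both the "id" property returned by Azure CLI 2.37+ and the older "objectId", and fails closed when there is no signed-in user or the value is not a GUID, so a bad value can never end up in the Key Vault access policy. Assumptions: the Azure CLI is installed and az login has completed; the path scripts/getuser.ps1 and the function name Get-SignedInUserObjectId are choices made for this example.

```powershell
# scripts/getuser.ps1 (added example; not from the original question or answer)
# Wire it up from Terraform with:
#   data "external" "user" {
#     program = ["powershell.exe", "-NoProfile", "-File", "${path.module}/scripts/getuser.ps1"]
#   }
# Assumes the Azure CLI is on PATH and `az login` has already been completed.

$ErrorActionPreference = 'Stop'

# Terraform's external data source writes its `query` map to stdin as JSON and waits for
# a flat JSON object of string values on stdout. This script takes no inputs, but it still
# drains stdin so the pipe is honored; the check avoids blocking when run by hand in a console.
if ([Console]::IsInputRedirected) {
    $null = [Console]::In.ReadToEnd()
}

function Get-SignedInUserObjectId {
    # Ask the CLI for the signed-in identity. Stdout is captured line by line and joined;
    # stderr is left alone so Terraform surfaces the CLI's own error text on failure.
    $raw = (az ad signed-in-user show -o json) -join "`n"
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($raw)) {
        throw "az ad signed-in-user show failed; run 'az login' first (a service principal login has no signed-in user)."
    }
    $u = $raw | ConvertFrom-Json

    # Azure CLI 2.37+ (Microsoft Graph backend) names the object ID "id";
    # earlier releases (Azure AD Graph backend) named it "objectId".
    $id = if ($u.PSObject.Properties['id']) { $u.id } else { $u.objectId }

    # Fail closed: anything that is not a GUID must never reach the access policy.
    if ($id -notmatch '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
        throw "Unexpected object ID '$id' returned by the Azure CLI."
    }
    return $id
}

$objectId = Get-SignedInUserObjectId

# Emit exactly the flat map Terraform expects; ConvertTo-Json does the quoting.
@{ object_id = $objectId } | ConvertTo-Json -Compress
```

Two practical notes. First, the external data source runs whatever program you name with the credentials of the user running terraform, so keep the script in version control next to the module and reference it via path.module as above rather than via a writable temp location. Second, newer releases of the azurerm provider also populate object_id on azurerm_client_config for Azure CLI user logins; on such a provider the external script is unnecessary and data.azurerm_client_config.current.object_id can be used directly in the access_policy block.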