Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ add support for token signing certificate #741

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

✨ add support for token signing certificate #741

wants to merge 1 commit into from

Conversation

dhohengassner
Copy link

We do like to add support to the provider to create a token signing certificate.

This commit adds a new field token_signing_certificate_name to the
resource azuread_service_principal.

If this is set a ceritificate will be generated and the thumbprint
will be stored in a computed field called preferred_token_signing_key_thumbprint.

Issue: #732

@dhohengassner dhohengassner force-pushed the service-principal-token-cert branch 2 times, most recently from e0d9baf to 8ff8e30 Compare February 22, 2022 16:05
@github-actions github-actions bot added size/L and removed size/M labels Feb 22, 2022
@dhohengassner
✨ add support for token signing certificate
2e0ef4d 
We do like to add support to the provider to create a token signing certificate.

This commit adds new optional fields `token_signing_certificate_name` and
`token_signing_certificate_end_date` to the resource `azuread_service_principal`.
If both of these fields are set a token signing ceritificate for the
service principal gets created and attached.

The certificate thumbprint will be stored in a computed field called
`preferred_token_signing_key_thumbprint`.

There is now way to update or rotate the certificate because of missing
API support. Therefore in case of an adjustment the principal will
be replaced.

Issue: hashicorp#732
@dhohengassner
Copy link
Author

dhohengassner commented Feb 23, 2022
edited
Loading

@manicminer This is a draft using the hamilton extension from manicminer/hamilton#151

to solve #732

Please review if that would be an ok workaround until we get an API extension from Microsoft.
The extended unit test seems to work for me locally.
I am happy to adjust and add documentation based on your feedback.
Thanks in advance

@manicminer
Copy link
Contributor

Hi @dhohengassner, thanks for the PR, this would be great to add to the provider! Sorry for the delay in reviewing.

I'm wondering if this would be better as a separate resource, similar to azuread_service_principal_certificate?

@isarns
Copy link

isarns commented Apr 17, 2022
edited
Loading

A welcome feature, waiting to see it in the provider :)
If someone needs this functionality now you can use this python script:

    def create_self_sign_cert(self) -> None:
        output_date = datetime.datetime.now()
        output_date = output_date + datetime.timedelta(days=365*3)
        output_date = output_date.strftime("%Y-%m-%dT%H:%M:%SZ")
        request_headers = {
                    'Authorization': 'bearer %s'% (token), ## access token
                    'content-type': 'application/json'
                }
        create_message_URL = "https://graph.microsoft.com/v1.0/servicePrincipals/" + ent_app_id + "/addTokenSigningCertificate" ## service principal id 
        payload = {
                "displayName":"CN=SelfSignedCert",
                "endDateTime":output_date
        }
        result = requests.post(create_message_URL, json.dumps(payload), headers = request_headers)
        #print(result.text)
        #print(result.status_code)
        if(result.status_code == 200):
            print(f"Added Cert")
        else:
            print("ERROR: Did not add Cert.")
            sys.exit(1)

@LaurentLesle

This comment was marked as off-topic.

Sign in to view
@tagur87
Copy link
Contributor

tagur87 commented Nov 12, 2022

Hi @manicminer - Just wanting to follow up on this.

Hi @dhohengassner, thanks for the PR, this would be great to add to the provider! Sorry for the delay in reviewing.

I'm wondering if this would be better as a separate resource, similar to azuread_service_principal_certificate?

Based on a previous comment here: #732 (comment), it was indicated that it might not be best to do a separate resource for this certificate. You also indicated you were going to check with the internal Graph API team to see if full CRUD support for this resource was coming.

Has there been any movement on this?
Do we want to go the way that this PR suggests, or should we re-work it for a separate resource?

Thanks for the help, and let me know if there’s anything I can do to help.

@matt-tyler matt-tyler mentioned this pull request Nov 28, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@katbyte katbyte Awaiting requested review from katbyte katbyte will be requested when the pull request is marked ready for review katbyte is a code owner

Assignees
No one assigned
Labels
dependencies feature/service-principals size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dhohengassner @manicminer @isarns @LaurentLesle @tagur87