Ignore service principal password resources from Terraform state management #351
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…sch/features/sp-mod-pwd-ignore
|
@iphilpot all checks are passing and ready for review |
| @@ -28,4 +28,8 @@ resource "azuread_service_principal_password" "sp" { | |||
| service_principal_id = azuread_service_principal.sp[0].object_id | |||
| value = local.sp_password | |||
| end_date_relative = var.sp_pwd_end_date_relative | |||
|
|
|||
| lifecycle { | |||
There was a problem hiding this comment.
These lifecycle hooks bake in the original passwords inserted into the creation of the service principal password and the key vault secrets that store them. How will password updates be managed due to this change? Outside of terraform?
There was a problem hiding this comment.
Yes should be completed outside of TF
ianphil
approved these changes
Oct 3, 2019
| @@ -28,4 +28,8 @@ resource "azuread_service_principal_password" "sp" { | |||
| service_principal_id = azuread_service_principal.sp[0].object_id | |||
| value = local.sp_password | |||
| end_date_relative = var.sp_pwd_end_date_relative | |||
|
|
|||
| lifecycle { | |||
There was a problem hiding this comment.
Any reason to put this in the SP module and not in the template?
There was a problem hiding this comment.
nevermind, it's a config element it looks like.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All Submissions:
What is the current behavior?
Currently, all azure resource(s) state changes related to the service principal password are managed through Terraform. This results in state changes being triggered for Terraform incremental builds as the password is randomly generated on each run. The impact is Terraform attempts to delete and recreate the password and KV secrets on each incremental deployment, regardless of template changes. Terraform should only be responsible for creating resources like the SP password and keyvault secrets when bootstrapping the initial azure environment.
Issue Number: #330
What is the new behavior?
Terraform resource types such as service prinipal passwords and keyvault secrets capturing sp passwords are ignored from state change lifecycles events via
Does this introduce a breaking change?