Great video, again!
So I see the Key Vault is storing the SAS. So first the Key Vault should be created in the Azure Portal, save the SAS token and other variables, and then run this code? Is that how we should run it?
Thanks for your video, but I just want to understand how we scan the code using Checkov, which is the 10th point:
10. Add code scanning to the process using Checkov
@NedintheCloud Hi Ned, in the last video you mentioned that you were going to take the plan file as an artifact and use it in CD; I didn't see that in this video. Is there any video you did with the use case I mentioned here? I would appreciate it if you could share that. Thanks
Hi Ned, I have been enjoying your series and videos on Azure DevOps. I have made some minor tweaks in my own code to get the service principals created that read the Key Vault to work with the major revision, version 2 onwards, of the azuread provider, so I have set mine to 2.18. As you know, the password value has now become read-only, as Azure Active Directory no longer accepts user-supplied password values. So instead of using the random password result I changed the code to the following:
resource "azuread_service_principal_password" "resource_creation" {
  service_principal_id = azuread_service_principal.resource_creation.object_id
  #value = random_password.resource_creation.result
}
output "client_secret" {
  description = "Client Secret"
  #value = nonsensitive(azuread_service_principal_password.resource_creation.value)
  value       = azuread_service_principal_password.resource_creation.value
  sensitive   = true
}
I then supply the output value to the credential:
serviceprincipalkey = azuread_service_principal_password.resource_creation.value
plus the pipeline variable:
az-client-secret = azuread_service_principal_password.resource_creation.value
The behaviour I am observing is that terraform apply generates a password and stores it in Key Vault. However, when viewing the service principal connection in Azure DevOps, the service principal key is blank and fails to validate and connect to Key Vault.
I will continue to resolve this in my own code as I am sure it is something simple to fix.
Thanks
Matt
I got this working in the end. I was using the wrong SPN; I needed to output the service connection one instead:
resource "azuread_service_principal_password" "service_connection" {
  service_principal_id = azuread_service_principal.service_connection.object_id
}
output "service_connection_secret" {
  description = "Service Connection Secret"
  value       = azuread_service_principal_password.service_connection.value
  sensitive   = true
}
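A fuller version of the pattern Matt ends up with, as an added example that is not Matt's or Ned's code: the application, its service principal, the Azure AD generated password, the secret written to Key Vault under the az-client-secret name used above, and a sensitive output. The resource names, the azurerm version and the Key Vault data source are assumptions.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.18" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

# Assumed: the Key Vault already exists and the identity running terraform
# has "Set" permission on its secrets. Names below are placeholders.
data "azurerm_key_vault" "pipeline" {
  name                = "kv-pipeline-placeholder"
  resource_group_name = "rg-pipeline-placeholder"
}

resource "azuread_application" "service_connection" {
  display_name = "sp-ado-service-connection"
}

resource "azuread_service_principal" "service_connection" {
  application_id = azuread_application.service_connection.application_id
}

# azuread v2: the password is generated by Azure AD and only exported via
# `value`; there is no `value` argument to supply, so random_password is gone.
resource "azuread_service_principal_password" "service_connection" {
  service_principal_id = azuread_service_principal.service_connection.object_id
}

# The generated secret goes to Key Vault so the pipeline reads it from there
# rather than from a pipeline variable typed in by hand.
resource "azurerm_key_vault_secret" "service_connection_secret" {
  name         = "az-client-secret"
  value        = azuread_service_principal_password.service_connection.value
  key_vault_id = data.azurerm_key_vault.pipeline.id
}

# sensitive = true keeps the value out of plan/apply output and `terraform output`
# unless -raw/-json is used; it is still present in state, so protect the backend.
output "service_connection_secret" {
  description = "Service Connection Secret (also stored in Key Vault)"
  value       = azuread_service_principal_password.service_connection.value
  sensitive   = true
}
```

Note that the secret must come from the service principal that the Azure DevOps service connection actually uses, which is the mistake Matt describes; wiring the resource_creation principal's password into the service connection leaves the connection unable to authenticate.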