entra ID template app registration

Author: brown9804

4_identity-security/README.md

@@ -12,6 +12,10 @@ Last updated: 2026-02-03
 > [!IMPORTANT]
 > This folder contains sample Terraform templates for Azure identity and security services. These templates are starting points and should be customized based on your application needs.
 
+## Templates available
+
+- [Microsoft Entra ID (Entra ID)](./entra_id)
+
 <!-- START BADGE -->
 <div align="center">
   <img src="https://img.shields.io/badge/Total%20views-1283-limegreen" alt="Total views">

4_identity-security/entra_id/README.md

@@ -0,0 +1,85 @@
+# Terraform Template - Microsoft Entra ID (Entra ID)
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[brown9804](https://github.com/brown9804)
+
+Last updated: 2026-02-03
+
+------------------------------------------
+
+> High level: creates a Microsoft Entra ID application registration (tenant-level). Optionally creates a service principal, a client secret, and (optionally) assigns an Azure RBAC role at a provided scope.
+
+> High level: creates a Microsoft Entra ID application registration (tenant-level). Optionally creates a service principal and a client secret.
+
+> No Azure resource group is required unless you choose a resource-group RBAC scope (because the RG must already exist for role assignment).
+
+## File Descriptions
+
+- **main.tf**: Creates the application registration, optional service principal, and optional client secret.
+- **variables.tf**: Defines the input variables used in the Terraform configuration.
+- **provider.tf**: Configures the AzureRM and AzureAD providers.
+- **terraform.tfvars**: Provides example values for the variables defined in `variables.tf`.
+- **outputs.tf**: Defines outputs such as the application client ID, object IDs, and the client secret.
+
+## Variables
+
+Below is a list of variables used in this template, their expected values, types, and examples:
+
+| Variable Name | Description | Type | Example Value |
+| --- | --- | --- | --- |
+| `app_display_name` | The display name for the Entra ID application registration. | string | `"example-entra-app"` |
+| `sign_in_audience` | The Microsoft account types supported for the application. | string | `"AzureADMyOrg"` |
+| `application_owners` | Optional set of object IDs to set as owners. If empty, the current principal is used. | set(string) | `["00000000-0000-0000-0000-000000000000"]` |
+| `create_service_principal` | Whether to create a service principal for the application. | bool | `true` |
+| `use_existing_service_principal` | Import existing service principal linked to the application when present. | bool | `true` |
+| `create_client_secret` | Whether to create a client secret (application password). | bool | `true` |
+| `client_secret_display_name` | Display name for the client secret. | string | `"terraform-client-secret"` |
+| `client_secret_end_date_relative` | Relative duration for which the secret is valid. | string | `"4320h"` |
+
+## Usage
+
+1. Authenticate:
+
+   ```sh
+   az login
+   ```
+
+2. Initialize and apply:
+
+   ```sh
+   terraform init -upgrade
+   terraform apply -auto-approve
+   ```
+
+   Keep your `terraform.tfvars` minimal: set only `app_display_name`, and explicitly opt-in to optional resources (service principal, client secret, RBAC scope) when you need them.
+
+3. Validate and plan:
+
+   ```sh
+   terraform validate
+   terraform plan
+   ```
+
+4. Apply:
+
+   ```sh
+   terraform apply -auto-approve
+   ```
+
+If you need Azure RBAC role assignments, use an AzureRM-based template (requires a subscription context and scope such as a subscription or resource group).
+
+> These `TF_VAR_*` environment variables are scoped to your current shell session.
+
+## Notes
+
+- Creating applications, service principals, and secrets requires Microsoft Entra ID permissions (e.g., Application Administrator or appropriate Microsoft Graph application roles).
+- This template does not create Azure resources and does not require a resource group.
+
+<!-- START BADGE -->
+<div align="center">
+  <img src="https://img.shields.io/badge/Total%20views-1283-limegreen" alt="Total views">
+  <p>Refresh Date: 2026-02-03</p>
+</div>
+<!-- END BADGE -->

4_identity-security/entra_id/main.tf

@@ -0,0 +1,31 @@
+# main.tf
+# High level: creates a Microsoft Entra ID application registration (tenant-level).
+# Optionally creates a service principal and a client secret.
+# Azure RBAC assignment is intentionally not included in this template (it requires the AzureRM provider and an Azure subscription context).
+
+data "azuread_client_config" "current" {}
+
+locals {
+  effective_owners = length(var.application_owners) > 0 ? var.application_owners : toset([data.azuread_client_config.current.object_id])
+}
+
+resource "azuread_application" "this" {
+  display_name     = var.app_display_name
+  owners           = local.effective_owners
+  sign_in_audience = var.sign_in_audience
+}
+
+resource "azuread_service_principal" "this" {
+  count                        = var.create_service_principal ? 1 : 0
+  client_id                    = azuread_application.this.client_id
+  owners                       = local.effective_owners
+  use_existing                 = var.use_existing_service_principal
+  app_role_assignment_required = false
+}
+
+resource "azuread_application_password" "this" {
+  count            = var.create_client_secret ? 1 : 0
+  application_id   = azuread_application.this.id
+  display_name     = var.client_secret_display_name
+  end_date         = timeadd(timestamp(), var.client_secret_end_date_relative)
+}

4_identity-security/entra_id/outputs.tf

@@ -0,0 +1,25 @@
+output "tenant_id" {
+  description = "The Microsoft Entra ID (Entra ID) tenant ID"
+  value       = data.azuread_client_config.current.tenant_id
+}
+
+output "application_client_id" {
+  description = "The client ID (app ID) of the application registration"
+  value       = azuread_application.this.client_id
+}
+
+output "application_object_id" {
+  description = "The object ID of the application registration"
+  value       = azuread_application.this.object_id
+}
+
+output "service_principal_object_id" {
+  description = "The object ID of the service principal (if created)"
+  value       = try(azuread_service_principal.this[0].object_id, null)
+}
+
+output "client_secret" {
+  description = "The generated client secret value (if created)"
+  value       = try(azuread_application_password.this[0].value, null)
+  sensitive   = true
+}

4_identity-security/entra_id/provider.tf

@@ -0,0 +1,16 @@
+# provider.tf
+# This file configures the AzureRM and AzureAD (Microsoft Entra ID) providers.
+# It specifies the required providers and versions, along with provider-specific configurations.
+
+terraform {
+  required_version = ">= 1.8, < 2.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "azuread" {}

4_identity-security/entra_id/terraform.tfvars

@@ -0,0 +1,26 @@
+# terraform.tfvars
+# High level: this module creates an Entra ID app registration and (optionally) a service principal, client secret, and Azure RBAC role assignment.
+# This file provides example values for the variables defined in variables.tf.
+# Tip: IDs come from your current Azure CLI session (PowerShell):
+#   $env:ARM_SUBSCRIPTION_ID = (az account show --query id -o tsv)
+#   $env:ARM_TENANT_ID       = (az account show --query tenantId -o tsv)
+
+# Required
+app_display_name = "eg-brown-entra-app"
+
+# Optional (opt-in)
+# Create a service principal for the app registration
+create_service_principal = false
+
+# Create a client secret (only applies if you manage secrets via Terraform)
+create_client_secret = false
+
+# Optional: set owners explicitly (object IDs). If empty, current principal becomes owner.
+# application_owners = ["00000000-0000-0000-0000-000000000000"]
+
+# If create_client_secret = true
+# client_secret_display_name      = "terraform-client-secret"
+# client_secret_end_date_relative = "4320h"
+
+# Optional: assign RBAC role to the service principal
+# Azure RBAC is not part of this Entra-only template.

4_identity-security/entra_id/variables.tf

@@ -0,0 +1,47 @@
+variable "app_display_name" {
+  description = "The display name for the Entra ID application registration"
+  type        = string
+}
+
+variable "sign_in_audience" {
+  description = "The Microsoft account types that are supported for the application"
+  type        = string
+  default     = "AzureADMyOrg"
+}
+
+variable "application_owners" {
+  description = "Optional set of object IDs to set as owners for the application (users or service principals). If empty, the current principal is used."
+  type        = set(string)
+  default     = []
+}
+
+variable "create_service_principal" {
+  description = "Whether to create a service principal for the application"
+  type        = bool
+  default     = true
+}
+
+variable "use_existing_service_principal" {
+  description = "When true, an existing service principal linked to the application will be automatically imported"
+  type        = bool
+  default     = true
+}
+
+variable "create_client_secret" {
+  description = "Whether to create a client secret (application password)"
+  type        = bool
+  default     = true
+}
+
+variable "client_secret_display_name" {
+  description = "Display name for the client secret (application password)"
+  type        = string
+  default     = "terraform-client-secret"
+}
+
+variable "client_secret_end_date_relative" {
+  description = "Relative duration for which the client secret is valid (e.g. 240h for 10 days, 4320h for 180 days)"
+  type        = string
+  default     = "4320h"
+}
+

README.md

@@ -90,6 +90,14 @@ Last updated: 2026-02-03
 
 </details>
 
+<details>
+<summary><b> Identity and Security </b> (Click to expand) </summary>
+
+- [Identity and Security](./4_identity-security)
+  - [Microsoft Entra ID (Entra ID)](./4_identity-security/entra_id)
+
+</details>
+
 <details>
 <summary><b> Migration and Backup </b> (Click to expand) </summary>