
Automated configuration of Azure RunAsAccount while creating Azure Automation Account using Terraform #4431

Closed
AbhishekB15 opened this issue Sep 25, 2019 · 16 comments

Comments

@AbhishekB15

AbhishekB15 commented Sep 25, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

While creating an Azure Automation account using Terraform, the RunAsAccount is not configured automatically. It would be really helpful if the RunAsAccount configuration happened automatically, saving the time spent on manual creation.

New or Affected Resource(s)

azurerm_automation_account

Provider version used - 1.31.0

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

  • #0000
@MMollyy

MMollyy commented Sep 25, 2019

On top of this feature request I would like to note the ability to create and use service principals for the automation account, which I believe should be possible with the azure ad provider?
As well as connection, certificate and custom role (incl. scoping) handling for that service principal. Of which I believe only the latter three would be possible with the current azurerm provider.

@ghost

ghost commented Oct 8, 2019

Hi @AbhishekB15,

Thanks for opening this issue.
Currently, the "Run As Accounts" function of the Automation Account is available in the Azure portal only and is not programmable in Terraform.

@MMollyy

MMollyy commented Oct 9, 2019

Okay, so if the Run As account isn't usable, Terraform could still have the automation account configured with a service principal and such, instead of needing to go into the portal and do manual work.

@ghost

ghost commented Oct 10, 2019

@MMollyy You're right.

@dowlingw
Contributor

dowlingw commented Nov 6, 2019

#4785 provides the ability to provision the Automation account private certificate side of this - hopefully it's not too terrible and gets accepted ;)

Neither the azurerm or azuread providers have a resource type for associating a public certificate against the service principal in Azure AD. If that support appeared, you'd be able to emulate this behaviour - but you'd have to generate the certificate file out of band.

To really tie this together, you'd want something like random_certificate (with all the semantics of random_ resources) that would generate the certificate within terraform - the go standard library should have most/all of the code for this so it might not be too onerous.

@AbhishekB15
Author

@weiyuping68 Happy New Year :)
Any update on this request?

@ctooley21

Any update? This feature would be very helpful in our Terraform setup. We are currently creating the automation account manually, as we require a RunAsAccount for some of our runbooks.

@rapster83

Any updates on that? Thx.

@enorlando

Any updates on this request please?
Thank you!

@yupwei68
Contributor

yupwei68 commented Apr 8, 2020

Hi All, sorry to inform you that the service team has confirmed that the REST API will not be available in the near future due to design constraints, which means we cannot provide a Terraform resource.

@njuCZ
Contributor

njuCZ commented May 11, 2020

Hi, I am sorry that the service team hasn't provided the RunAsAccount function. According to https://docs.microsoft.com/en-us/azure/automation/manage-runas-account#run-as-account, for now I think we could configure a service principal, assign roles, and create automation certificates and an automation connection to work around it.
I have submitted the azurerm_automation_connection PR to complete this workflow.

@katbyte katbyte modified the milestone: v2.10.0 May 11, 2020
@katbyte
Collaborator

katbyte commented Jun 2, 2020

@dowlingw - hashicorp/terraform-provider-azuread#262 will add the ability to attach certs to SPs in azuread.

@mikemowgli

@katbyte , this is interesting. Could you elaborate on the Terraform resources needed then? I'm guessing:

  • For the SP: azuread_application, azuread_service_principal, azurerm_role_assignment, azuread_service_principal_certificate
  • For the automation Connection: azurerm_automation_connection_service_principal (is it redundant with azurerm_automation_connection?)
  • For the automation certificate: azurerm_automation_certificate, azurerm_automation_connection_certificate

It feels to me that both azurerm_automation_certificate and azuread_service_principal_certificate would be providing the certificate.

What am I missing? Could you clarify?

Thank you

@njuCZ
Contributor

njuCZ commented Aug 24, 2020

Hi all, I have put together a basic script to complete the RunAsAccount function.
First of all, we need to generate a certificate and a PFX with unencrypted contents; we can use the following commands.

openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl pkcs12 -export -keypbe NONE -certpbe NONE -inkey privateKey.key -in certificate.crt -out certificate.pfx

After entering the second command, just press the "enter" key twice.

After preparing the certificate, we can use the following TF script:

provider "azurerm" {
  features {}
}

provider "azuread" {}
provider "time" {}
provider "random" {}

variable "automation_account_name" {
  default = "testautomation"
}

variable "resource_group_name" {
  default = "rg"
}

variable "location" {
  default = "southeastasia"
}

# Expiry used for the certificate credential on the Azure AD application and
# service principal: one year from the time of the plan.
resource "time_offset" "end_date" {
  offset_hours = 24 * 365
}

# Random suffix so the application name is unique in the tenant.
resource "random_string" "random" {
  length = 16
  special = false
}

resource "azuread_application" "test" {
  name = format("%s_%s", var.automation_account_name, random_string.random.result)
}

# Public certificate (the .crt, not the .pfx) registered as a credential on the application.
resource "azuread_application_certificate" "test" {
  application_object_id = azuread_application.test.id
  type                  = "AsymmetricX509Cert"
  value                 = file("certificate.crt")
  end_date              = time_offset.end_date.rfc3339
}

resource "azuread_service_principal" "test" {
  application_id = azuread_application.test.application_id

  depends_on = [
    azuread_application_certificate.test,
  ]
}

# The same public certificate attached to the service principal.
resource "azuread_service_principal_certificate" "test" {
  service_principal_id = azuread_service_principal.test.id
  type                 = "AsymmetricX509Cert"
  value                = file("certificate.crt")
  end_date             = time_offset.end_date.rfc3339
}

data "azurerm_subscription" "primary" {}

data "azurerm_client_config" "current" {}

# Subscription-wide Contributor, matching what the portal grants a Run As account.
resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.test.object_id
}

resource "azurerm_automation_account" "test" {
  name                = var.automation_account_name
  location            = var.location
  resource_group_name = var.resource_group_name
  sku_name            = "Basic"
}

# The unencrypted PFX (certificate + private key) uploaded to the automation account
# under the name runbooks expect for a Run As account.
resource "azurerm_automation_certificate" "test" {
  name                    = "AzureRunAsCertificate"
  resource_group_name     = azurerm_automation_account.test.resource_group_name
  automation_account_name = azurerm_automation_account.test.name
  base64                  = filebase64("certificate.pfx")
}

# The connection runbooks look up as AzureRunAsConnection; its thumbprint must
# match the certificate uploaded above.
resource "azurerm_automation_connection_service_principal" "test" {
  name                    = "AzureRunAsConnection"
  resource_group_name     = azurerm_automation_account.test.resource_group_name
  automation_account_name = azurerm_automation_account.test.name
  application_id          = azuread_service_principal.test.application_id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  subscription_id         = data.azurerm_client_config.current.subscription_id
  certificate_thumbprint  = azurerm_automation_certificate.test.thumbprint
}

After it was created successfully, I tested it by running a PowerShell runbook to list all resource groups in my subscription, and it succeeded.

Could anyone give it a try? I hope it unblocks all of you.

@tombuildsstuff
Contributor

👋

Since we've not heard back from you here I'm going to close this issue for the moment, but please let us know if the solution proposed above doesn't work for you and we'll take another look.

Thanks!

@ghost

ghost commented Nov 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 25, 2020