Create New Service Principal Across Environments
Go to Automation: (Add Job Template URL here)
Description
Creates (or reuses if existing) an App Registration and associated Service Principal for each requested environment (e.g., DV, QA, ST, PR). For each environment it:
1. Constructs a standardized display name: Sys_Azure_<AppDisplayName>_<ENV> (or Sys_Azure_OND_... for onderwijs tenant).
2. Checks existence of App Registration and Service Principal.
3. Creates them if absent.
4. Optionally adds a secret or certificate depending on SecretType.
5. Applies tagging metadata (Functie/environment, Entiteit, Domein, etc.) via Graph PowerShell.
Helper logic resides in new_serviceprincipal_tasks.yml which the main play loops over per environment.
Naming Convention
- Standard:
Sys_Azure_<AppDisplayName>_<Environment> - Onderwijs:
Sys_Azure_OND_<AppDisplayName>_<Environment>
Credentials
Retrieved from PasswordState: - Production: Sys_Azure_AppRegs_PR - Onderwijs: Sys_Azure_OND_Admin
Inputs
| Variable | Description |
|---|---|
AppDisplayName |
Base logical service name (without prefixes or environment suffix). |
environments |
List of environment codes (e.g., ["DV","QA","PR"]). |
SecretType |
Secret, Certificaat, or None (lowercase checks in tasks: secret / certificaat). |
onderwijs |
'yes' to target onderwijs tenant. |
showAppToUsers |
'no' adds "HideApp" tag (default). |
domein |
Optional domain tag value. |
entiteit |
Optional entity tag value. |
MDAPPGUID |
Optional metadata GUID tag. |
MDInstanceGUID |
Optional instance GUID tag. |
additionalTags |
Comma-separated extra tags appended verbatim. |
Tagging Behavior
Base tag always includes: Functie : <Environment>.
Additional conditional tags added only when corresponding variables non-empty.
When showAppToUsers == 'no', the tag HideApp is appended.
Outputs
Per environment (when created):
- Debug message listing environment, app name, AppId, and Service Principal object ID.
- Secret/certificate handling outputs (passwordstate update results, certificate role results) depending on SecretType.
Dependencies / Modules
| Component | Purpose |
|---|---|
azure.azcollection.azure_rm_adapplication_info |
Detect existing App Registration. |
azure.azcollection.azure_rm_adapplication |
Create App Registration. |
azure.azcollection.azure_rm_adserviceprincipal_info |
Detect existing Service Principal. |
azure.azcollection.azure_rm_adserviceprincipal |
Create Service Principal. |
azure.azcollection.azure_rm_adpassword |
Create secret (when SecretType == secret). |
d09.passwordstate.* modules |
Credential retrieval & storage. |
ansible.windows.win_powershell |
Apply tags via Graph. |
d09.certificates.pki_certificate |
Certificate issuance (when certificaat). |
Example Invocation
AppDisplayName: MyBusinessAPI
environments: ["DV","QA","PR"]
SecretType: Secret
onderwijs: 'no'
showAppToUsers: 'no'
entiteit: Stadsbeheer
domein: Integraties
additionalTags: CostCenter:12345,OwnerTeam:Integration
Idempotency
- If an App Registration exists for an environment, creation is skipped and existing IDs are reused.
- Tag update always attempted when
app_idis determined (safe operation, replaces Tags set). - Secret/Certificate block skipped when
SecretType == 'None'(case sensitivity caveat—task checks lowercase 'none').
Notes
- Provide consistent casing for
SecretTypevalues or adjust tasks to lower-case the variable for robust comparisons. - Tag merging: current script constructs a fresh tag array; existing tags are overwritten.