Vault provider - Azure Secrets Backend role - add SP to existing group

We’ve been expanding our use of HashiCorp Vault with Azure to create short-lived, dynamic Service Principals. We’re now simplifying the initial configuration of Vault policies and backend secret roles with Terraform.

Currently, we are generating dynamic Service Principals with Vault by getting Vault to add the new SP to an existing group (the group has all the relevant roles assigned in Azure). This works well for us. However, the Vault provider in Terraform doesn’t appear to have a way to configure this.

Existing Vault CLI method

test-role.json:

    [
      {
        "group_name": "Existing-Group-Assigned-To-ResourceGroup",
        "object_id": "Existing-Group-ID-7527e"
      }
    ]

Written to the Azure secrets backend using the CLI:

vault write azure/roles/test-role ttl=10m azure_groups=@test-role.json

In Terraform we can create a new Azure Secret Backend role to create an SP and assign a role to it at a particular scope:

    resource "vault_azure_secret_backend_role" "generated_role" {
      backend = "${}"   # mount path of the Azure secrets backend (placeholder)
      role    = "generated_role"
      ttl     = 300
      max_ttl = 600

      # Role assignment the generated SP receives, at resource-group scope
      azure_roles {
        role_name = "Reader"
        scope     = "/subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group"
      }
    }

And we can create a new secret for an existing SP:

    resource "vault_azure_secret_backend_role" "existing_object_id" {
      role                  = "existing_object_id"
      application_object_id = "11111111-2222-3333-4444-44444444444"
    }

But we can’t seem to create a new SP and add it to an existing group (as we can with the native Vault CLI).

Is there any way to do this?

Ideally it would be a block similar to this in the “vault_azure_secret_backend_role” resource in Terraform:

    azure_groups {
      group_name = "Existing-Group-Assigned-To-ExistingRG"
      group_id   = "ExistingGroupID-4453fdf834hklqawe"
    }

Alternatively, is anyone aware of a workaround to achieve the same result?

Thanks everyone…
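One workaround for the situation described in the post, given as an added example rather than code from the post or from the Vault provider's documentation: the provider's `vault_generic_endpoint` resource can write any Vault API path, so it can write `azure/roles/test-role` with exactly the fields the CLI command above sends, including `azure_groups`. It assumes the Azure secrets engine is already mounted at `azure` (as in the CLI path in the post) and that the group name and object ID shown are placeholders to be replaced with the real group's values.

```hcl
# Added example (not from the original post): write the Azure secrets role
# through the raw API path because, as the post notes, the typed
# vault_azure_secret_backend_role resource offers no azure_groups block.
# Assumptions: the engine is mounted at "azure"; group_name and object_id
# below are placeholders for the existing Azure AD group.

locals {
  # Same shape as test-role.json in the CLI method: a list of groups the
  # freshly created SP is added to. Vault expects the azure_groups field
  # as a JSON-encoded string, which is what `azure_groups=@test-role.json`
  # sends, so the list is jsonencode()d a second time below.
  azure_groups = [
    {
      group_name = "Existing-Group-Assigned-To-ResourceGroup" # placeholder
      object_id  = "00000000-0000-0000-0000-000000000000"     # placeholder
    },
  ]
}

resource "vault_generic_endpoint" "test_role" {
  # The API path the CLI writes to: <mount>/roles/<role name>
  path = "azure/roles/test-role"

  data_json = jsonencode({
    ttl          = "10m"
    max_ttl      = "20m"
    azure_groups = jsonencode(local.azure_groups)
  })

  # Reading the role back returns fields not present in data_json
  # (for example azure_roles and application_object_id); without this
  # flag every plan would show a spurious diff on those fields.
  ignore_absent_fields = true
}
```

Once applied, the role is consumed exactly like one created with the CLI (`vault read azure/creds/test-role`), and the Terraform state tracks the role so a later `terraform destroy` deletes it. The trade-off against a typed resource is that Terraform cannot validate the field names or values before the write, so a typo in `azure_groups` only surfaces as an error from Vault at apply time.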