| page_title | dbtcloud_azure_ad_application Resource - dbtcloud |
|---|---|
| subcategory | |
| description | Manages an Azure Active Directory (Microsoft Entra ID) application registration for a dbt Cloud account. This enables Azure DevOps integration, allowing dbt Cloud to access Azure DevOps repositories for project setup. The client_id, client_secret and tenant_id are encrypted at rest and never returned by the API. They are stored as sensitive values in Terraform state so they can be resent on every update — the API requires all three on both create and update. Destroy behaviour: running terraform destroy calls the dbt Cloud DELETE endpoint, which marks the record as inactive. Due to a known dbt Cloud backend limitation, the underlying database row is retained and re-creating the resource against the same account without a backend cleanup will fail with a unique-constraint error. If you need to recreate the resource after a destroy, contact dbt Cloud support to have the orphaned record removed, or use terraform import to re-adopt the existing record ID. Requires the Azure DevOps integration feature to be enabled on the account (enterprise plans only). |
Manages an Azure Active Directory (Microsoft Entra ID) application registration for a dbt Cloud account. This enables Azure DevOps integration, allowing dbt Cloud to access Azure DevOps repositories for project setup.

The `client_id`, `client_secret` and `tenant_id` are encrypted at rest and never returned by the API. They are stored as sensitive values in Terraform state so they can be resent on every update — the API requires all three on both create and update.

Destroy behaviour: running `terraform destroy` calls the dbt Cloud DELETE endpoint, which marks the record as inactive. Due to a known dbt Cloud backend limitation, the underlying database row is retained and re-creating the resource against the same account without a backend cleanup will fail with a unique-constraint error. If you need to recreate the resource after a destroy, contact dbt Cloud support to have the orphaned record removed, or use `terraform import` to re-adopt the existing record ID.

Requires the Azure DevOps integration feature to be enabled on the account (enterprise plans only).

```terraform
resource "dbtcloud_azure_ad_application" "this" {
  organization_name = "my-azure-devops-org"
  client_id         = "00000000-0000-0000-0000-000000000000"
  client_secret     = var.azure_client_secret
  tenant_id         = "00000000-0000-0000-0000-000000000001"

  # Optional: defaults to "service_user". Set to "service_principal" to use
  # service principal authentication instead.
  azure_service_authentication_method = "service_user"
}

# NOTE: destroying this resource calls the dbt Cloud DELETE endpoint, which
# marks the record as inactive but does not remove the underlying database row.
# Re-creating the resource against the same account after a destroy will fail
# with a unique-constraint error. To recover, ask dbt Cloud support to remove
# the orphaned record, or use `terraform import` to re-adopt it:
#
#   terraform import dbtcloud_azure_ad_application.this <id>
```

- `client_id` (String, Sensitive) The client ID (application ID) of the Azure AD app registration. Stored as a sensitive value — the API never returns it.
- `client_secret` (String, Sensitive) The client secret of the Azure AD app registration. Stored as a sensitive value — the API never returns it.
- `organization_name` (String) The name of the Azure DevOps organization.
- `tenant_id` (String, Sensitive) The tenant ID of the Azure AD directory. Stored as a sensitive value — the API never returns it.

- `azure_service_authentication_method` (String) The method used for service authentication. One of: `service_user`, `service_principal`. Defaults to `service_user`.
- `resource_metadata` (Dynamic) Metadata for tracking resource identity during account migrations. Stored in Terraform state only and not sent to the API.

- `account_id` (Number) The ID of the dbt Cloud account.
- `created_at` (String) Timestamp when the application was created.
- `id` (Number) The ID of the Azure AD application.
- `oauth_redirect_uri_domain` (String) The domain used for the OAuth redirect URI. Set automatically by dbt Cloud based on the account's subdomain.
- `updated_at` (String) Timestamp when the application was last updated.
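
The two caveats above (all three credentials live in Terraform state, and a destroy leaves a record that blocks re-creation) can be addressed in the configuration itself. The following is an added example, not part of the provider documentation; the variable names `azure_client_id` and `azure_tenant_id` are assumptions, and the GUID checks assume the IDs are supplied in the same format as the sample values on this page.

```terraform
# Added example: variable names are assumptions, not defined by the provider.
variable "azure_client_id" {
  type      = string
  sensitive = true # redacted in plan and apply output

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.azure_client_id))
    error_message = "azure_client_id must be a GUID."
  }
}

variable "azure_tenant_id" {
  type      = string
  sensitive = true

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.azure_tenant_id))
    error_message = "azure_tenant_id must be a GUID."
  }
}

variable "azure_client_secret" {
  type      = string
  sensitive = true
  nullable  = false # the API requires the secret on every create and update
}

resource "dbtcloud_azure_ad_application" "this" {
  organization_name = "my-azure-devops-org"
  client_id         = var.azure_client_id
  client_secret     = var.azure_client_secret
  tenant_id         = var.azure_tenant_id

  lifecycle {
    # Reject any plan that would destroy this resource. A destroy only
    # soft-deletes the record, and re-creating it afterwards fails with a
    # unique-constraint error.
    prevent_destroy = true
  }
}
```

Marking the variables `sensitive` only redacts them from CLI output; the values are still written to state, so the state backend needs encryption and restricted access. `prevent_destroy` stops working if the resource block itself is deleted from the configuration, so removals of this resource still need review.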
Import is supported using the following syntax:

```terraform
# using import blocks (requires Terraform >= 1.5)
import {
  to = dbtcloud_azure_ad_application.this
  id = "azure_ad_application_id"
}

# for example, with a numeric record ID
import {
  to = dbtcloud_azure_ad_application.this
  id = "12345"
}
```

```shell
# using the older import command
terraform import dbtcloud_azure_ad_application.this azure_ad_application_id
terraform import dbtcloud_azure_ad_application.this 12345

# NOTE: client_id, client_secret, and tenant_id will be empty after import —
# the API never returns these values. You must set them in your config to
# avoid drift on the next apply.
#
# Import is also the recovery path if destroy left an orphaned record in dbt
# Cloud (the DELETE endpoint soft-deletes the row rather than removing it).
# Find the existing record ID and import it instead of creating a new one.
```