prefapp · pablosanchezpaz · Feb 5, 2026 · Feb 10, 2026 · Copilot · Feb 10, 2026
@@ -0,0 +1,48 @@
+formatter: "markdown"
+
+version: ""
+
-version: ""
-version: ""
+header-from: docs/header.md
+footer-from: docs/footer.md
+
+recursive:
+  enabled: false
+  path: modules
+  include-main: true
+
+sections:
+  hide: []
+  show: []
+
+content: ""
+
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
@@ -1,57 +1,29 @@
-# Azure OIDC
+<!-- BEGIN_TF_DOCS -->
+# Azure OIDC Terraform Module
 
 ## Overview
 
-This module creates an Azure AD application, service principal and role assignment for each application in the data file.
+This Terraform module creates Azure AD applications, service principals, and role assignments for each application defined in the input data file. It supports federated credentials for GitHub Actions and other issuers.
 
-> Note: not defining a scope in an application is equivalent to defining the scope of the subscription
+> Note: Not defining a scope in an application is equivalent to defining the scope of the subscription.
 
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >3.0.0 |
+## Main features
+- Create multiple Azure AD applications and service principals.
+- Assign custom roles and scopes to each application.
+- Add federated credentials for GitHub Actions or custom issuers.
+- Realistic configuration example.
 
-## Providers
+## Complete usage example
 
-| Name | Version |
-|------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | ~> 2.15.0 |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >3.0.0 |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [azuread_application.gh_oidc_ad_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_federated_identity_credential.gh_oidc_identity_credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
-| [azuread_service_principal.gh_oidc_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azurerm_role_assignment.gh_oidc_service_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
-| [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
-
-## Usage
-
-### Set a module
-
-```terraform
-module "githuib-oidc" {
+### Module usage
+```hcl
+module "github-oidc" {
   source = "git::https://github.com/prefapp/tfm.git//modules/azure-oidc?ref=<version>"
-  data   = yamldecode(file("<path_to_yaml_file>"
+  data   = yamldecode(file("<path_to_yaml_file>"))
 }
 ```
 
-#### Example
-
-```terraform
-module "githuib-oidc" {
-  source = "git::https://github.com/prefapp/tfm.git//modules/azure-oidc?ref=v1.2.3"
-  data   = yamldecode(file("github_oidc.yaml")
-```
-
-### Set a data file
-
+### Example data file
 ```yaml
 applications:
   - name: app
@@ -74,8 +46,7 @@ applications:
         issuer: "issuer_foo_foo"
 ```
 
-#### Example
-
+#### Realistic example
 ```yaml
 app_registrations:
   - name: service_repositories
@@ -107,3 +78,79 @@ app_registrations:
     # scope:
     #   - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # This is similar to not putting scope
 ```
+
+## Notes
+- If you do not define a scope, the subscription scope will be used by default.
+- Federated credentials support GitHub Actions and custom issuers.
+- Each application can have multiple roles, scopes, and federated credentials.
+
+## File structure
+
+```
+.
+├── main.tf
+├── variables.tf
+├── outputs.tf
+├── README.md
+├── CHANGELOG.md
+└── docs/
+    ├── header.md
+    └── footer.md
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.15.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | ~> 2.15.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_application.gh_oidc_ad_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.gh_oidc_identity_credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
+| [azuread_service_principal.gh_oidc_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.gh_oidc_service_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
+| [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_data"></a> [data](#input\_data) | YAML data for configuring resources | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+## Examples
+
+For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-oidc/_examples):
+
+- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-oidc/_examples/basic) - OIDC and federated credentials configuration for workloads (e.g., GitHub Actions).
+
+## Resources and support
+
+- [Official Azure AD Application documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals)
+- [Terraform reference for azuread\_application](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application)
+- [Terraform reference for azuread\_application\_federated\_identity\_credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential)
+- [Terraform reference for azurerm\_role\_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment)
+
+## Support
+
+For issues, questions, or contributions related to this module, please visit the [repository's issue tracker](https://github.com/prefapp/tfm/issues).
+<!-- END_TF_DOCS -->
@@ -0,0 +1,21 @@
+module "azure_oidc" {
+  source = "../../"
+
+  data = {
+    app_registrations = [
+      {
+        name  = "service_repositories"
+        roles = ["AcrPush", "AcrPull"]
+        scope = [
+          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry"
+        ]
+        federated_credentials = [
+          {
+            subject = "repository_owner:prefapp"
+            issuer  = "https://token.actions.githubusercontent.com"
+          }
+        ]
+      }
+    ]
+  }
+}
@@ -0,0 +1,11 @@
+data:
+  app_registrations:
+    - name: service_repositories
+      roles:
+        - AcrPush
+        - AcrPull
+      scope:
+        - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry
+      federated_credentials:
+        - subject: repository_owner:prefapp
+          issuer: https://token.actions.githubusercontent.com
-data:
-  app_registrations:
-    - name: service_repositories
-      roles:
-        - AcrPush
-        - AcrPull
-      scope:
-        - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry
-      federated_credentials:
-        - subject: repository_owner:prefapp
-          issuer: https://token.actions.githubusercontent.com
+app_registrations:
+  - name: service_repositories
+    roles:
+      - AcrPush
+      - AcrPull
+    scope:
+      - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry
+    federated_credentials:
+      - subject: repository_owner:prefapp
+        issuer: https://token.actions.githubusercontent.com
-data:
-  app_registrations:
-    - name: service_repositories
-      roles:
-        - AcrPush
-        - AcrPull
-      scope:
-        - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry
-      federated_credentials:
-        - subject: repository_owner:prefapp
-          issuer: https://token.actions.githubusercontent.com
+app_registrations:
+  - name: service_repositories
+    roles:
+      - AcrPush
+      - AcrPull
+    scope:
+      - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registry
+    federated_credentials:
+      - subject: repository_owner:prefapp
+        issuer: https://token.actions.githubusercontent.com
@@ -0,0 +1,16 @@
+## Examples
+
+For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-oidc/_examples):
+
+- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-oidc/_examples/basic) - OIDC and federated credentials configuration for workloads (e.g., GitHub Actions).
+
+## Resources and support
+
+- [Official Azure AD Application documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals)
+- [Terraform reference for azuread_application](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application)
+- [Terraform reference for azuread_application_federated_identity_credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential)
+- [Terraform reference for azurerm_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment)
+
+## Support
+
+For issues, questions, or contributions related to this module, please visit the [repository's issue tracker](https://github.com/prefapp/tfm/issues).
@@ -0,0 +1,98 @@
+# Azure OIDC Terraform Module
+
+## Overview
+
+This Terraform module creates Azure AD applications, service principals, and role assignments for each application defined in the input data file. It supports federated credentials for GitHub Actions and other issuers.
+
+> Note: Not defining a scope in an application is equivalent to defining the scope of the subscription.
+
+## Main features
+- Create multiple Azure AD applications and service principals.
+- Assign custom roles and scopes to each application.
+- Add federated credentials for GitHub Actions or custom issuers.
+- Realistic configuration example.
+
+## Complete usage example
+
+### Module usage
+```hcl
+module "github-oidc" {
-module "github-oidc" {
+module "github_oidc" {
-module "github-oidc" {
+module "github_oidc" {
+  source = "git::https://github.com/prefapp/tfm.git//modules/azure-oidc?ref=<version>"
+  data   = yamldecode(file("<path_to_yaml_file>"))
+}
+```
+
+### Example data file
+```yaml
+applications:
+  - name: app
+    roles:
+      - role1
+      - role2
+    scope:
+      - scope1
+      - scope2
+    federated_credentials:
+      - subject: "subject_claim_foo:my_repo_foo"
+        issuer: "issuer_foo"
+      - subject: "subject_claim_bar:my_repo_bar"
+        issuer: "issuer_bar"
+  - name: app2
+    roles:
+      - role1
+    federated_credentials:
+      - subject: "my_repo_foo_foo"
+        issuer: "issuer_foo_foo"
+```
+
+#### Realistic example
+```yaml
+app_registrations:
+  - name: service_repositories
+    roles:
+      - AcrPush
+      - AcrPull
+    scope:
+      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registries"
+      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/bar/providers/Microsoft.ContainerRegistry/registries/bar-registries"
+    federated_credentials:
+      - subject: "repository_owner:prefapp"
+        issuer: "https://token.actions.githubusercontent.com"
+  - name: state_repositorie
-  - name: state_repositorie
+  - name: state_repositories
-  - name: state_repositorie
+  - name: state_repositories
+    roles:
+      - AcrPush
+    scope:
+      - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo/providers/Microsoft.ContainerRegistry/registries/foo-registries"
+    federated_credentials:
+      - subject: "repository_owner:prefapp"
+        issuer: "https://token.actions.githubusercontent.com"
+  - name: infra_repositorie
-  - name: infra_repositorie
+  - name: infra_repositories
-  - name: infra_repositorie
+  - name: infra_repositories
+    roles:
+      - Contributor
+    federated_credentials:
+      - subject: "my_repo_foo"
+        issuer: "issuer_foo"
+      - subject: "my_repo_bar"
+        issuer: "issuer_bar"
+    # scope:
+    #   - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # This is similar to not putting scope
+```
+
+## Notes
+- If you do not define a scope, the subscription scope will be used by default.
+- Federated credentials support GitHub Actions and custom issuers.
+- Each application can have multiple roles, scopes, and federated credentials.
+
+## File structure
+
+```
+.
+├── main.tf
+├── variables.tf
+├── outputs.tf
+├── README.md
+├── CHANGELOG.md
+└── docs/
+    ├── header.md
+    └── footer.md
+```