How Do I Add Active Directory To APIM Using Terraform?
Following this article you can link Azure API Management to Azure Active Directory users/groups.
Currently I am creating the APIM instance with Terraform:
resource "azurerm_api_management" "test" {
name = "example-apim"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
publisher_name = "My Company"
publisher_email = "company@terraform.io"
sku {
name = "Developer"
capacity = 1
}
}
How do I add an Active Directory identity provider to it?
This does not seem to be possible with Terraform; however, it can be added from the Azure CLI by calling the REST API.
az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01" -b "{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}"
The body (-b) is JSON that has been formatted onto a single line. You need to look up the clientId in Active Directory and know what the clientSecret is.
If you prefer, you can embed this command in Terraform:
resource "null_resource" "add-ad-identity-provider" {
provisioner "local-exec" {
command = "az rest -m put -u \"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01\" -b \"{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}\""
}
depends_on = ["azurerm_api_management.test"]
}
Terraform added support for this in December 2019. You can now link them using:
resource "azurerm_api_management_identity_provider_aad" "example" {
resource_group_name = azurerm_resource_group.example.name
api_management_name = azurerm_api_management.example.name
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "00000000000000000000000000000000"
allowed_tenants = ["00000000-0000-0000-0000-000000000000"]
}
The original answer from March 4 mostly works. However, one piece is missing. You also need to set up an app registration by following https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad
That walks you through what you need (except for allowed tenants, which is the allowed tenant ID).
There is one more missing piece: when configuring the app registration, also go to API permissions, add a new permission for Azure Active Directory Graph (under supported legacy APIs), create an Application permission, and add Directory.Read.All. Then grant admin consent.
If you combine resources from the azurerm and azuread providers, you can now automate the whole process of deploying APIM with an app registration and AAD authentication on the developer portal. It covers both of these Microsoft guides:
- Quickstart: Create a new Azure API Management service instance by using the Azure portal
- Authorize developer accounts by using Azure Active Directory in Azure API Management
Terraform code example:
terraform {
required_version = ">=1.0.9"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.81.0"
}
azuread = {
source = "hashicorp/azuread"
version = "=2.7.0"
}
}
backend "azurerm" {}
}
provider "azurerm" {
features {}
}
provider "azuread" {}
resource "azurerm_api_management" "api_management" {
name = var.api_management_name
location = var.location
resource_group_name = var.resource_group_name
publisher_name = var.publisher_name
publisher_email = var.publisher_email
sku_name = var.api_management_sku
identity {
type = "SystemAssigned"
}
}
resource "azuread_application" "application" {
display_name = var.application_name
web {
redirect_uris = ["${azurerm_api_management.api_management.developer_portal_url}/"]
}
}
resource "azuread_application_password" "password" {
application_object_id = azuread_application.application.object_id
}
resource "azurerm_api_management_identity_provider_aad" "identity_provider_aad" {
resource_group_name = var.resource_group_name
api_management_name = azurerm_api_management.api_management.name
client_id = azuread_application.application.application_id
client_secret = azuread_application_password.password.value
allowed_tenants = var.id_provider_allowed_tenants
}
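As an added example (not part of any answer above), here is the piece the March 4 follow-up says is missing, expressed in Terraform rather than portal clicks: the Azure AD Graph Directory.Read.All Application permission on the app registration, plus the admin-consent grant. It assumes the azuread 2.x provider pinned above, replaces the azuread_application.application block from the previous answer, and looks role IDs up from the well-known Azure AD Graph application ID 00000002-0000-0000-c000-000000000000 instead of hard-coding them.

```hcl
# Added example, not the original answer's code. Requires azuread provider 2.x.
# Assumes azurerm_api_management.api_management and var.application_name exist.

# Well-known application ID of the (legacy) Azure AD Graph API.
data "azuread_service_principal" "aad_graph" {
  application_id = "00000002-0000-0000-c000-000000000000"
}

# Replaces the azuread_application.application block from the answer above.
resource "azuread_application" "application" {
  display_name = var.application_name

  web {
    redirect_uris = ["${azurerm_api_management.api_management.developer_portal_url}/"]
  }

  # Portal step "API permissions": Application permission Directory.Read.All.
  # The role ID is resolved from the Graph service principal, not hard-coded.
  required_resource_access {
    resource_app_id = data.azuread_service_principal.aad_graph.application_id

    resource_access {
      id   = data.azuread_service_principal.aad_graph.app_role_ids["Directory.Read.All"]
      type = "Role"
    }
  }
}

# Service principal (enterprise app) for the registration in this tenant.
resource "azuread_service_principal" "application" {
  application_id = azuread_application.application.application_id
}

# Portal step "Grant admin consent": assign the app role to our service principal.
resource "azuread_app_role_assignment" "directory_read_all" {
  app_role_id         = data.azuread_service_principal.aad_graph.app_role_ids["Directory.Read.All"]
  principal_object_id = azuread_service_principal.application.object_id
  resource_object_id  = data.azuread_service_principal.aad_graph.object_id
}
```

Whether the client secret comes from azuread_application_password or the earlier null_resource approach, it ends up in Terraform state, so the state backend needs the same protection as the secret itself. Azure AD Graph has since been retired; on a current tenant the same pattern works against the Microsoft Graph service principal (application ID 00000003-0000-0000-c000-000000000000) and its own Directory.Read.All app role.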