Error while trying to do App Registration using Terraform Azure AD Provider 2.0
I am trying to do an App Registration using the Terraform Azure AD 2.0 provider, but I get the following error on apply.
The object ID is the object ID of Microsoft Graph.
All the well-known IDs are provided here:
https://github.com/manicminer/hamilton/blob/main/environments/published.go
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids
│ Error: Updating service principal with object ID: "a2f717fe-bc5d-42e5-b0b4-801562508280"
│
│   with azuread_service_principal.msgraph,
│   on resources.application.tf line 220, in resource "azuread_service_principal" "msgraph":
│  220: resource "azuread_service_principal" "msgraph" {
│
│ ServicePrincipalsClient.BaseClient.Patch(): unexpected status 403 with
│ OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
Below is my code:
data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# Adopt the tenant's existing Microsoft Graph service principal so that its
# app_role_ids / oauth2_permission_scope_ids can be referenced below.
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

resource "azuread_application" "app-api" {
  display_name = format("app-%s-api-%s", var.project.name, var.project.environment.name)
  owners       = [data.azuread_client_config.default.object_id]

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allows the app to read and write data"
      admin_consent_display_name = local.oauth2_permissions.read-and-write.admin_consent_display_name
      enabled                    = true
      id                         = random_uuid.opsys-gw.result
      type                       = "User"
      value                      = "read-and-write"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Application administrators have the ability to administer the application."
    display_name         = local.app_roles.application-administrator.display_name
    enabled              = true
    id                   = data.azuread_client_config.default.object_id # any stable, unique GUID
    value                = "application-administrator"
  }

  web {
    logout_url    = format("https://%s.azurewebsites.net/.auth/logout", module.name_app_service_api.location.app_service.name_unique)
    redirect_uris = [format("https://%s.azurewebsites.net/.auth/login/aad/callback", module.name_app_service_api.location.app_service.name_unique)]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph # Microsoft Graph

    # Application permission (app-only); requires admin consent.
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    # Delegated permission; the id must be Graph's own scope id, not a locally generated UUID.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read.All"] # User.Read.All
      type = "Scope"
    }
  }
}
Azure AD API service principal resource:
resource "azuread_service_principal" "api-sp" {
  application_id               = azuread_application.app-api.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.default.object_id]
}
Azure AD API application service principal secret:
resource "azuread_application_password" "api-app-sp-secret" {
  application_object_id = azuread_application.app-api.object_id
}
My Terraform service principal application has already been assigned the required permissions in Azure AD, as shown in the attachment.
When I tried your code above as a normal user, I ran into the same error (because I did not have the privileges of the Application Administrator or Global Administrator role in my tenant). Once I got the above roles and administrator permission, I was able to run the code.
You also need to remove this statement from your code:
data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}
Terraform code:
# Configure the Azure Active Directory Provider
provider "azuread" {
}

data "azuread_client_config" "current" {}

data "azuread_application_published_app_ids" "well_known" {}

# Adopt the tenant's existing Microsoft Graph service principal. The provider
# issues a PATCH against it on apply, which is the call that returned 403
# before the Application Administrator / Global Administrator role was granted.
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

resource "azuread_application" "app-api" {
  display_name = "example3724"
  owners       = [data.azuread_client_config.current.object_id]

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
      admin_consent_display_name = "Access example"
      enabled                    = true
      id                         = "96183846-204b-4b43-82e1-5d2222eb4b9b"
      type                       = "User"
      user_consent_description   = "Allow the application to access example on your behalf."
      user_consent_display_name  = "Access example"
      value                      = "user_impersonation"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = data.azuread_client_config.current.object_id # any stable, unique GUID
    value                = "application-administrator"
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph # Microsoft Graph

    # Application permission (app-only); requires admin consent before use.
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    # Delegated permission; look the id up from the Graph service principal.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.ReadWrite"] # User.ReadWrite
      type = "Scope"
    }
  }
}
Output:
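The 403 in the answer above comes from the PATCH the provider makes against the Microsoft Graph service principal, and whether that PATCH succeeds is decided by the claims in the Graph token Terraform runs with: a delegated (user) token needs a directory role such as Application Administrator or Global Administrator in its `wids` claim, an app-only (client credentials) token needs an application permission such as Application.ReadWrite.All in its `roles` claim, and User.Read.All alone is not enough. The following pre-flight check is an added example, not code from the question, the answer, or the azuread provider. It assumes you fetch a token for the same identity Terraform uses (for example `az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv` when the provider authenticates via Azure CLI) and pass it to `check_token()`; the tokens built inline are constructed, unsigned samples so the script runs offline. The signature is deliberately not verified: this inspects your own token to predict the 403, it is not an authorization decision.

```python
"""Pre-flight check of the Microsoft Graph token Terraform will run with.

Added example, not part of the original question or answer. It inspects the
claims of an access token and reports whether the caller holds a directory
role or application permission that allows updating another service
principal (the PATCH that returned 403 in the question). The signature is
NOT verified: this is a diagnostic for your own token, not an authorization
decision. All sample tokens below are CONSTRUCTED locally (alg=none).
"""
import base64
import json

# Well-known directory role template IDs (tenant independent).
ADMIN_ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
}

# App-only Graph permissions that allow updating arbitrary service principals.
# Application.ReadWrite.All is the least-privileged of the two.
SP_WRITE_APP_PERMISSIONS = {"Application.ReadWrite.All", "Directory.ReadWrite.All"}

# Graph tokens carry either the URI or the Graph application id as audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str) -> dict:
    """Classify the token and predict whether a service principal PATCH will be allowed."""
    claims = decode_claims(token)
    delegated = "scp" in claims  # user token: write rights come from directory roles (wids)
    if delegated:
        wids = claims.get("wids", [])
        matched = sorted(ADMIN_ROLE_TEMPLATES[w] for w in wids if w in ADMIN_ROLE_TEMPLATES)
    else:  # app-only token: write rights come from granted application permissions (roles)
        matched = sorted(set(claims.get("roles", [])) & SP_WRITE_APP_PERMISSIONS)
    audience_ok = claims.get("aud") in GRAPH_AUDIENCES
    return {
        "delegated": delegated,
        "audience_ok": audience_ok,
        "matched": matched,
        "ok": audience_ok and bool(matched),
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED alg=none JWT so the check can be exercised offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


GRAPH = "https://graph.microsoft.com"
SAMPLE_TOKENS = {
    # Terraform SP granted only User.Read.All: the situation in the question, PATCH -> 403.
    "sp_user_read_only": make_unsigned_jwt({"aud": GRAPH, "roles": ["User.Read.All"]}),
    # Terraform SP also granted Application.ReadWrite.All: PATCH allowed without a directory role.
    "sp_app_readwrite": make_unsigned_jwt(
        {"aud": GRAPH, "roles": ["User.Read.All", "Application.ReadWrite.All"]}
    ),
    # Interactive user holding Application Administrator (the role the answer obtained).
    "user_app_admin": make_unsigned_jwt({
        "aud": GRAPH,
        "scp": "Directory.AccessAsUser.All",
        "wids": ["9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"],
    }),
    # Token minted for Azure Resource Manager: Graph rejects it whatever roles it lists.
    "arm_token": make_unsigned_jwt(
        {"aud": "https://management.azure.com/", "roles": ["Application.ReadWrite.All"]}
    ),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        print(f"{name:18} -> {check_token(tok)}")
```

Run it before `terraform apply`: if `ok` is false for the identity Terraform uses, the PATCH on `azuread_service_principal.msgraph` will fail exactly as in the question. For an automation service principal, granting Application.ReadWrite.All (with admin consent) is the least-privileged way to satisfy the check; Global Administrator is far broader than the task needs.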