Error while trying to do App Registration using Terraform Azure AD Provider 2.0

I am trying to do an app registration with the Terraform Azure AD 2.0 provider, but on apply I get the error below. The object ID in the error is the object ID of the Microsoft Graph service principal. All the well-known application IDs are listed here:

https://github.com/manicminer/hamilton/blob/main/environments/published.go
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids

Error: Updating service principal with object ID: "a2f717fe-bc5d-42e5-b0b4-801562508280"
│ 
│   with azuread_service_principal.msgraph,
│   on resources.application.tf line 220, in resource "azuread_service_principal" "msgraph":
│  220: resource "azuread_service_principal" "msgraph" {
│ 
│ ServicePrincipalsClient.BaseClient.Patch(): unexpected status 403 with
│ OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.

Below is my code:

data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

resource "azuread_application" "app-api" {
  display_name = format("app-%s-api-%s", var.project.name, var.project.environment.name)
  owners       = [data.azuread_client_config.default.object_id]

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allows the app to read and write data"
      admin_consent_display_name = local.oauth2_permissions.read-and-write.admin_consent_display_name
      enabled                    = true
      id                         = random_uuid.opsys-gw.result
      type                       = "User"
      value                      = "read-and-write"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Application administrators have the ability to administer the application."
    display_name         = local.app_roles.application-administrator.display_name
    enabled              = true
    id                   = data.azuread_client_config.default.object_id
    value                = "application-administrator"
  }

  web {
    logout_url    = format("https://%s.azurewebsites.net/.auth/logout", module.name_app_service_api.location.app_service.name_unique)
    redirect_uris = [format("https://%s.azurewebsites.net/.auth/login/aad/callback", module.name_app_service_api.location.app_service.name_unique)]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph # Microsoft Graph

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    resource_access {
      id   = random_uuid.opsys-gw.result # User.Read.All
      type = "Scope"
    }
  }
}

Azure AD API service principal resource:

resource "azuread_service_principal" "api-sp" {
  application_id               = azuread_application.app-api.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.default.object_id]
}

Azure AD API application service principal secret:

resource "azuread_application_password" "api-app-sp-secret" {
  application_object_id = azuread_application.app-api.object_id
}

My Terraform service principal application has already been assigned the required permissions in Azure AD, as shown in the attachment.

When I tried your above code as a normal user, I got the same error (as I did not know that I would need the privileges of the Application Administrator or Global Administrator role in my tenant).

Once I had the above roles and administrator permission, I was able to run the code.

You also need to remove this statement from your code:

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

Terraform code:

# Configure the Azure Active Directory Provider
provider "azuread" {
}

data "azuread_client_config" "current" {}

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}


resource "azuread_application" "app-api" {
  display_name = "example3724"
  owners       = [data.azuread_client_config.current.object_id]

  api {
     oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
      admin_consent_display_name = "Access example"
      enabled                    = true
      id                         = "96183846-204b-4b43-82e1-5d2222eb4b9b"
      type                       = "User"
      user_consent_description   = "Allow the application to access example on your behalf."
      user_consent_display_name  = "Access example"
      value                      = "user_impersonation"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = data.azuread_client_config.current.object_id
    value                = "application-administrator"
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph # Microsoft Graph

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.ReadWrite"] # User.ReadWrite delegated scope
      type = "Scope"
    }
  }
}

Output:
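To tell before `terraform apply` whether the identity Terraform runs as is allowed to PATCH the Microsoft Graph service principal (the call that returned 403 Authorization_RequestDenied above), here is an added example that is not part of the question, the answer, or the azuread provider: it reads the claims of a Graph access token and reports the directory roles named in the answer or the Application.ReadWrite.All app permission. The tokens are constructed, unsigned samples; the role template IDs are Azure AD's public built-in values, and `fake_jwt` exists only so the script runs offline.

```python
import base64
import json

# Azure AD built-in role template IDs (documented public values) for the two
# roles the answer names; a user token lists held roles in its 'wids' claim.
ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}
# Graph app permission that allows updating service principals ('roles' claim of app-only tokens).
APP_PERMISSION = "Application.ReadWrite.All"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token so this example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: fine for
    inspecting your own token, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))

def graph_preflight(token: str) -> dict:
    """Say whether the bearer may PATCH a first-party service principal,
    the Graph call that returned 403 Authorization_RequestDenied above."""
    claims = token_claims(token)
    app_perm = APP_PERMISSION in claims.get("roles", [])
    held = sorted(ROLE_TEMPLATES[w] for w in claims.get("wids", [])
                  if w in ROLE_TEMPLATES)
    return {
        "app_permission": app_perm,
        "directory_roles": held,
        "can_patch_service_principal": app_perm or bool(held),
    }

# Constructed sample tokens: an ordinary user, an Application Administrator,
# and a Terraform service principal granted Application.ReadWrite.All.
PLAIN_USER = fake_jwt({"upn": "dev@example.test", "wids": []})
APP_ADMIN = fake_jwt({"upn": "admin@example.test",
                      "wids": ["9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"]})
TERRAFORM_SP = fake_jwt({"appid": "11111111-2222-3333-4444-555555555555",
                         "roles": ["Application.ReadWrite.All"]})
```

Against a real token obtained from the Azure CLI for Microsoft Graph only `graph_preflight` is needed; a result of `can_patch_service_principal: False` predicts the same 403 before any state is touched.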