Create Azure AD Application using terraform (Invalid UUID)

I am using terraform to create an Azure AD application. I have tried the default example from the terraform samples (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application), and I have also customized the code below from the one I created manually (basically, I created an application manually in AD and got the details for the created application from the data resource using terraform). Both versions of the code throw the same error:

Error: Value must be a valid UUID
│
│   with azuread_application.example,
│   on adapp.tf line 3, in resource "azuread_application" "example":
│    3: resource "azuread_application" "example" {

This is the code I have customized from the original example:

data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"
    resource_access {
      id   = "..."
      type = "Scope"
    }
  }

  web {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = false
    }
  }
}

I have validated "data.azuread_client_config.current.object_id"; it is not null and it produces a value.

Terraform config:

Terraform v0.15.4 on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v1.6.0

As you are using the resource app ID of "Microsoft Graph" (00000003-0000-0000-c000-000000000000), you have to provide the delegated permissions you need your app to have in Microsoft Graph, like User.Read etc.

Some CLI commands that will help you get the Microsoft Graph resource app ID and the delegated permission IDs:

 - az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}' --output table
 - az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "oauth2Permissions[].{Value:value, Id:id}" --output table
   # On Azure CLI 2.37.0 and later (backed by Microsoft Graph instead of Azure AD Graph), the property is named
   # oauth2PermissionScopes, so the query becomes "oauth2PermissionScopes[].{Value:value, Id:id}".

So, as you are already using the default Microsoft Graph app ID, we need to get the delegated permission IDs to provide in the resource access id.

Then your terraform code will be as below:

data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # resource ID of Microsoft Graph
    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # User.Read
      type = "Scope"
    }
  }

  web {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = false
    }
  }
}

Doing a terraform plan: [screenshot of the successful plan output in the original answer]

Note: the default Microsoft Graph app ID is "00000003-0000-0000-c000-000000000000" and the default Windows Azure Active Directory app ID (Azure AD Graph) is "00000002-0000-0000-c000-000000000000". Based on your requirement you can use Microsoft Graph or Azure AD Graph.
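The root cause above is that the provider validates every `resource_access.id` as a UUID, so the placeholder `"..."` from the registry example is rejected before anything reaches Azure. Pasting a UUID copied from `az ad sp show` works, but a typo in that literal is not caught until consent time. The following is an added example, not code from the original question or answer, showing how to resolve the Microsoft Graph app ID and delegated scope IDs by name from the azuread provider's own data sources instead of hard-coding them. It assumes azuread provider 2.47 or later (the question used 1.6.0; the `azuread_application` blocks used here are the same, but `azuread_application_published_app_ids` and the `oauth2_permission_scope_ids` map on `azuread_service_principal` are 2.x features), and the scope list in `locals` is a hypothetical one chosen for illustration.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47" # assumption: 2.47+ for client_id on the service principal data source
    }
  }
}

provider "azuread" {}

data "azuread_client_config" "current" {}

# Well-known first-party application IDs published by the provider, so
# 00000003-0000-0000-c000-000000000000 is not a hand-typed literal.
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant. It exposes the delegated
# scope IDs (oauth2_permission_scope_ids) and application role IDs (app_role_ids)
# as maps keyed by their names, e.g. "User.Read".
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

locals {
  # Hypothetical set of delegated scopes this app requests. A misspelled name
  # (e.g. "User.read") fails the map lookup at plan time with "Invalid index",
  # rather than producing a wrong or invalid UUID.
  graph_delegated_scopes = ["User.Read", "openid", "email"]
}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # One resource_access block per requested scope, each with a resolved UUID.
    dynamic "resource_access" {
      for_each = toset(local.graph_delegated_scopes)
      content {
        id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids[resource_access.value]
        type = "Scope"
      }
    }
  }

  web {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = false
    }
  }
}

# Shows the scope name -> UUID mapping that was actually requested, so the
# plan output can be reviewed against the intended least-privilege set.
output "requested_graph_scope_ids" {
  value = {
    for s in local.graph_delegated_scopes :
    s => data.azuread_service_principal.msgraph.oauth2_permission_scope_ids[s]
  }
}
```

Run `terraform init` followed by `terraform plan`; the plan lists each `resource_access` block with its resolved ID, and the output makes the requested scopes reviewable by name. Note that `required_resource_access` only declares the permissions the app asks for: nothing is granted until a user or an administrator consents, and application (`type = "Role"`) permissions, which are looked up via `app_role_ids` in the same way, always need admin consent, so keep the list to the minimum the app actually uses.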
