我怎样才能 terraform 授予访问我的 Azure Active Directory 租户

Question

Input: client_id , subscription_id , resource-group-name , .

Manual / command line steps:

1. Approving at

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=<client_id>&response_type=code

2. Creating a new role ( az role definition create --output none --role-definition )
3. Creating a role assignment ( az role assignment create ).

Steps 2-3 are pretty easy since I could leverage azurerm TF Provider and, more speficially, its azurerm_role_definition and azurerm_role_assignment resources but I'm kinda confused about step #1.

Update: after googling it seems like step #1 is very similar to Enable Azure Active Directory in your App Service app if that helps.

Answer 1

Before you can even get Terraform to interact with Azure/Azure AD resources you need to get Terraform to authenticate to it.

If you're running your Terraform code locally, the process is generally to authenticate using the Azure CLI - az login and then you provide the code shown by the CLI, to the authentication page.

If you want to do this non-interactively, the best practice is you'd need to get the Terraform code run on a machine that either has Managed Identities enabled. Either a System-Assigned or a User-Assigned identity.

Another possible but less direct approach would be to use a Service Principal with a Client Secret for Terraform to authenticate . this is kinda like the link you provided for the App Service.

Try to follow the steps in those two links above as these are from Terraform and have all required steps to ensure you are able to set it up right.