Service Principal from Terraform not recognized by Azure API


Problem description

What specific changes need to be made to the syntax below so that the terraform azurerm provider can authenticate with the service principal that will be created with the following code?

Problem

A Second Terraform module needs to authenticate to Azure through the azurerm provider with a client_id and client_secret that are created programmatically during an earlier, separate process.

The provider block in the Second Terraform module looks like:

provider "azurerm" {
  subscription_id = var.subscriptionId
  client_id       = var.clientId
  client_secret   = var.clientSecret
  tenant_id       = var.tenantId
}  

The problem arises when the correct values, which we validated from the earlier preceding process, are not accepted as the var.clientId and the var.clientSecret in the provider code block above.

How the Service Principal is created:

The client_id and client_secret to be used to authenticate the Second Terraform module are currently created by a First Terraform module, which includes the following:

# App registration; its application_id is the client_id the Second module will use
resource "azuread_application" "appReg" {
  name = var.appName
}

# Service principal (enterprise app) for that registration in this tenant
resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.appReg.application_id
}

# Client secret that becomes the Second module's client_secret; the value is
# stored in plain text in this module's state file
resource "azuread_service_principal_password" "example-sp_pwd" {
  service_principal_id = azuread_service_principal.example-sp.id
  value                = "long-random-string"
  end_date             = "2021-06-02T01:02:03Z"
}

data "azurerm_subscription" "thisSubscription" {
  subscription_id = var.subscriptionId
}

# Contributor on the whole subscription; principal_id is the service
# principal's object id, not the application id
resource "azurerm_role_assignment" "example-sp_role_assignment" {
  scope                = data.azurerm_subscription.thisSubscription.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example-sp.id
}

# App role on the registration (unrelated to the provider login itself)
resource "azuread_application_app_role" "example-role" {
  application_object_id = azuread_application.appReg.id
  allowed_member_types  = ["User", "Application"]
  description           = "Admins can manage roles and perform all task actions"
  display_name          = "Admin"
  is_enabled            = true
  value                 = "administer"
}

Terraform reports Apply complete after the above First module is run, and we are also able to confirm in the Azure Portal that the correct Active Directory has a new app registration with name var.appName and with ID equal to what we find in the First module's tfstate file.

Error message:

When Terraform tries to apply the Second module using the Service Principal ID and Secret created by the First module, the following error is thrown:

Error: 
Error building account: 
Error getting authenticated object ID: 
Error listing Service Principals: 
autorest.DetailedError{
  Original:adal.tokenRefreshError{
    message:"adal: Refresh request failed. 
    Status Code = '400'. 
    Response body: {
      \"error\":\"unauthorized_client\",
      \"error_description\":\"AADSTS700016: 
          Application with identifier 'correct-app-id' was not found in the directory 'the-right-ad-id'. 
          This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. 
          You may have sent your authentication request to the wrong tenant.\\r\\n
          Trace ID: some-trace-id\\r\\n
          Correlation ID: correlation-id-redacted\\r\\n
          Timestamp: 2020-12-31 19:02:19Z\",
          \"error_codes\":[700016],
          \"timestamp\":\"2020-12-31 19:02:19Z\",
          \"trace_id\":\"some-trace-id\",
          \"correlation_id\":\"correlation-id-redacted\",
          \"error_uri\":\"https://login.microsoftonline.com/error?code=700016\"
    }", 
    resp:(*http.Response)(0xc000ac2000)}, 
    PackageType:"azure.BearerAuthorizer", 
    Method:"WithAuthorization", 
    StatusCode:400, 
    Message:"Failed to refresh the Token for request to https://graph.windows.net/the-right-ad-id/servicePrincipals?%24filter=appId+eq+%27correct-app-id%27&api-version=1.6", 
    ServiceError:[]uint8(nil), 
    Response:(*http.Response)(0xc000ac2000)
}  

The error message does not seem helpful, because we validated that the app is registered with the AAD instance.

How can we resolve this problem and programmatically create a client_id and client_secret that will be accepted and usable by the Second module?

Answer

As far as I can see, there is no problem with your Terraform code. It should work fine. But you got the error that the application was not found in the tenant. So what you need to do is check whether the tenant ID is really right in the Second module.
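A pre-flight check for the answer's advice, as an added example that is not part of the question or the answer above: it reads the identity the First module created from that module's outputs, attempts a client-credentials login against that tenant before the Second module's provider ever does, and classifies the AADSTS code in any failure so that "wrong tenant" (AADSTS700016, the error quoted above) is separated from "wrong secret". It assumes, hypothetically, that the First module exposes outputs named tenant_id, client_id and client_secret, and that terraform (0.15 or later, for -chdir and output -raw) and curl are installed. The two sample strings are constructed from the error quoted in the question and exist only so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for the Second module's service-principal credentials.
# Added example; not code from the question or the answer.
# Assumptions (hypothetical): the First module exposes outputs named
# tenant_id, client_id and client_secret; terraform >= 0.15 and curl are on PATH.
set -eu

# Constructed sample modelled on the AADSTS700016 body quoted in the question.
SAMPLE_700016='{"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier correct-app-id was not found in the directory the-right-ad-id.","error_codes":[700016]}'

# Constructed sample of the autorest wrapper line that names the tenant the
# provider actually sent the request to.
SAMPLE_TF_MESSAGE='Failed to refresh the Token for request to https://graph.windows.net/the-right-ad-id/servicePrincipals?%24filter=appId+eq+%27correct-app-id%27&api-version=1.6'

# Print the numeric AADSTS code found in $1 (a token-endpoint error body),
# or nothing if there is none (for example a successful token response).
aad_error_code() {
  printf '%s\n' "$1" | sed -n 's/.*AADSTS\([0-9]\{1,\}\).*/\1/p' | head -n 1
}

# Map the code to the thing to check next. Only codes that matter for a
# client-credentials login are named; anything else is passed through.
diagnose_aad_error() {
  code=$(aad_error_code "$1")
  case "$code" in
    "")      echo "no_aadsts_code" ;;
    700016)  echo "tenant_mismatch" ;;   # app not registered in that directory
    7000215) echo "bad_secret" ;;        # app found, secret rejected
    90002)   echo "tenant_not_found" ;;  # the tenant id itself is wrong
    *)       echo "other:$code" ;;
  esac
}

# The tenant segment of the graph.windows.net URL in a Terraform error text:
# this is the directory the provider really queried, whatever var.tenantId said.
tenant_in_error() {
  printf '%s\n' "$1" | sed -n 's#.*https://graph.windows.net/\([^/]*\)/.*#\1#p' | head -n 1
}

# Client-credentials token request against tenant $1 for app $2 with secret $3.
# Options are fed to curl as a config file on stdin (-K -) so the secret never
# appears in the process list. Prints the raw JSON body.
request_token() {
  tenant=$1 client_id=$2 client_secret=$3
  {
    printf 'url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"\n' "$tenant"
    printf 'data-urlencode = "grant_type=client_credentials"\n'
    printf 'data-urlencode = "client_id=%s"\n' "$client_id"
    printf 'data-urlencode = "client_secret=%s"\n' "$client_secret"
    printf 'data-urlencode = "scope=https://management.azure.com/.default"\n'
  } | curl -sS -K -
}

# Read the First module's outputs and log in with them before the Second
# module's provider does. Returns 0 only if a token is actually issued.
preflight() {
  first_dir=$1
  tenant=$(terraform -chdir="$first_dir" output -raw tenant_id)
  client_id=$(terraform -chdir="$first_dir" output -raw client_id)
  client_secret=$(terraform -chdir="$first_dir" output -raw client_secret)
  body=$(request_token "$tenant" "$client_id" "$client_secret")
  verdict=$(diagnose_aad_error "$body")
  case "$verdict" in
    no_aadsts_code)
      if printf '%s' "$body" | grep -q '"access_token"'; then
        echo "ok: token issued for $client_id in tenant $tenant"
        return 0
      fi
      echo "unexpected response: $body" >&2; return 1 ;;
    tenant_mismatch)
      echo "AADSTS700016: $client_id is not registered in tenant $tenant;" \
           "compare with the Directory (tenant) ID on the app registration" >&2
      return 1 ;;
    bad_secret)
      echo "AADSTS7000215: app exists in $tenant but the secret was rejected" >&2
      return 1 ;;
    *)
      echo "login failed ($verdict): $body" >&2; return 1 ;;
  esac
}

# Usage: sh sp_preflight.sh <path-to-First-module>
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it as sh sp_preflight.sh ../first-module before applying the Second module. For AADSTS700016 the tenant it reports should be compared with the Directory (tenant) ID shown on the app registration in the portal; tenant_in_error gives the same information from an existing Terraform error, since the graph.windows.net/<tenant>/ path is the directory the provider actually asked. To remove the mismatch at the source rather than detect it, the First module can output tenant_id from the azurerm_client_config data source (the directory it was itself authenticated against, which is where the registration was created) alongside the application_id and the secret marked sensitive, so the Second module's provider receives all three from one place instead of a separately typed var.tenantId.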
