Azure API 无法识别来自 Terraform 的服务主体 [英] Service Principal from Terraform not recognized by Azure API

问题描述

需要对以下语法进行哪些特定更改，以便 terraform azurerm 提供程序能够对将使用以下代码创建的服务主体进行身份验证?

问题

Second Terraform 模块需要通过 azurerm 提供程序使用之前以编程方式创建的 client_id 和 client_secret 向 Azure 进行身份验证，单独的进程.

A Second Terraform module needs to authenticate to Azure through the azurerm provider with a client_id and client_secret that is created programatically during an earlier, separate process.

Second Terraform 模块中的提供程序块如下所示:

The provider block in the Second Terraform module looks like:

provider "azurerm" {
  subscription_id = var.subscriptionId
  client_id       = var.clientId
  client_secret   = var.clientSecret
  tenant_id       = var.tenantId
}  

当我们从前面的过程中验证的正确值不被接受为提供程序代码块中的 var.clientId 和 var.clientSecret 时，就会出现问题以上.

The problem arises when the correct values whcih we validated from the earlier preceding process are not accepted as the var.clientId and the var.clientSecret in the provider code block above.

如何创建服务主体:

用于对 Second Terraform 模块进行身份验证的 client_id 和 client_secret 目前由 First Terraform 模块，包括以下内容:

The client_id and client_secret to be used to authenticate to the Second Terraform module are currently created by a First Terraform module which includes the following:

resource "azuread_application" "appReg" {
  name = var.appName
}

resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.appReg.application_id
}

resource "azuread_service_principal_password" "example-sp_pwd" {
  service_principal_id = azuread_service_principal.example-sp.id
  value                = "long-random-string"
  end_date             = "2021-06-02T01:02:03Z"
}

data "azurerm_subscription" "thisSubscription" {
  subscription_id = var.subscriptionId
}

resource "azurerm_role_assignment" "example-sp_role_assignment" {
  scope                = data.azurerm_subscription.thisSubscription.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example-sp.id
}

resource "azuread_application_app_role" "example-role" {
  application_object_id = azuread_application.appReg.id
  allowed_member_types  = ["User", "Application"]
  description           = "Admins can manage roles and perform all task actions"
  display_name          = "Admin"
  is_enabled            = true
  value                 = "administer"
}

Terraform 报告 Apply complete 在上述 First 模块运行后，我们还能够在 Azure Portal 中确认正确的 Active Directory 有新的应用注册名称为 var.appName 且 ID 等于我们在 First 模块 tfstate 文件中找到的 ID.

Terraform reports Apply complete after the above First module is run, and we are also able to confirm in the Azure Portal that the correct Active Directory has a new app registration with name var.appName and with ID equal to what we find in the First modules tfstate file.

错误信息:

当 Terraform 尝试使用 First 模块创建的 Service Principal ID 和 Secret 来 apply Second 模块时，会引发以下错误:

When Terraform tries to apply the Second module using the Service Principal ID and Secret created by the First module, the following error is thrown:

Error: 
Error building account: 
Error getting authenticated object ID: 
Error listing Service Principals: 
autorest.DetailedError{
  Original:adal.tokenRefreshError{
    message:"adal: Refresh request failed. 
    Status Code = '400'. 
    Response body: {
      "error":"unauthorized_client",
      "error_description":"AADSTS700016: 
          Application with identifier 'correct-app-id' was not found in the directory 'the-right-ad-id'. 
          This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. 
          You may have sent your authentication request to the wrong tenant.\r\n
          Trace ID: some-trace-id\r\n
          Correlation ID: correlation-id-redacted\r\n
          Timestamp: 2020-12-31 19:02:19Z",
          "error_codes":[700016],
          "timestamp":"2020-12-31 19:02:19Z",
          "trace_id":"some-trace-id",
          "correlation_id":"correlation-id-redacted",
          "error_uri":"https://login.microsoftonline.com/error?code=700016"
    }", 
    resp:(*http.Response)(0xc000ac2000)}, 
    PackageType:"azure.BearerAuthorizer", 
    Method:"WithAuthorization", 
    StatusCode:400, 
    Message:"Failed to refresh the Token for request to https://graph.windows.net/the-right-ad-id/servicePrincipals?%24filter=appId+eq+%27correct-app-id%27&api-version=1.6", 
    ServiceError:[]uint8(nil), 
    Response:(*http.Response)(0xc000ac2000)
}  

错误消息似乎没有帮助，因为我们已验证该应用已注册到 AAD 实例.

The error message does not seem helpful because we validated that the app is registered with the AAD instance.

我们如何解决这个问题并以编程方式创建 client_id 和 client_secret 将被 Second 模块接受和使用?

How can we resolve this problem and programmatically create a client_id and client_secret that will be accepted and usable by the Second module?

推荐答案

我在 Kubernetes 上的 Terraform 部署代理上遇到了同样的问题.当内存或 CPU 不够大时，可能会出现几种类型的错误.

I had the same issue on Deployment Agents for Terraform on Kubernetes. Several types of error can appear when the memory or the CPU is not large enough.

以下是 Terraform 建议:https://www.terraform.io/docs/enterprise/before-installing/index.html

Below are the Terraform recommendations: https://www.terraform.io/docs/enterprise/before-installing/index.html

当多个 Terraform 部署并行时，您必须小心共享资源的部署基础架构(K8s、Hypervisor Pool 等)，这会导致一些随机错误.

You have to be careful with the deployment infrastructures that mutualises the resources (K8s, Hypervisor Pool etc.)when several Terraform deployments are in parallel it causes somewhat random errors.

Terraform 不停止、API AZure/AWS 错误、tfstate 锁定等

Terraform which does not stop, API AZure / AWS error, tfstate lock etc.

这篇关于Azure API 无法识别来自 Terraform 的服务主体的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！