What specific changes need to be made to the syntax below so that the Terraform azurerm provider can authenticate with the service principal created by the following code?

Question

A second Terraform module needs to authenticate to Azure through the azurerm provider using a client_id and client_secret that were created programmatically in an earlier, separate process.

The provider block of the second Terraform module looks like this:
    provider "azurerm" {
      subscription_id = var.subscriptionId
      client_id       = var.clientId
      client_secret   = var.clientSecret
      tenant_id       = var.tenantId
    }
The problem is that the values of var.clientId and var.clientSecret in the provider block above, which we verified as correct from the previous process, are not accepted as valid.

How the service principal was created:

The client_id and client_secret used to authenticate the second Terraform module are currently created by the first Terraform module, which includes the following:
    # App registration in Azure AD
    resource "azuread_application" "appReg" {
      name = var.appName
    }

    # Service principal for the app registration
    resource "azuread_service_principal" "example-sp" {
      application_id = azuread_application.appReg.application_id
    }

    # Client secret for the service principal
    resource "azuread_service_principal_password" "example-sp_pwd" {
      service_principal_id = azuread_service_principal.example-sp.id
      value                = "long-random-string"
      end_date             = "2021-06-02T01:02:03Z"
    }

    data "azurerm_subscription" "thisSubscription" {
      subscription_id = var.subscriptionId
    }

    # Contributor on the subscription, scoped to the new service principal
    resource "azurerm_role_assignment" "example-sp_role_assignment" {
      scope                = data.azurerm_subscription.thisSubscription.id
      role_definition_name = "Contributor"
      principal_id         = azuread_service_principal.example-sp.id
    }

    resource "azuread_application_app_role" "example-role" {
      application_object_id = azuread_application.appReg.id
      allowed_member_types  = ["User", "Application"]
      description           = "Admins can manage roles and perform all task actions"
      display_name          = "Admin"
      is_enabled            = true
      value                 = "administer"
    }
Terraform reports Apply complete after the first module above has run, and we can also confirm in the Azure portal that the correct Active Directory has a new app registration named var.appName, with an ID equal to the one we see in the first module's tfstate file.

Error message:

When Terraform tries to apply the second module using the service principal ID and secret created by the first module, it throws the following error:
    Error:
    Error building account:
    Error getting authenticated object ID:
    Error listing Service Principals:
    autorest.DetailedError{
    Original:adal.tokenRefreshError{
    message:"adal: Refresh request failed.
    Status Code = '400'.
    Response body: {
    \"error\":\"unauthorized_client\",
    \"error_description\":\"AADSTS700016:
    Application with identifier 'correct-app-id' was not found in the directory 'the-right-ad-id'.
    This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
    You may have sent your authentication request to the wrong tenant.\\r\\n
    Trace ID: some-trace-id\\r\\n
    Correlation ID: correlation-id-redacted\\r\\n
    Timestamp: 2020-12-31 19:02:19Z\",
    \"error_codes\":[700016],
    \"timestamp\":\"2020-12-31 19:02:19Z\",
    \"trace_id\":\"some-trace-id\",
    \"correlation_id\":\"correlation-id-redacted\",
    \"error_uri\":\"https://login.microsoftonline.com/error?code=700016\"
    }",
    resp:(*http.Response)(0xc000ac2000)},
    PackageType:"azure.BearerAuthorizer",
    Method:"WithAuthorization",
    StatusCode:400,
    Message:"Failed to refresh the Token for request to https://graph.windows.net/the-right-ad-id/servicePrincipals?%24filter=appId+eq+%27correct-app-id%27&api-version=1.6",
    ServiceError:[]uint8(nil),
    Response:(*http.Response)(0xc000ac2000)
    }
The error message does not seem helpful, because we verified that the application is registered in the AAD instance.

How do we solve this problem and programmatically create a client_id and client_secret that will be accepted and used by the second module?
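An added diagnostic, not part of the question above: it performs the same client-credentials token request the azurerm provider makes, outside Terraform, so that a wrong tenant, a wrong client_id or a bad secret can be told apart from a Terraform configuration problem. It reads the provider's ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables; the code-to-hint mapping is an assumption based on the AADSTS error codes, not something the question states.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# v2.0 token endpoint; the tenant segment must be the directory (tenant) ID the app lives in.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"  # Azure Resource Manager audience


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form-encoded body) for a client-credentials grant."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # application (client) ID, not the SP object ID
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def parse_aadsts(body: str):
    """Return the first numeric AADSTS code from an AAD error body (e.g. 700016), or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    codes = doc.get("error_codes") or []
    return codes[0] if codes else None


# Assumed mapping of the codes most often seen for this failure (see AADSTS documentation).
HINTS = {
    700016: "app not found in that tenant: check tenant_id and that client_id is the app's application_id",
    7000215: "invalid client secret: check client_secret",
    90002: "tenant not found: check tenant_id",
}


def check_credentials(tenant_id: str, client_id: str, client_secret: str):
    """Attempt the token request; return (ok, aadsts_code, hint)."""
    url, data = build_token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)):
            return True, None, "token issued; credentials and tenant are consistent"
    except urllib.error.HTTPError as err:
        code = parse_aadsts(err.read().decode())
        return False, code, HINTS.get(code, "see error_description in the response")


if __name__ == "__main__":
    print(check_credentials(os.environ["ARM_TENANT_ID"], os.environ["ARM_CLIENT_ID"],
                            os.environ["ARM_CLIENT_SECRET"]))
```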