I was not able to find the creation of (Desktop + devices) platform resource feature of terraform (azuread_application) also attached screen shot for the azure portal.
**Mobile & desktop Platform screen shot **
Terraform code:
# AAD AKS kubectl app
resource "azuread_application" "aks-aad-client" {
display_name = local.app_name
sign_in_audience = "AzureADMultipleOrgs"
web {
redirect_uris = ["https://login.microsoftonline.com/common/oauth2/nativeclient"]
implicit_grant {
access_token_issuance_enabled = true
}
}
required_resource_access {
resource_app_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
resource_access {
id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
type = "Scope"
}
}
app_role {
allowed_member_types = ["User"]
description = "Admins can manage roles and perform all task actions"
display_name = "user"
enabled = true
value = "Task"
}
}
There are multiple options is available.But How can I configured the (Desktop + devices) platform?
If it's possible please provide az command for (desktop + devices) creation or terraform code.
Regards,
Nataraj.R
You can create a Web App using the below sample script from Github.
GitHub: https://github.com/kumarvna/terraform-azurerm-app-service
And in default App setting block you can add another setting as
MobileAppsManagement_EXTENSION_VERSION = "Latest"
As per the Microsoft documentation for creating a mobile app.
Update:
I could add the platform using terraform by adding a reply_uris parameter in the azuread_ application resource block and it got added.
provider "azuread" {
}
# Create an application
resource "azuread_application" "example" {
name ="Your azuread app display name"
reply_urls = ["https://login.microsoftonline.com/common/oauth2/nativeclient","https://login.live.com/oauth20_desktop.srf"]
}
after its added in portal its showing as web but it has the same configuration as mobile and desktop application uri's.
If I used "type=native" parameter then it working fine as expected. It type parameter going to expired soon.
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
Note: By defaults to webapp/api
# AAD client app
resource "azuread_application" "aks-aad-client" {
display_name = local.app_name
prevent_duplicate_names = true
sign_in_audience = "AzureADMultipleOrgs"
type = "native"
web {
redirect_uris = ["https://login.microsoftonline.com/common/oauth2/nativeclient"]
implicit_grant {
access_token_issuance_enabled = true
}
}
required_resource_access {
resource_app_id = "xxxxxxxxxxxxxxxxxxxx"
resource_access {
id = "xxxxxxxxxxxxxxx"
type = "Scope"
}
}
app_role {
allowed_member_types = ["User"]
description = "Admins can manage roles and perform all task actions"
display_name = "user"
enabled = true
value = "Task"
}
}
Related
I'm trying to create app registration via Terraform using az login and not service principal.
I have 2 roles : Application Developer + Groups Administrator
From Azure Portal it works fine but using Terraform it gives an error :
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
This is my Terraform code :
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.90"
}
azuread = {
source = "hashicorp/azuread"
version = "= 2.28.1"
}
}
backend "azurerm" {
resource_group_name = ""
storage_account_name = ""
container_name = ""
access_key = ""
}
}
provider "azuread" {
tenant_id = "....."
}
resource "random_uuid" "app_user_impersonation_scope" {}
resource "azuread_application" "app_reg" {
provider = azuread
display_name = "my_app_registration"
identifier_uris = ["api:app-001"]
owners = [data.azuread_client_config.current.object_id]
sign_in_audience = "AzureADMyOrg"
feature_tags {
custom_single_sign_on = true
enterprise = true
}
api {
mapped_claims_enabled = true
requested_access_token_version = 2
oauth2_permission_scope {
admin_consent_description = "Allow the application to access app on behalf of the signed-in user."
admin_consent_display_name = "Access app-001"
id = random_uuid.app_user_impersonation_scope.result
enabled = true
type = "User"
user_consent_description = "Allow the application reg to access app on your behalf."
user_consent_display_name = "Access app-001"
value = "user_impersonation"
}
}
required_resource_access {
resource_app_id = "00000003-0000-0000-c000-000000000000" # MS Graph app id.
resource_access {
id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read id.
type = "Scope"
}
}
web {
homepage_url = "https://app-001.azurewebsites.net"
logout_url = "https://app-001.azurewebsites.net/logout"
redirect_uris = ["https://app-001.azurewebsites.net/account"]
implicit_grant {
access_token_issuance_enabled = true
id_token_issuance_enabled = true
}
}
}
Thanks for your help
Your user requires any of these roles:
Application Administrator; or
Cloud Application Administrator
More info: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#all-roles
I'm creating terraform configuration files to rapidly create and destory demo environments for our prospective customers. These environments are pretty simple, containing a few VMs in single vnet with a single subnet, some for management, some for apps, and one as an AVD session host.
I have seen this work perfectly well a handfull of times, but most of the time it fails during the VM domain-join. When I troubleshoot the issue it's always because the account being used for the doman-join is locked out. I have confirmed this by connecting to the VM via the bastion and manually attempting the domain-join.
Here's my config to create the admin account used for domain join:
resource "azuread_group" "dc_admins" {
display_name = "AAD DC Administrators"
security_enabled = true
}
resource "azuread_user" "admin" {
user_principal_name = join("#", [var.admin_username, var.onmicrosoft_domain])
display_name = var.admin_username
password = var.admin_password
depends_on = [
azuread_group.dc_admins
]
}
resource "azuread_group_member" "admin" {
group_object_id = azuread_group.dc_admins.object_id
member_object_id = azuread_user.admin.object_id
depends_on = [
azuread_group.dc_admins,
azuread_user.admin
]
}
Here's my domain-join config:
resource "azurerm_virtual_machine_extension" "domain_join_mgmt_devices" {
name = "join-domain"
virtual_machine_id = azurerm_windows_virtual_machine.mgmtvm[count.index].id
publisher = "Microsoft.Compute"
type = "JsonADDomainExtension"
type_handler_version = "1.0"
depends_on = [
azurerm_windows_virtual_machine.mgmtvm,
azurerm_virtual_machine_extension.install_rsat_tools
]
count = "${var.vm_count}"
settings = <<SETTINGS
{
"Name": "${var.onmicrosoft_domain}",
"OUPath": "OU=AADDC Computers,DC=hidden,DC=onmicrosoft,DC=com",
"User": "${var.onmicrosoft_domain}\\${var.admin_username}",
"Restart": "true",
"Options": "3"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"Password": "${var.admin_password}"
}
PROTECTED_SETTINGS
}
Here's the console output for the plan:
Terraform will perform the following actions:
# azurerm_virtual_machine_extension.domain_join_mgmt_devices[0] will be created
+ resource "azurerm_virtual_machine_extension" "domain_join_mgmt_devices" {
+ id = (known after apply)
+ name = "join-domain"
+ protected_settings = (sensitive value)
+ publisher = "Microsoft.Compute"
+ settings = jsonencode(
{
+ Name = "hidden.onmicrosoft.com"
+ OUPath = "OU=AADDC Computers,DC=hidden,DC=onmicrosoft,DC=com"
+ Options = "3"
+ Restart = "true"
+ User = "hidden.onmicrosoft.com\\admin_username"
}
)
+ type = "JsonADDomainExtension"
+ type_handler_version = "1.0"
+ virtual_machine_id = "/subscriptions/hiddensubid/resourceGroups/demo-rg/providers/Microsoft.Compute/virtualMachines/mgmt-vm1"
}
Plan: 1 to add, 0 to change, 0 to destroy.
I cannot for the life of my figure out what is locking the account. It's a fresh account, in a fresh subscription, created by the Terraform configuration prior to being used for the domain-join action.
Has anyone else seen anything like this?
Am I missing some knowledge about AAD, AD DS, cloud-only managed
domains?
I create the AAD DC Administrative user before creating the AAD DS managed domain. Could this be an issue?
Should I wait X minutes before creating an admin account and using it for administrative actions?
Is it possible, using Terraform and AzureRM, to prevent an AAD account from being locked out?
Using Terraform, I created an Azure Static Web App as below. But the documentation does not demonstrate how to set application settings for the resource. For normal Azure functions apps we can see app_settings parameter. But how to set app settings for azure static web app created using Terraform?
resource "azurerm_static_site" "example" {
name = "example"
resource_group_name = "example"
location = "West Europe"
}
I like to set parameters AAD_CLIENT_ID and AAD_CLIENT_SECRET to configure identity provider for the azure static web app as in microsoft documention.
Application settings on Azure static web apps is an open feature request as of now (24/Nov/2021). I will update this answer as the feature is added to Terraform.
I believe in looking at the Terraform documentation (Link: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/static_site) which you have looked at, the static web app is very basic, and doesn't take app settings arguments.
Also according to the Azure Blog: https://devblogs.microsoft.com/devops/comparing-azure-static-web-apps-vs-azure-webapps-vs-azure-blob-storage-static-sites/ If you have a web app that you want to do more than just host a static site then you need to use a full featured web app. Perhaps Hashi Corp has taken that to mean this is essentially a basic web app to host a front end page? Not sure...
Following this theory, to do app Settings in Terraform you need to make an Azure Web App by the looks of things:
Here is an example of one I have if you need any guidance on how to code a Web App with App Settings. You probably know but for ref here you go.
resource "azurerm_app_service_plan" "websiteappserviceplan" {
name = "appserviceplan_mysite"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku {
tier = "Basic"
size = "B1"
}
}
resource "azurerm_app_service" "web_app" {
name = var.webapp_name
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
app_service_plan_id = azurerm_app_service_plan.websiteappserviceplan.id
app_settings = {
"KEY_VAULT_URL" = azurerm_key_vault.myvault.vault_uri
"SUPPORTS_SAFEGUARDING" = "1"
"SUPPORTS_TECHNICIAN" = "1"
}
client_affinity_enabled = true
site_config {
always_on = true
min_tls_version = "1.2"
dotnet_framework_version = "v5.0"
app_command_line = "dotnet EventManagement.Web.dll"
ftps_state = "Disabled"
use_32_bit_worker_process = true
http2_enabled = true
websockets_enabled = true
}
logs {
detailed_error_messages_enabled = true
failed_request_tracing_enabled = true
application_logs {
azure_blob_storage {
level = "Information"
sas_url = format("https://${azurerm_storage_account.website_log_storage.name}.blob.core.windows.net/${azurerm_storage_container.website_logs_container.name}%s", data.azurerm_storage_account_blob_container_sas.website_logs_container_sas.sas)
retention_in_days = 365
}
}
http_logs {
azure_blob_storage {
sas_url = format("https://${azurerm_storage_account.website_log_storage.name}.blob.core.windows.net/${azurerm_storage_container.website_logs_container.name}%s", data.azurerm_storage_account_blob_container_sas.website_logs_container_sas.sas)
retention_in_days = 365
}
}
}
connection_string {
name = "StorageAccount"
type = "Custom"
value = azurerm_storage_account.website_log_storage.primary_connection_string
}
identity {
type = "SystemAssigned"
}
}
Following this article you can link Azure API Management to Users/Groups in Azure Active Directory.
At the moment I am creating the APIM instance with Terraform
resource "azurerm_api_management" "test" {
name = "example-apim"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
publisher_name = "My Company"
publisher_email = "company#terraform.io"
sku {
name = "Developer"
capacity = 1
}
}
How do I add the Active Directory Identity Provider to this?
Terraform added support for this in December 2019
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_identity_provider_aad
You can now link it with:
resource "azurerm_api_management_identity_provider_aad" "example" {
resource_group_name = azurerm_resource_group.example.name
api_management_name = azurerm_api_management.example.name
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "00000000000000000000000000000000"
allowed_tenants = ["00000000-0000-0000-0000-000000000000"]
}
This doesn't seem to be possible with terraform, however, it can be added by calling the REST API from the Azure CLI.
az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01" -b "{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}"
The body -b is json that has been formatted to a single line.
You need to look up the clientId from active directory and know what the clientSecret is.
You can embedd this command in terraform if you wish:
resource "null_resource" "add-ad-identity-provider" {
provisioner "local-exec" {
command = "az rest -m put -u \"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01\" -b \"{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}\""
}
depends_on = ["azurerm_api_management.test"]
}
the original answer from March 4th mostly works. However, a piece is missing. You also need to set up an app registration via https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad
That supplies the answers you need (Other than the allowed tenants, which is the tenant-id's to allow).
And that is also missing a piece, which is to, when configurating the app registration, to also go to API Permissions, add a new permission for Azure Active Directory Graph (in supported legacy APIs), create an Application permission, and add Directory.Read.All. Then grant admin consent.
If you combine resources from both azurerm and azuread providers, you can now automate the process of deploying APIM with an app registration and AAD authentication on the developer portal. It covers these two guides from Microsoft:
Quickstart: Create a new Azure API Management service instance by using the Azure portal
Authorize developer accounts by using Azure Active Directory in Azure API Management
Terraform code example:
terraform {
required_version = ">=1.0.9"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.81.0"
}
azuread = {
source = "hashicorp/azuread"
version = "=2.7.0"
}
}
backend "azurerm" {}
}
provider "azurerm" {
features {}
}
provider "azuread" {}
resource "azurerm_api_management" "api_management" {
name = var.api_management_name
location = var.location
resource_group_name = var.resource_group_name
publisher_name = var.publisher_name
publisher_email = var.publisher_email
sku_name = var.api_management_sku
identity {
type = "SystemAssigned"
}
}
resource "azuread_application" "application" {
display_name = var.application_name
web {
redirect_uris = ["${azurerm_api_management.api_management.developer_portal_url}/"]
}
}
resource "azuread_application_password" "password" {
application_object_id = azuread_application.application.object_id
}
resource "azurerm_api_management_identity_provider_aad" "identity_provider_aad" {
resource_group_name = var.resource_group_name
api_management_name = azurerm_api_management.api_management.name
client_id = azuread_application.application.application_id
client_secret = azuread_application_password.password.value
allowed_tenants = var.id_provider_allowed_tenants
}
Need to turn on 'App Service Authentication' for Active Directory from my terraform script.
When I add the auth_settings section to my azurerm_app_service resource using the client_id of the app_service I am creating I get the error
'self reference not allowed'
Makes sense but then were to I turn on authentication for the item I am creating?
name = "${var.prefix}-${var.environment_code}-${var.environment_segment_code}-web"
location = "${azurerm_resource_group.my_resource_group.location}"
resource_group_name = "${azurerm_resource_group.my_resource_group.name}"
app_service_plan_id = "${azurerm_app_service_plan.my_app_service_plan.id}"
app_settings = {
APPINSIGHTS_INSTRUMENTATIONKEY = "${azurerm_application_insights.my_insights.instrumentation_key}"
}
tags = {
my-Environment = "${var.environment}"
my-Location = "${var.country}"
my-Stack = "${var.stack}"
}
lifecycle {
ignore_changes = [
"app_settings"
]
}
auth_settings {
enabled = true
active_directory {
client_id = "${azurerm_app_service.web.client_id}"
}
default_provider = "AzureActiveDirectory"
}
}```
I'd like to have ad authentication enabled for my website when I terraform.
From azurerm_app_service
A active_directory block supports the following:
client_id - (Required) The Client ID of this relying party
application. Enables OpenIDConnection authentication with Azure Active
Directory.
There is no direct client_id attribute in the azurerm_app_service block, you need to register the App Service app in Azure Active Directory then add the Application (client) ID on the Azure portal in the active_directory block. See the details about configure your App Service app to use Azure Active Directory sign-in.
The Azure Active Directory resources have been split out into a new AzureAD Provider - as such the AzureAD resources within the AzureRM Provider are deprecated and will be removed in the next major version (2.0). You could do it with azuread_application block.
For example, this works for me with
Terraform v0.12.5
+ provider.azuread v0.5.1
+ provider.azurerm v1.32.0
# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {
version = "~> 0.3"
}
# Create an application
resource "azuread_application" "example" {
name = "${var.prefix}-app-service"
homepage = "https://${var.prefix}-app-service"
identifier_uris = ["https://${var.prefix}-app-service"]
reply_urls = ["https://${var.prefix}-app-service.azurewebsites.net/.auth/login/aad/callback"]
available_to_other_tenants = false
oauth2_allow_implicit_flow = true
}
and
auth_settings {
enabled = true
active_directory {
client_id = "${azuread_application.example.application_id}"
}
default_provider = "AzureActiveDirectory"
issuer = "https://sts.windows.net/xxxxxxx-xxxx-xxx-xxxx-xxxtenantID/"
}
Result