Service Principal from Terraform not recognized by Azure API

浪尽此生 提交于 2021-01-20 07:53:58

问题


What specific changes need to be made to the syntax below in order for the terraform azurerm provider to be able to authenticate the service principal that will be created using the following code?

The Problem

A Second Terraform module needs to authenticate to Azure through the azurerm provider with a client_id and client_secret that is created programatically during an earlier, separate process.

The provider block in the Second Terraform module looks like:

provider "azurerm" {
  subscription_id = var.subscriptionId
  client_id       = var.clientId
  client_secret   = var.clientSecret
  tenant_id       = var.tenantId
}  

The problem arises when the correct values whcih we validated from the earlier preceding process are not accepted as the var.clientId and the var.clientSecret in the provider code block above.

How the Service Principal is Created:

The client_id and client_secret to be used to authenticate to the Second Terraform module are currently created by a First Terraform module which includes the following:

resource "azuread_application" "appReg" {
  name = var.appName
}

resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.appReg.application_id
}

resource "azuread_service_principal_password" "example-sp_pwd" {
  service_principal_id = azuread_service_principal.example-sp.id
  value                = "long-random-string"
  end_date             = "2021-06-02T01:02:03Z"
}

data "azurerm_subscription" "thisSubscription" {
  subscription_id = var.subscriptionId
}

resource "azurerm_role_assignment" "example-sp_role_assignment" {
  scope                = data.azurerm_subscription.thisSubscription.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example-sp.id
}

resource "azuread_application_app_role" "example-role" {
  application_object_id = azuread_application.appReg.id
  allowed_member_types  = ["User", "Application"]
  description           = "Admins can manage roles and perform all task actions"
  display_name          = "Admin"
  is_enabled            = true
  value                 = "administer"
}

Terraform reports Apply complete after the above First module is run, and we are also able to confirm in the Azure Portal that the correct Active Directory has a new app registration with name var.appName and with ID equal to what we find in the First modules tfstate file.

The Error Message:

When Terraform tries to apply the Second module using the Service Principal ID and Secret created by the First module, the following error is thrown:

Error: 
Error building account: 
Error getting authenticated object ID: 
Error listing Service Principals: 
autorest.DetailedError{
  Original:adal.tokenRefreshError{
    message:"adal: Refresh request failed. 
    Status Code = '400'. 
    Response body: {
      \"error\":\"unauthorized_client\",
      \"error_description\":\"AADSTS700016: 
          Application with identifier 'correct-app-id' was not found in the directory 'the-right-ad-id'. 
          This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. 
          You may have sent your authentication request to the wrong tenant.\\r\\n
          Trace ID: some-trace-id\\r\\n
          Correlation ID: correlation-id-redacted\\r\\n
          Timestamp: 2020-12-31 19:02:19Z\",
          \"error_codes\":[700016],
          \"timestamp\":\"2020-12-31 19:02:19Z\",
          \"trace_id\":\"some-trace-id\",
          \"correlation_id\":\"correlation-id-redacted\",
          \"error_uri\":\"https://login.microsoftonline.com/error?code=700016\"
    }", 
    resp:(*http.Response)(0xc000ac2000)}, 
    PackageType:"azure.BearerAuthorizer", 
    Method:"WithAuthorization", 
    StatusCode:400, 
    Message:"Failed to refresh the Token for request to https://graph.windows.net/the-right-ad-id/servicePrincipals?%24filter=appId+eq+%27correct-app-id%27&api-version=1.6", 
    ServiceError:[]uint8(nil), 
    Response:(*http.Response)(0xc000ac2000)
}  

The error message does not seem helpful because we validated that the app is registered with the AAD instance.

How can we resolve this problem and programmatically create a client_id and client_secret that will be accepted and usable by the Second module?


回答1:


As I see there is no problem with your Terraform code. It should work fine. But you got the error that the application was not found in the tenant. So what you need to do is to check if the tenant Id is really right in the second module.



来源:https://stackoverflow.com/questions/65525116/service-principal-from-terraform-not-recognized-by-azure-api

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!