How do I add Active Directory to APIM using Terraform?

Time: 2019-08-16 21:25:32

Tags: terraform azure-api-management

Following this article, you can link Azure API Management to users/groups in Azure Active Directory.

At the moment I am creating the APIM instance with Terraform:

resource "azurerm_api_management" "test" {
  name                = "example-apim"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"

  sku {
    name     = "Developer"
    capacity = 1
  }
}

How do I add an Active Directory identity provider to it?

3 answers:

Answer 0 (score: 1)

Terraform added support for this in December 2019:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_identity_provider_aad

You can now link it with:

resource "azurerm_api_management_identity_provider_aad" "example" {
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  client_id           = "00000000-0000-0000-0000-000000000000"
  client_secret       = "00000000000000000000000000000000"
  allowed_tenants     = ["00000000-0000-0000-0000-000000000000"]
}

Answer 1 (score: 0)

This does not seem to be possible in terraform, but it can be added from the Azure CLI by calling the REST API.

az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01" -b "{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}"

The body (-b) is JSON formatted onto a single line.

You need to look up the clientId from Active Directory and know what the clientSecret is.

If you want, you can embed this command in terraform:

resource "null_resource" "add-ad-identity-provider" {
  # Runs the same az rest PUT as above once the APIM instance exists.
  # Note: the client secret is embedded in the command string, so it is stored
  # in plain text in this .tf file (and in any version control holding it).
  provisioner "local-exec" {
    command = "az rest -m put -u \"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01\" -b \"{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}\""
  }

  # Terraform 0.12+ syntax: a resource reference, not a quoted string.
  depends_on = [azurerm_api_management.test]
}
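The native resource from answer 0 and the null_resource workaround above both place the client secret as a literal in the configuration. The following is an added example (not from any of the answers) that wires the same azurerm_api_management_identity_provider_aad resource to variables marked sensitive, so the secret is supplied at apply time (for example via TF_VAR_aad_client_secret) rather than committed; it assumes the azurerm provider 2.x or later and an existing app registration in the tenant.

```hcl
# Added example, not part of the original answers.
# Assumes azurerm provider >= 2.x and an app registration already created in the tenant.

variable "aad_client_id" {
  type        = string
  description = "Application (client) ID of the app registration used by APIM"
}

variable "aad_client_secret" {
  type        = string
  description = "Client secret of the app registration; pass via TF_VAR_aad_client_secret, do not commit"
  sensitive   = true # redacted from plan/apply output (Terraform 0.14+)
}

variable "aad_tenant_id" {
  type        = string
  description = "Tenant ID whose users are allowed to sign in to the developer portal"
}

resource "azurerm_resource_group" "example" {
  name     = "example-apim-rg"
  location = "West Europe"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"
  sku_name            = "Developer_1" # azurerm 2.x form of the sku block
}

# Links the APIM instance to Azure AD; no secret literal appears in the config.
resource "azurerm_api_management_identity_provider_aad" "example" {
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  client_id           = var.aad_client_id
  client_secret       = var.aad_client_secret
  allowed_tenants     = [var.aad_tenant_id]
}
```

The secret still ends up in the Terraform state file, so the state backend needs the same access controls as the secret itself.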

Answer 2 (score: 0)

The original answer from March 4 mostly works. However, one piece is missing. You also need to set up the app registration via https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad; that gives you the answers you need (except for allowed tenants, which is the tenant ID to allow).

And there is one more missing piece: when configuring the app registration, also go to API permissions, add a new permission for Azure Active Directory Graph (under the supported legacy APIs), create an application permission, and add Directory.Read.All. Then grant admin consent.