我使用Terraform为我们的应用程序创建应用程序注册和角色。但我不知道如何对二头肌做同样的事情。这是今天使用的:
步骤1。在活动目录中注册应用程序,有效地创建"应用程序注册"。
resource "azuread_application" "ad_app" {
name = local.full_app_name
type = "webapp/api"
owners = var.app_owners
}
步骤2:为我们的应用创建一个角色
resource "azuread_application_app_role" "person_read" {
application_object_id = azuread_application.ad_app.id
allowed_member_types = ["Application"]
description = "Person Reader can search and read persons"
display_name = "Person Reader"
value = "Persons.Read"
}
问题是我无法弄清楚如何使用肱二头肌(或ARM模板)执行这些步骤。我尝试了'Microsoft.Authorization/roleDefinitions',但它似乎不对。我不知道如何做应用程序注册。
不幸的是,在ARM模板或Bicep中不直接支持这两种方法。但是你可以使用部署脚本来创建使用Bicep/ARM模板。
使用Bicep创建Azure AD应用程序注册:
param name string
param location string = resourceGroup().location
param currentTime string = utcNow()
resource script 'Microsoft.Resources/deploymentScripts@2019-10-01-preview' = {
name: name
location: location
kind: 'AzurePowerShell'
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${resourceId('app-reg-automation', 'Microsoft.ManagedIdentity/userAssignedIdentities', 'AppRegCreator')}': {}
}
}
properties: {
azPowerShellVersion: '5.0'
arguments: '-resourceName "${name}"'
scriptContent: '''
param([string] $resourceName)
$token = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$headers = @{'Content-Type' = 'application/json'; 'Authorization' = 'Bearer ' + $token}
$template = @{
displayName = $resourceName
requiredResourceAccess = @(
@{
resourceAppId = "00000003-0000-0000-c000-000000000000"
resourceAccess = @(
@{
id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
type = "Scope"
}
)
}
)
signInAudience = "AzureADMyOrg"
}
// Upsert App registration
$app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications?filter=displayName eq '$($resourceName)'").value
$principal = @{}
if ($app) {
$ignore = Invoke-RestMethod -Method Patch -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)" -Body ($template | ConvertTo-Json -Depth 10)
$principal = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/servicePrincipals?filter=appId eq '$($app.appId)'").value
} else {
$app = (Invoke-RestMethod -Method Post -Headers $headers -Uri "https://graph.microsoft.com/beta/applications" -Body ($template | ConvertTo-Json -Depth 10))
$principal = Invoke-RestMethod -Method POST -Headers $headers -Uri "https://graph.microsoft.com/beta/servicePrincipals" -Body (@{ "appId" = $app.appId } | ConvertTo-Json)
}
// Creating client secret
$app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)")
foreach ($password in $app.passwordCredentials) {
Write-Host "Deleting secret with id: $($password.keyId)"
$body = @{
"keyId" = $password.keyId
}
$ignore = Invoke-RestMethod -Method POST -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)/removePassword" -Body ($body | ConvertTo-Json)
}
$body = @{
"passwordCredential" = @{
"displayName"= "Client Secret"
}
}
$secret = (Invoke-RestMethod -Method POST -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)/addPassword" -Body ($body | ConvertTo-Json)).secretText
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['objectId'] = $app.id
$DeploymentScriptOutputs['clientId'] = $app.appId
$DeploymentScriptOutputs['clientSecret'] = $secret
$DeploymentScriptOutputs['principalId'] = $principal.id
// create app role
'''
cleanupPreference: 'OnSuccess'
retentionInterval: 'P1D'
forceUpdateTag: currentTime // ensures script will run every time
}
}
output objectId string = script.properties.outputs.objectId
output clientId string = script.properties.outputs.clientId
output clientSecret string = script.properties.outputs.clientSecret
output principalId string = script.properties.outputs.principalId
参考:
使用ARM模板创建应用程序注册/Bicep | by Jon Reginbald
为Azure AD应用程序创建应用程序角色:
我对此没有太多的想法,但我猜你可以使用下面的脚本,其中//create app role是在上面的代码中编写的:
$app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)")
$body1 = @{
Id = [Guid]::NewGuid().ToString()
IsEnabled = true
AllowedMemberTypes =@("application")
Description = "My Role Description.."
DisplayName = "My Custom Role"
Value = "MyCustomRole"
}
$createapprole= Invoke-RestMethod -Method POST -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)/appRoles" -Body ($body1 | ConvertTo-Json)
参考:
允许的资源类型
更新应用程序