Error when using Terraform for_each for an App registration



I am trying to do an app registration that has several app roles which I want to assign. My code is as follows

resource "random_uuid" "prod" {}
resource "azuread_application" "app_prod" {
  display_name    = format("app-%s-%s", var.project.name, var.project.environment.name)
  owners          = [data.azuread_client_config.default.object_id]
  identifier_uris = [format("https://contoso.onmicrosoft.com/%s-%s", var.project.name, var.project.environment.name)]
  api {
    oauth2_permission_scope {
      for_each                   = toset(local.oauth2_permissions)
      admin_consent_description  = each.value.admin_consent_description
      admin_consent_display_name = each.value.admin_consent_display_name
      enabled                    = true
      id                         = random_uuid.prod.result
      type                       = each.value.type
      value                      = each.key
    }
  }
  app_role {
    for_each             = toset(local.app_roles)
    allowed_member_types = each.value.allowed_member_types
    description          = each.value.description
    display_name         = each.value.display_name
    enabled              = true
    id                   = random_uuid.prod.result
    value                = each.key
  }
  web {
    logout_url    = format("https://app-%s-%s", var.project.name, var.project.environment.name)
    redirect_uris = []
    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
  }
}

locals {
  app_roles = {
    application-administrator = {
      display_name         = "Application administrator"
      description          = "Application administrators have the ability to administer the application."
      allowed_member_types = ["User", "Application"]
    }
    BusinessAdmin = {
      display_name         = "BusinessAdmin"
      description          = "Business Administrator"
      allowed_member_types = ["User"]
    }
    mulesoft-integration = {
      display_name         = "Mulesoft Integration"
      description          = "Allows MuleSoft Integration to talk to the APIs."
      allowed_member_types = ["Application"]
    }
  }
  oauth2_permissions = {
    read-and-write = {
      user_consent_description   = "read-and-write"
      admin_consent_display_name = "Read and write data"
      admin_consent_description  = "Allows the app to read and write data"
      user_consent_display_name  = "Allows the app to read and write data"
      type                       = "User"
    }
  }
}
data "azuread_application_published_app_ids" "well_known" {}
data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

The error I get when running terraform apply is:

Error: each.value cannot be used in this context
│ 
│   on resources.appreg.tf line 24, in resource "azuread_application" "app_prodstats":
│   24:     description          = each.value.description
│ 
│ A reference to "each.value" has been used in a context in which it
│ unavailable, such as when the configuration no longer contains the value in
│ its "for_each" expression. Remove this reference to each.value in your
│ configuration to work around this error.
╵
╷
│ Error: each.value cannot be used in this context
│ 
│   on resources.appreg.tf line 25, in resource "azuread_application" "app_prodstats":
│   25:     display_name         = each.value.display_name
│ 
│ A reference to "each.value" has been used in a context in which it
│ unavailable, such as when the configuration no longer contains the value in
│ its "for_each" expression. Remove this reference to each.value in your
│ configuration to work around this error.
╵
╷
│ Error: Reference to "each" in context without for_each
│ 
│   on resources.appreg.tf line 28, in resource "azuread_application" "app_prodstats":
│   28:     value                = each.key
│ 
│ The "each" object can be used only in "module" or "resource" blocks, and
│ only when the "for_each" argument is set.
╵

If you are using dynamic blocks, you need a content block:

dynamic "app_role" {
  # local.app_roles is a map, so pass it to for_each directly: toset() only
  # accepts a list or set and would drop the keys that app_role.key relies on.
  for_each = local.app_roles
  content {
    # Inside a dynamic block the iterator is named after the block (app_role),
    # not "each": app_role.key is the map key, app_role.value the object.
    allowed_member_types = app_role.value.allowed_member_types
    description          = app_role.value.description
    display_name         = app_role.value.display_name
    enabled              = true
    # Note: every app_role needs its own unique id; a single shared UUID will be rejected.
    id                   = random_uuid.prod.result
    value                = app_role.key
  }
}

You must make similar modifications to the other parts of your code where the error appears.
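For completeness, here is the resource from the question rewritten with both nested blocks as dynamic blocks. This is an added example, not the answerer's code or the original post: it iterates the page's local.app_roles and local.oauth2_permissions maps directly (no toset), and it also gives every role and scope its own stable UUID, because Azure AD requires each app_role and oauth2_permission_scope id to be unique. The resource names random_uuid.app_role and random_uuid.oauth2_scope are assumptions introduced here; the web and required_resource_access blocks are unchanged from the question and omitted.

```hcl
# One random_uuid per role and per scope, keyed by the map key. The ids are
# therefore stable across plans and unaffected by re-ordering the locals.
# (random_uuid.app_role / random_uuid.oauth2_scope are names assumed here.)
resource "random_uuid" "app_role" {
  for_each = local.app_roles
}

resource "random_uuid" "oauth2_scope" {
  for_each = local.oauth2_permissions
}

resource "azuread_application" "app_prod" {
  display_name    = format("app-%s-%s", var.project.name, var.project.environment.name)
  owners          = [data.azuread_client_config.default.object_id]
  identifier_uris = [format("https://contoso.onmicrosoft.com/%s-%s", var.project.name, var.project.environment.name)]

  api {
    # A map is a valid for_each value: .key is the map key, .value the object.
    # The iterator defaults to the block name (oauth2_permission_scope).
    dynamic "oauth2_permission_scope" {
      for_each = local.oauth2_permissions
      content {
        id                         = random_uuid.oauth2_scope[oauth2_permission_scope.key].result
        admin_consent_description  = oauth2_permission_scope.value.admin_consent_description
        admin_consent_display_name = oauth2_permission_scope.value.admin_consent_display_name
        user_consent_description   = oauth2_permission_scope.value.user_consent_description
        user_consent_display_name  = oauth2_permission_scope.value.user_consent_display_name
        enabled                    = true
        type                       = oauth2_permission_scope.value.type
        value                      = oauth2_permission_scope.key
      }
    }
  }

  # "iterator = role" renames the iterator so the body reads role.key / role.value
  # instead of app_role.key / app_role.value; either form works.
  dynamic "app_role" {
    for_each = local.app_roles
    iterator = role
    content {
      id                   = random_uuid.app_role[role.key].result
      allowed_member_types = role.value.allowed_member_types
      description          = role.value.description
      display_name         = role.value.display_name
      enabled              = true
      value                = role.key
    }
  }

  # web { ... } and required_resource_access { ... } as in the question.
}
```

Two practitioner caveats on the rest of the question's resource: `access_token_issuance_enabled = true` turns on implicit-flow access tokens, which is only needed for legacy SPAs (authorization code with PKCE is the recommended flow), and `User.Read.All` with `type = "Role"` is an application permission that grants tenant-wide directory read access and requires admin consent, so both deserve a deliberate decision rather than being copied forward.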
