如何自动配置 Azure B2C？

Question

我一直在关注几个 Microsoft 教程，以使用我的 Web 应用程序和 rest api 配置 Azure B2C。例如https://docs.microsoft.com/en-ca/azure/active-directory-b2c/tutorial-single-page-app-webapi?tabs=app-reg-ga

有很多来回，现在它正在工作。

所有的配置都是在门户中完成的，现在感觉很脆弱，因为我花了好几次尝试才把它弄好。

我的 Azure 部署的其余部分配置了 Terraform、Ansible 和 Azure CLI。

我看不到任何对 B2C 的支持。

还有其他选择吗？您可以将配置导出到文件作为备份吗？

万一坏了怎么办？如何回滚到以前的工作版本？

Answer 1

您可以使用图形 api，并且可以通过 CICD 管道对其进行控制。

https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations

https://docs.microsoft.com/en-us/azure/active-directory-b2c/deploy-custom-policies-devops

Answer 2

您可以使用以下 Powershell 脚本自动化该过程来创建service principal 和provider.tf：

#!/bin/bash

error()
{
  if [[ -n "$@" ]]
  then
    tput setaf 1
    echo "ERROR: $@" >&2
    tput sgr0
  fi

  exit 1
}

yellow() { tput setaf 3; cat - ; tput sgr0; return; }
cyan()   { tput setaf 6; cat - ; tput sgr0; return; }


# Grab the Azure subscription ID
subId=$(az account show --output tsv --query id)
[[ -z "$subId" ]] && error "Not logged into Azure as expected."

# Check for existing provider.tf
if [[ -f provider.tf ]]
then
  echo -n "The provider.tf file exists.  Do you want to overwrite? [Y/n]: "
  read ans
  [[ "${ans:-Y}" != [Yy] ]] && exit 0
fi

sname="terraform-${subId}-sp"
name="http://${sname}"

# Create the service principal
echo "az ad sp create-for-rbac --name \"$name\"" | yellow
spout=$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$subId" --name "$sname" --output json)

# If the service principal has been created then offer to reset credentials
if [[ "$?" -ne 0 ]]
then
  echo -n "Service Principal already exists. Do you want to reset credentials? [Y/n]: "
  read ans
  if [[ "${ans:-Y}" = [Yy] ]]
  then spout=$(az ad sp credential reset --name "$name" --output json)
  else exit 1
  fi
fi

[[ -z "$spout" ]] && error "Failed to create / reset the service principal $name"

# Echo the json output
echo "$spout" | yellow

# Derive the required variables
clientId=$(jq -r .appId <<< $spout)
clientSecret=$(jq -r .password <<< $spout)
tenantId=$(jq -r .tenant <<< $spout)

echo -e "\nWill now create a provider.tf file.  Choose output type."
PS3='Choose provider block type: '
options=("Populated azurerm block" "Empty azurerm block with environment variables" "Quit")
select opt in "${options[@]}"
do
  case $opt in
    "Populated azurerm block")
      cat > provider.tf <<-END-OF-STANZA
    provider "azurerm" {
      subscription_id = "$subId"
      client_id       = "$clientId"
      client_secret   = "$clientSecret"
      tenant_id       = "$tenantId"
    }
    END-OF-STANZA

      echo -e "\nPopulated provider.tf:"
      cat provider.tf | yellow
      echo
      break
      ;;
    "Empty azurerm block with environment variables")
      echo "provider \"azurerm\" {}" > provider.tf
      echo -e "\nEmpty provider.tf:"
      cat provider.tf | yellow
      echo >&2

      export ARM_SUBSCRIPTION_ID="$subId"
      export ARM_CLIENT_ID="$clientId"
      export ARM_CLIENT_SECRET="$clientSecret"
      export ARM_TENANT_ID="$tenantId"

      echo "Copy the following environment variable exports and paste into your .bashrc file:"
      cat <<-END-OF-ENVVARS | cyan
    export ARM_SUBSCRIPTION_ID="$subId"
    export ARM_CLIENT_ID="$clientId"
    export ARM_CLIENT_SECRET="$clientSecret"
    export ARM_TENANT_ID="$tenantId"
    END-OF-ENVVARS
      break
      ;;
    "Quit")
      exit 0
      ;;
    *) echo "invalid option $REPLY";;
  esac
done

echo "To log in as the Service Principal then run the following command:"
echo "az login --service-principal --username \"$clientId\" --password \"$clientSecret\" --tenant \"$tenantId\"" | cyan

exit 0

脚本将以交互方式：

1. 创建服务主体（如果已存在则重置凭据）
2. 提示选择填充或空的provider.tf azurerm 提供程序块 如果您选择了一个空块，则导出环境变量（并显示命令）
3. 显示az login 命令以服务主体身份登录

以下命令将下载并运行它：

uri=https://raw.githubusercontent.com/azurecitadel/azurecitadel.github.io/master/automation/terraform/createTerraformServicePrincipal.sh
curl -sL $uri > createTerraformServicePrincipal.sh && chmod 750 createTerraformServicePrincipal.sh
./createTerraformServicePrincipal.sh

请参阅 Richard Cheney 撰写的这篇精彩文章 - https://azurecitadel.com/automation/terraform/lab5/