如何使用 Terraform 将 Active Directory 添加到 APIM？

Question

在this article 之后，您可以将 Azure API 管理链接到 Azure Active Directory 中的用户/组。

目前我正在使用 Terraform 创建 APIM 实例

resource "azurerm_api_management" "test" {
  name                = "example-apim"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"

  sku {
    name     = "Developer"
    capacity = 1
  }
}

如何向其中添加 Active Directory 身份提供程序？

Answer 1

Terraform 在December 2019 中添加了对此的支持

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_identity_provider_aad

您现在可以将其链接到：

resource "azurerm_api_management_identity_provider_aad" "example" {
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  client_id           = "00000000-0000-0000-0000-000000000000"
  client_secret       = "00000000000000000000000000000000"
  allowed_tenants     = ["00000000-0000-0000-0000-000000000000"]
}

Answer 2

这对于 terraform 似乎是不可能的，但是，它可以通过 Azure CLI 中的calling the REST API 添加。

az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01" -b "{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}"

正文 -b 是已格式化为单行的 json。

您需要从活动目录中查找clientId 并知道clientSecret 是什么。

如果您愿意，可以将此命令嵌入到 terraform 中：

resource "null_resource" "add-ad-identity-provider" {
  provisioner "local-exec" {
    command = "az rest -m put -u \"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01\" -b \"{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}\""
  }
  depends_on = ["azurerm_api_management.test"]
}

Answer 3

3 月 4 日的原始答案大多有效。然而，少了一块。您还需要通过https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad 设置应用注册 这提供了您需要的答案（除了允许的租户，这是允许的租户 ID）。

这也缺少了一点，即在配置应用程序注册时，还要转到 API 权限，为 Azure Active Directory Graph 添加新权限（在受支持的旧 API 中），创建应用程序权限，以及添加 Directory.Read.All。然后授予管理员同意。

Answer 4

如果您结合来自 azurerm 和 azuread 提供程序的资源，您现在可以通过开发人员门户上的应用注册和 AAD 身份验证来自动化部署 APIM 的过程。它涵盖了 Microsoft 的这两个指南：

• Quickstart: Create a new Azure API Management service instance by using the Azure portal
• Authorize developer accounts by using Azure Active Directory in Azure API Management

地形代码示例：

terraform {
  required_version = ">=1.0.9"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.81.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.7.0"
    }
  }

  backend "azurerm" {}
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

resource "azurerm_api_management" "api_management" {
  name                = var.api_management_name
  location            = var.location
  resource_group_name = var.resource_group_name
  publisher_name      = var.publisher_name
  publisher_email     = var.publisher_email
  sku_name            = var.api_management_sku

  identity {
    type = "SystemAssigned"
  }
}

resource "azuread_application" "application" {
  display_name = var.application_name
  web {
    redirect_uris = ["${azurerm_api_management.api_management.developer_portal_url}/"]
  }
}

resource "azuread_application_password" "password" {
  application_object_id = azuread_application.application.object_id
}

resource "azurerm_api_management_identity_provider_aad" "identity_provider_aad" {
  resource_group_name = var.resource_group_name
  api_management_name = azurerm_api_management.api_management.name
  client_id           = azuread_application.application.application_id
  client_secret       = azuread_application_password.password.value
  allowed_tenants     = var.id_provider_allowed_tenants
}