Create Azure AD Application using terraform (Invalid UUID) - azure-devops

I am using Terraform to create an Azure AD application. I have tried the default example from the Terraform samples https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application and I have also customized the code below from the one I created manually (basically, I created an application manually in AD and got the details for it from the data resource using Terraform). Both versions of the code throw the same error:
│ Error: Value must be a valid UUID
│
│   with azuread_application.example,
│   on adapp.tf line 3, in resource "azuread_application" "example":
│    3: resource "azuread_application" "example" {
This is the code I have customized from the original example:
data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "..."
      type = "Scope"
    }
  }

  web {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = false
    }
  }
}
I have validated "data.azuread_client_config.current.object_id"; it's not null and it produces the value.
Terraform Config:
Terraform v0.15.4 on windows_amd64
provider registry.terraform.io/hashicorp/azuread v1.6.0

As you are using the resource app id of "Microsoft Graph" (00000003-0000-0000-c000-000000000000), you have to provide the delegated permissions you need your app to have in Microsoft Graph, like User.Read etc.
Some CLI commands that will help you get the Microsoft Graph resource app id and the delegated permission ids:
- az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}' --output table
- az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "oauth2Permissions[].{Value:value, Id:id}" --output table
So as you are already using the default Microsoft Graph app id, we need to get the delegated permission ids to provide in the resource access id.
Then your Terraform code will be as below:
data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # resource id of Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }
  }

  web {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = false
    }
  }
}
Doing a terraform plan:
Note: The default Microsoft Graph App ID is "00000003-0000-0000-c000-000000000000" and the default Windows Active Directory App ID (Azure AD Graph) is "00000002-0000-0000-c000-000000000000". Based on your requirement you can use Microsoft Graph or Azure AD Graph.
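As an added example (not part of the answer above or of the azuread provider), a small pre-plan check that scans a Terraform source string for the required_resource_access ids discussed here and reports any value the provider would reject as "not a valid UUID" (such as the "..." placeholder in the question), plus any resource_app_id that is not one of the two well-known Graph app ids; the regex-based scan and the constructed samples are assumptions of this example, not provider behaviour.

```python
import re
import uuid

# Well-known resource app ids, as quoted in the answer above.
KNOWN_RESOURCE_APPS = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000002-0000-0000-c000-000000000000": "Azure AD Graph (legacy)",
}

# Matches `resource_app_id = "..."` and `id = "..."` assignments at line start
# ([ \t]* rather than \s* so a match never starts on a preceding blank line).
ASSIGN_RE = re.compile(r'^[ \t]*(resource_app_id|id)[ \t]*=[ \t]*"([^"]*)"', re.MULTILINE)


def is_uuid(value: str) -> bool:
    """True if value parses as a UUID (hyphenated, any case)."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def check_resource_access(hcl: str) -> list:
    """Return one finding per assignment the azuread provider would reject
    (non-UUID id) or that a reviewer should look at (unknown resource app)."""
    findings = []
    for m in ASSIGN_RE.finditer(hcl):
        key, value = m.group(1), m.group(2)
        line = hcl.count("\n", 0, m.start()) + 1
        if not is_uuid(value):
            findings.append(f'line {line}: {key} = "{value}" is not a valid UUID')
        elif key == "resource_app_id" and value.lower() not in KNOWN_RESOURCE_APPS:
            findings.append(f'line {line}: resource_app_id "{value}" is not a well-known resource app')
    return findings


# Constructed sample: the question's block with the "..." placeholder left in.
SAMPLE_BROKEN = '''required_resource_access {
  resource_app_id = "00000003-0000-0000-c000-000000000000"
  resource_access {
    id   = "..."
    type = "Scope"
  }
}
'''

# Constructed sample: the answer's fix, delegated User.Read on Microsoft Graph.
SAMPLE_FIXED = SAMPLE_BROKEN.replace('"..."', '"e1fe6dd8-ba31-4d61-89e7-88639da4683d"')
```

Run check_resource_access over the contents of each .tf file before terraform plan; an empty list means every id is at least well-formed, which is what the provider's UUID validation checks.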


terraform - github_branch_protection: use username instead of node_id

I'm using the GitHub Terraform provider with the resource github_branch_protection (documentation: https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection).
I'm using the argument required_pull_request_reviews.pull_request_bypassers (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection#pull_request_bypassers).
The documentation says:
pull_request_bypassers: (Optional) The list of actor Names/IDs that are allowed to bypass pull request requirements. Actor names must either begin with a "/" for users or the organization name followed by a "/" for teams.
So according to it I should be able to use a username. It's confirmed by the example as well:
required_pull_request_reviews {
  dismiss_stale_reviews = true
  restrict_dismissals   = true
  dismissal_restrictions = [
    data.github_user.example.node_id,
    github_team.example.node_id,
    "/exampleuser",
    "exampleorganization/exampleteam",
  ]
}
(ok, this example is using dismissal_restrictions, but the documentation says the same about the use of actor Names/IDs)
The problem is that when I use /username I get the following error:
│ Error: Could not resolve to a node with the global id of '/username'
My terraform plan contains:
required_pull_request_reviews {
  ~ pull_request_bypassers = [
    + "/username",
  ]
}
Do you know what I am doing wrong and how to use a username instead of node_id?
Thanks

How to select owner while creating Github repository using terraform

I can create a GitHub repository in an organisation as well as under my personal namespace.
I'm trying to create a repository under an org with Terraform: https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository
But it creates the repository under my personal namespace. The token I am using is authorized to create repositories under the org. How do I specify the owner/org for the repo?
Putting the name as org/repoName does not seem to work.
resource "github_repository" "new-repo" {
  name    = "org/sos-repo"
  private = true
}
I believe the organisation is considered the owner input on the provider configuration.
This setting used to be called "organization".
You can specify it in the provider configuration block or you can use the environment variable GITHUB_OWNER, e.g.:
provider "github" {
  owner = "my-org"

  app_auth {
    id              = var.app_id              # or `GITHUB_APP_ID`
    installation_id = var.app_installation_id # or `GITHUB_APP_INSTALLATION_ID`
    pem_file        = var.app_pem_file        # or `GITHUB_APP_PEM_FILE`
  }
}

resource "github_membership" "membership_for_user_x" {
  # ...
}

resource "github_repository" "example" {
  name        = "example"
  description = "My awesome codebase"
  visibility  = "public"
}

Terraform Error creating Topic: googleapi: Error 403: User not authorized to perform this action

Googleapi: Error 403: User not authorized to perform this action
provider "google" {
  project = "xxxxxx"
  region  = "us-central1"
}

resource "google_pubsub_topic" "gke_cluster_upgrade_notifications" {
  name = "cluster-notifications"

  labels = {
    foo = "bar"
  }

  message_storage_policy {
    allowed_persistence_regions = [
      "region",
    ]
  }
}

# create the storage bucket for our scripts
resource "google_storage_bucket" "source_code" {
  name          = "xxxxxx-bucket-lh05111992"
  location      = "us-central1"
  force_destroy = true
}

# zip up function source code
data "archive_file" "function_script_zip" {
  type        = "zip"
  source_dir  = "./function/"
  output_path = "./function/main.py.zip"
}

# add function source code to storage
resource "google_storage_bucket_object" "function_script_zip" {
  name   = "main.py.zip"
  bucket = google_storage_bucket.source_code.name
  source = "./function/main.py.zip"
}

resource "google_cloudfunctions_function" "gke_cluster_upgrade_notifications" {
  ---
  -------
}
The service account has the owner role attached.
Also tried using:
1. export GOOGLE_APPLICATION_CREDENTIALS={{path}}
2. credentials = "${file("credentials.json")}" by placing the json file in the Terraform root folder.
It seems that the account used is missing some permissions (e.g. pubsub.topics.create) to create the Cloud Pub/Sub topic. The owner role should be sufficient to create the topic, as it contains the necessary permissions (you can check this here). Therefore, a wrong service account might be set in Terraform.
To address these IAM issues I would suggest:
- Use the Policy Troubleshooter.
- Impersonate the service account and do the API call using the CLI with the --verbosity=debug flag, which will provide helpful information about the missing permissions.

Create Azure AKS with Managed Identity using Terraform gives AutoUpgradePreview not enabled error

I am trying to create an AKS cluster with managed identity using Terraform. This is my code so far, pretty basic and standard, from a few documentation pages and blog posts I found online.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.79.1"
    }
  }
}

provider "azurerm" {
  features {}
  use_msi = true
}

resource "azurerm_resource_group" "rg" {
  name     = "prod_test"
  location = "northeurope"
}

resource "azurerm_kubernetes_cluster" "cluster" {
  name                = "prod_test_cluster"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "weak"

  default_node_pool {
    name       = "default"
    node_count = "4"
    vm_size    = "standard_ds3_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}
And this is the error message that I can't find a solution for. Any thoughts on it?
Error: creating Managed Kubernetes Cluster "prod_test_cluster" (Resource Group "prod_test"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="Feature Microsoft.ContainerService/AutoUpgradePreview is not enabled. Please see https://aka.ms/aks/previews for how to enable features."
│
│ with azurerm_kubernetes_cluster.cluster,
│ on main.tf line 19, in resource "azurerm_kubernetes_cluster" "cluster":
│ 19: resource "azurerm_kubernetes_cluster" "cluster" {
│
I tested it on my environment and faced the same issue as you can see below:
So, to give a description of the issue: AutoChannelUpgrade went to public preview in August 2021, and as per the Terraform azurerm provider 2.79.0 it by default passes that value as none to the backend, but as we have not registered for the feature it fails, giving the error Feature Microsoft.ContainerService/AutoUpgradePreview is not enabled.
To confirm you don't have the feature registered you can use the below command:
az feature show -n AutoUpgradePreview --namespace Microsoft.ContainerService
You will see it not registered as below:
Now to overcome this you can try two solutions as given below:
1. You can try using Terraform azurerm provider 2.78.0 instead of 2.79.1.
2. The other solution will be to register for the feature, and then you can use the same code that you are using. You can follow the below steps:
You can use the below commands to register the feature (it will take around 5 mins to get registered):
az login --identity
az feature register --namespace Microsoft.ContainerService -n AutoUpgradePreview
After the above is done you can check the registration status with the below command:
az feature registration show --provider-namespace Microsoft.ContainerService -n AutoUpgradePreview
After the feature status becomes registered you can do a terraform apply of your code.
I tested it using the below code on my VM:
provider "azurerm" {
  features {}
  subscription_id = "948d4068-xxxxx-xxxxxx-xxxx-e00a844e059b"
  tenant_id       = "72f988bf-xxxxx-xxxxxx-xxxxx-2d7cd011db47"
  use_msi         = true
}

resource "azurerm_resource_group" "rg" {
  name     = "terraformtestansuman"
  location = "west us 2"
}

resource "azurerm_kubernetes_cluster" "cluster" {
  name                = "prod_test_cluster"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "weak"

  default_node_pool {
    name       = "default"
    node_count = "4"
    vm_size    = "standard_ds3_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}
Outputs:
Reference:
- Github Issue
- Install Azure CLI if not installed on the VM using Microsoft Installer
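As an added example (not part of the answer above or of the azurerm provider), a small Python gate that polls the registration status command from the answer and only returns once the feature reports Registered, so a terraform apply can be held back until then; the JSON output shape (properties.state) of the az command and the fake_az stand-in used for offline runs are assumptions of this example.

```python
import json
import subprocess
import time
from typing import Callable, Iterator

# The status command quoted in the answer above. JSON output carrying a
# properties.state field is an assumption about the az CLI output shape.
SHOW_CMD = [
    "az", "feature", "registration", "show",
    "--provider-namespace", "Microsoft.ContainerService",
    "-n", "AutoUpgradePreview", "--output", "json",
]
TERMINAL_OK = "Registered"
IN_PROGRESS = {"NotRegistered", "Pending", "Registering"}


def registration_state(show_json: str) -> str:
    """Pull properties.state out of the command's JSON output."""
    doc = json.loads(show_json)
    state = doc.get("properties", {}).get("state")
    if not isinstance(state, str):
        raise ValueError("no properties.state in az output")
    return state


def run_az(cmd=SHOW_CMD) -> str:
    """Run the az CLI and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def wait_until_registered(fetch: Callable[[], str], attempts: int = 20,
                          delay: float = 30.0, sleep=time.sleep) -> bool:
    """Poll `fetch` until the feature reports Registered. Returns False after
    `attempts` polls; raises on a state that is neither done nor in progress,
    so a failed or unknown state is never mistaken for 'keep waiting'."""
    for n in range(1, attempts + 1):
        state = registration_state(fetch())
        if state == TERMINAL_OK:
            return True
        if state not in IN_PROGRESS:
            raise RuntimeError(f"unexpected feature state {state!r}")
        if n < attempts:
            sleep(delay)
    return False


def fake_az(states: list) -> Callable[[], str]:
    """Constructed stand-in for run_az: returns one listed state per call."""
    it: Iterator[str] = iter(states)
    return lambda: json.dumps({"properties": {"state": next(it)}})
```

Pass run_az as fetch to poll the real CLI; the answer says registration takes around 5 minutes, so the default 20 polls at 30 s covers that with margin.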

Azure app registration creation error through terraform Azure Devops yml pipeline [duplicate]

This question already has answers here: json.Marshal(): json: error calling MarshalJSON for type msgraph.Application (2 answers). Closed 1 year ago.
I have very simple Terraform code.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.46.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {
  tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

terraform {
  backend "azurerm" {
    resource_group_name  = "xxxx"
    storage_account_name = "xxxxxxxxx"
    container_name       = "xxxxxxxxxxxxx"
    key                  = "xxxxxxxxxxxxxxxxx"
  }
}

data "azuread_client_config" "current" {}

resource "azurerm_resource_group" "test" {
  name     = "test-rg-005"
  location = "East US"
}

resource "azuread_application" "example" {
  display_name = "Example-app"
}
However, when I run this through a yml pipeline on Azure DevOps, I am getting this error during the apply stage.
Plan: 1 to add, 0 to change, 0 to destroy.
azuread_application.example: Creating...
│ Error: Could not create application
│
│ with azuread_application.example,
│ on terraform.tf line 42, in resource "azuread_application" "example":
│ 42: resource "azuread_application" "example" {
│
│ json.Marshal(): json: error calling MarshalJSON for type
│ msgraph.Application: json: error calling MarshalJSON for type
│ *msgraph.Owners: marshaling Owners: encountered DirectoryObject with nil
│ ODataId
##[error]Error: The process '/opt/hostedtoolcache/terraform/1.0.5/x64/terraform' failed with exit code 1
Any clue will be helpful; it's not really clear what this error is about.
Thanks.
There is a bug in the Azure Active Directory provider after an MSFT update. This is impacting any Azure AD provider usage that creates new resources; however, it seems to be working on already deployed resources, i.e. changing and upgrading the configuration of already deployed resources within Azure AD. Following is the link for the bug updates:
https://github.com/hashicorp/terraform-provider-azuread/issues/588