
I’m creating the app registration, its client secret, the API permissions, and the role assignment via Terraform. Requesting and granting the Microsoft Graph API permissions works, but the Log Analytics API permission grant fails with a Terraform error.

# Identity that is running Terraform; its object ID is used as `owners` below.
data "azuread_client_config" "current" {}

# Well-known application IDs of Microsoft first-party APIs (e.g. MicrosoftGraph),
# exposed as a map under `.result`.
data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  # Adopt the tenant's existing Microsoft Graph service principal so that its
  # app_role_ids / oauth2_permission_scope_ids maps can be looked up by name below.
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
  # NOTE(review): this makes the deploying identity an owner of the first-party
  # Graph service principal; only needed if Terraform is meant to manage that object.
  owners         = [data.azuread_client_config.current.object_id]

}

# Second instance of the same data source; it returns the same map as
# `well_known` above, so one of the two is redundant.
data "azuread_application_published_app_ids" "log" {}

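resource "azuread_service_principal" "LogAnalyticsApi" {
  # Service principal of the first-party "Log Analytics API" application
  # (application ID ca7f3f0b-7d91-482c-8e09-c5d840d0eac5, the value the accepted
  # answer hard-codes). The original looked up `result.LogAnalyticsAPI`, which is
  # not a key of the well-known app-ID map and fails at plan time; the map
  # publishes this application under the key `LogAnalytics` — verify the key
  # name against the azuread_application_published_app_ids docs for your
  # provider version.
  application_id = data.azuread_application_published_app_ids.log.result.LogAnalytics
  # Adopt the tenant's existing first-party service principal; do not create one.
  use_existing   = true
  # NOTE(review): makes the deploying identity an owner of a first-party service
  # principal; only needed if Terraform is meant to manage that object.
  owners         = [data.azuread_client_config.current.object_id]
}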


# Retrieve domain information (the initial *.onmicrosoft.com domain only).
# Not referenced by any resource in this listing.
data "azuread_domains" "domain" {
  only_initial = true
}

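# Application registration for the portal, with the API permissions it requests.
# Requesting a permission here is not the same as granting it: the grants are
# the azuread_app_role_assignment / azuread_service_principal_delegated_permission_grant
# resources further down, and the two lists must agree.
resource "azuread_application" "appreg" {
  display_name = "Demo_App_Registration_Portal"
  owners       = [data.azuread_client_config.current.object_id]
  # NOTE(review): "AzureADMultipleOrgs" makes this a multi-tenant app, so an
  # admin of any other tenant can consent to it, and the client secret issued
  # below then authenticates in that tenant too. Prefer "AzureADMyOrg" unless
  # multi-tenant sign-in is an actual requirement — confirm with the app owner.
  sign_in_audience = "AzureADMultipleOrgs"

  # Microsoft Graph. type = "Role" is an application permission (tenant-wide,
  # no signed-in user); type = "Scope" is a delegated permission (on behalf of
  # a signed-in user).
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
      type = "Role"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
      type = "Role"
    }
    # NOTE(review): Domain.ReadWrite.All lets the app change domain
    # configuration (including federation settings) for the whole tenant, which
    # a read-oriented portal rarely needs. Drop it if Domain.Read.All suffices.
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
      type = "Role"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    # Domain.ReadWrite.All is requested both as an app role above and as a
    # delegated scope here; keep only the form the app actually uses.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Domain.ReadWrite.All"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
      type = "Role"
    }
  }

  # Log Analytics API: Data.Read application permission (read workspace data).
  required_resource_access {
    # Fixed: the well-known map has no `LogAnalyticsAPI` element (that lookup
    # fails at plan time). The Log Analytics API application
    # (ca7f3f0b-7d91-482c-8e09-c5d840d0eac5) is published under the key
    # `LogAnalytics` — verify against the data-source docs for your provider version.
    resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalytics

    resource_access {
      # Fixed: the service principal resource is declared as `LogAnalyticsApi`;
      # Terraform resource names are case-sensitive, so `LogAnalyticsAPI` does
      # not resolve.
      id   = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
      type = "Role"
    }
  }
}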

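# Client secret for the application.
# The secret string (azuread_application_password.appregpassword.value) is
# written in plain text to the Terraform state, so the state backend must be
# access-controlled and encrypted, and `.value` must only ever be exposed via
# an output marked `sensitive = true` (the output below exposes the ID, not the value).
resource "azuread_application_password" "appregpassword" {
  display_name          = "Demo_App_Registration_Portal_Password"
  # This reference already creates the dependency on the application, so the
  # original explicit depends_on was redundant and has been dropped.
  application_object_id = azuread_application.appreg.object_id

  # Give the secret an explicit, bounded lifetime so it expires and has to be
  # rotated instead of living with the service default. Changing this value
  # forces a new secret (an existing deployment gets a fresh value on apply).
  end_date_relative = "8760h" # 1 year — align with your rotation policy
}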

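output "azuread_application_password" {
  # Despite the output's name, this is the credential's Terraform resource ID
  # (which identifies the key), not the secret string. The secret is `.value`
  # and is deliberately not exposed here; if it ever is, mark the output
  # `sensitive = true`.
  description = "Resource ID of the client secret credential (not the secret value)"
  value       = azuread_application_password.appregpassword.id
}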


# Service principal (enterprise application) for the registration above. This
# is the identity that receives the app-role grants and the RBAC role below.
resource "azuread_service_principal" "appregsp" {
  application_id               = azuread_application.appreg.application_id
  # Require explicit user/group assignment before sign-in to this app is allowed.
  app_role_assignment_required = true
  owners                       = [data.azuread_client_config.current.object_id]
}

# Admin-consent grant of the Graph User.Read.All application permission to the
# app's service principal; must match the entry requested in
# required_resource_access above.
resource "azuread_app_role_assignment" "example" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id

}

# Admin-consent grant of Graph Directory.Read.All (application permission,
# read of the whole directory) to the app's service principal.
resource "azuread_app_role_assignment" "Directory" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id

}
# Admin-consent grant of Graph Domain.Read.All (application permission).
resource "azuread_app_role_assignment" "Domain-Read" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id

}

# Admin-consent grant of Graph Domain.ReadWrite.All (application permission).
# NOTE(review): this is a tenant-wide write permission over domain
# configuration, including federation settings — a credential holding it can
# do far more than read data. Keep it only if the portal really writes domain
# settings; otherwise remove both this grant and the matching request above.
resource "azuread_app_role_assignment" "Domain-Read-Write" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id


}

####
# Admin-consent grant of Graph UserAuthenticationMethod.Read.All (application
# permission, read of every user's registered authentication methods).
resource "azuread_app_role_assignment" "UserAuthenticationMethod-Read-All" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id

}
####

# Delegated (Scope) consent for User.Read and Domain.ReadWrite.All on Graph.
# With no `user_id` set, this is an admin consent on behalf of all users in
# the tenant, so any user can act through this app with these scopes.
# NOTE(review): delegated Domain.ReadWrite.All is still a tenant-wide write
# permission; keep it only if the portal really writes domain settings.
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.appregsp.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read", "Domain.ReadWrite.All"]
}

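# Log Analytics API: admin-consent grant of the Data.Read application
# permission to the app's service principal.
resource "azuread_app_role_assignment" "LogAnalytics-Read" {
  # Fixed: the service principal resource is declared as `LogAnalyticsApi`;
  # `LogAnalyticsAPI` is an undeclared resource (names are case-sensitive) and
  # fails at plan time.
  app_role_id         = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.LogAnalyticsApi.object_id
}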


#Role Assigning to the App

# Subscription Terraform is running against; its ID is the RBAC scope below.
data "azurerm_subscription" "primary" {
}

# Not referenced anywhere in this listing; can be removed.
data "azurerm_client_config" "appregclient" {
}

# Azure RBAC: Reader on the whole subscription for the app's service principal.
# NOTE(review): this is broader than the Log Analytics use case needs — to
# query a workspace, "Log Analytics Reader" scoped to that workspace (or its
# resource group) is the least-privilege choice; confirm what the portal reads.
# The depends_on is redundant: principal_id already references the service
# principal, which itself depends on the application.
resource "azurerm_role_assignment" "example" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.appregsp.object_id
  # NOTE(review): a freshly created service principal can take a moment to
  # replicate; if the first apply fails with "PrincipalNotFound", the
  # provider's skip_service_principal_aad_check option is the usual remedy
  # (not verified here).
  depends_on = [
    azuread_application.appreg
  ]

}

I’m creating the app registration, its client secret, the API permissions, and the role assignment via Terraform. Requesting and granting the Microsoft Graph API permissions works, but the Log Analytics API permission grant fails. The image below shows how I want the Log Analytics API permission to look.


But I get the following error message:



Answers


  1. Chosen as BEST ANSWER

There was a mapping issue, which I have identified and fixed. Regarding the Log Analytics permission grant:

My original (failing) Log Analytics resource blocks:

    # Original (failing) version, kept for comparison with the fix below.
    data "azuread_application_published_app_ids" "log" {}
    
    resource "azuread_service_principal" "LogAnalyticsApi" {
      # `result.LogAnalyticsAPI` is not an element of the well-known app-ID map;
      # this lookup is what fails.
      application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
      use_existing   = true
      owners         = [data.azuread_client_config.current.object_id]
    
    }
    
    # Fragment of the azuread_application block (original, failing): both the
    # map key and the resource reference are wrong — see the fixed version below.
    required_resource_access {
        resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
    
        resource_access {
          # Refers to `LogAnalyticsAPI`, but the resource is declared as `LogAnalyticsApi`.
          id   = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
          type = "Role"
        }
       }
    
    resource "azuread_app_role_assignment" "LogAnalytics-Read" {
      # Same case mismatch: `LogAnalyticsAPI` vs the declared `LogAnalyticsApi`.
      app_role_id         = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
      principal_object_id = azuread_service_principal.appregsp.object_id
      resource_object_id  = azuread_service_principal.LogAnalyticsAPI.object_id
    
    }
    

I modified the code as below, and the Log Analytics API permission can now be granted. Two things changed: the service principal's `application_id` and the `resource_app_id` are set directly to the Log Analytics API's application ID (ca7f3f0b-7d91-482c-8e09-c5d840d0eac5) instead of the non-existent `result.LogAnalyticsAPI` map element, and the references now use the declared resource name `azuread_service_principal.LogAnalyticsApi` (the original used `LogAnalyticsAPI`; Terraform resource names are case-sensitive). You can use the resource blocks below in your code.

    # No longer referenced once the application ID is hard-coded below; can be removed.
    data "azuread_application_published_app_ids" "log" {}
    
    resource "azuread_service_principal" "LogAnalyticsApi" {
     # Application ID of the first-party "Log Analytics API" (the application
     # that publishes the Data.Read role), replacing the failing well-known-map lookup.
     application_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5" # Log Analytics API app ID
     use_existing   = true
     owners         = [data.azuread_client_config.current.object_id]
    
    }
    
    # Fragment of the azuread_application block (fixed): same hard-coded
    # application ID, and the reference now matches the declared resource name.
    required_resource_access {
       resource_app_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"
    
       resource_access {
         id   = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
         type = "Role"
       }
     }
    
    
    # Admin-consent grant of Data.Read to the app's service principal (fixed reference).
    resource "azuread_app_role_assignment" "LogAnalytics-Read" {
     app_role_id         = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
     principal_object_id = azuread_service_principal.appregsp.object_id
     resource_object_id  = azuread_service_principal.LogAnalyticsApi.object_id
    
    }
    

  2. I tried to reproduce the same in my environment:


As we can see, the azuread_service_principal block is named LogAnalyticsApi, whereas the other blocks refer to it as LogAnalyticsAPI. Terraform resource names are case-sensitive, so that reference does not resolve.

    # Declared name is "LogAnalyticsApi" (lower-case "pi"); every reference must match it.
    resource "azuread_service_principal" "LogAnalyticsApi" {
      application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
      use_existing   = true
      owners         = [data.azuread_client_config.current.object_id]
    
    }
    

When the references in the remaining blocks are changed to LogAnalyticsApi, for example:

    # References corrected to the declared resource name `LogAnalyticsApi`.
    resource "azuread_app_role_assignment" "LogAnalytics-Read" {
      app_role_id         = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
      principal_object_id = azuread_service_principal.appregsp.object_id
      resource_object_id  = azuread_service_principal.LogAnalyticsApi.object_id
    
    }
    

Then that error is resolved, but a second error occurs: the result map of `data.azuread_application_published_app_ids` has no element named `LogAnalyticsAPI`.

• Replace `application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI` with a key that actually exists in the data source's result map (see the list of available application IDs in the reference below). Note, however, that MicrosoftGraph is the wrong target for this particular permission: the `Data.Read` application role is published by the Log Analytics API (application ID ca7f3f0b-7d91-482c-8e09-c5d840d0eac5, as used in the accepted answer), not by Microsoft Graph, so the example below will not resolve a `Data.Read` role.

       # NOTE(review): this substitution does not work for the Log Analytics
       # permission. MicrosoftGraph is a different API and does not publish a
       # "Data.Read" app role (that role belongs to the Log Analytics API), so
       # app_role_ids["Data.Read"] will not resolve; and use_existing = false
       # asks Terraform to create a new service principal for a first-party app
       # that already exists in the tenant. The accepted answer's approach (the
       # Log Analytics API's own application ID) is the working one.
       resource "azuread_service_principal" "LogAnalyticsApi" {
      application_id = data.azuread_application_published_app_ids.log.result.MicrosoftGraph
      use_existing   = false
      owners         = [data.azuread_client_config.current.object_id]
      

      }

• Make the same correction in the required_resource_access block that requests Data.Read:

Example:

      # NOTE(review): see above — Microsoft Graph has no "Data.Read" app role,
      # so this block requests a permission that does not exist on the resource
      # it names; use the Log Analytics API's application ID instead.
      required_resource_access {
            resource_app_id = data.azuread_application_published_app_ids.log.result.MicrosoftGraph
      
            resource_access {
              id   = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
              type = "Role"
            }
           }
      


    Reference: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids
