
Terraform error when assigning Log Analytics API permissions to an Azure App Registration


I'm creating the app registration, its client secret, the API permissions and the role assignments with Terraform. The Microsoft Graph API permissions are assigned and admin-consented without problems. Granting the Log Analytics API permission, however, fails with a Terraform error.

# Identity that Terraform is running as; its object_id is used as the owner
# of the Entra ID objects created in this configuration.
data "azuread_client_config" "current" {
}

# Well-known first-party application IDs (e.g. MicrosoftGraph) published by
# the azuread provider, so they do not have to be hard-coded as GUIDs.
data "azuread_application_published_app_ids" "well_known" {
}

# Handle on the tenant's existing Microsoft Graph service principal.
# use_existing stops Terraform from trying to create a second one; the
# resource's app_role_ids / oauth2_permission_scope_ids maps are used below to
# translate permission names into IDs.
resource "azuread_service_principal" "msgraph" {
  use_existing   = true
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  # NOTE(review): this registers the Terraform identity as an owner of the
  # tenant's Microsoft Graph service principal object — confirm that is
  # intended rather than a copy/paste of the owners line.
  owners         = [data.azuread_client_config.current.object_id]
}

# Second instance of the published app IDs lookup. The data source takes no
# arguments, so this returns the same map as "well_known" above; both are kept
# because other blocks reference them by this name.
data "azuread_application_published_app_ids" "log" {
}

# Handle on the tenant's existing Log Analytics API service principal.
# The label is "LogAnalyticsApi" (lower-case "pi"); Terraform resource
# references are case-sensitive, so every reference must spell it this way.
resource "azuread_service_principal" "LogAnalyticsApi" {
  use_existing   = true
  application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
  owners         = [data.azuread_client_config.current.object_id]
}


# Retrieve domain information
# Looks up the tenant's initial domain only. Nothing in the visible
# configuration references this data source; it can be dropped if it is not
# used elsewhere.
data "azuread_domains" "domain" {
  only_initial = true
}

# Create an application
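# Application registration. required_resource_access declares the API
# permissions the app requests; admin consent for them is granted separately
# by the azuread_app_role_assignment / delegated_permission_grant resources.
resource "azuread_application" "appreg" {
  display_name = "Demo_App_Registration_Portal"
  owners       = [data.azuread_client_config.current.object_id]

  # NOTE(review): AzureADMultipleOrgs makes this a multi-tenant app, i.e.
  # other Entra ID tenants can sign in to / consent to it. Given the
  # application ("Role") permissions requested below, use "AzureADMyOrg"
  # unless multi-tenant access is a real requirement.
  sign_in_audience = "AzureADMultipleOrgs"

  # ---- Microsoft Graph ----
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # type = "Role": application permissions, used without a signed-in user.
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
      type = "Role"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
      type = "Role"
    }
    # NOTE(review): Domain.ReadWrite.All grants write access to the tenant's
    # domain configuration and is requested here as both an application role
    # and (below) a delegated scope. Domain.Read.All is already requested;
    # confirm the write permission is actually needed (least privilege).
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
      type = "Role"
    }

    # type = "Scope": delegated permissions, exercised on behalf of a user.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Domain.ReadWrite.All"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
      type = "Role"
    }
  }

  # ---- Log Analytics API: Data.Read application permission ----
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI

    resource_access {
      # Fixed: the service principal is declared as "LogAnalyticsApi". The
      # earlier "LogAnalyticsAPI" reference pointed at an undeclared resource
      # (Terraform names are case-sensitive), which is what made plan fail.
      id   = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
      type = "Role"
    }
  }
}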

#Creating Client Password for the Application
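# Client secret for the application. As with any Terraform-generated
# credential, the secret ends up in Terraform state, so the state backend must
# be protected (encryption, access control) accordingly.
resource "azuread_application_password" "appregpassword" {
  display_name          = "Demo_App_Registration_Portal_Password"
  application_object_id = azuread_application.appreg.object_id
  # The explicit depends_on on azuread_application.appreg was removed: the
  # application_object_id reference above already establishes that dependency.
  # NOTE(review): no expiry is configured, so the secret's lifetime is whatever
  # the provider / Entra ID default is — consider setting an explicit end date
  # and planning rotation.
}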

# Exposes the resource ID of the client secret — NOT the secret itself.
# The secret is the resource's "value" attribute; if that is ever output it
# must be marked sensitive = true.
output "azuread_application_password" {
  description = "Resource ID of the Demo_App_Registration_Portal client secret (not the secret value)"
  value       = azuread_application_password.appregpassword.id
}


# Create a service principal
# Service principal (enterprise application) for the registration in this
# tenant. app_role_assignment_required = true requires principals to be
# explicitly assigned to the app before they can use it.
resource "azuread_service_principal" "appregsp" {
  app_role_assignment_required = true
  owners                       = [data.azuread_client_config.current.object_id]
  application_id               = azuread_application.appreg.application_id
}

# Admin-consents the Microsoft Graph User.Read.All application permission for
# the app's service principal.
resource "azuread_app_role_assignment" "example" {
  resource_object_id  = azuread_service_principal.msgraph.object_id
  principal_object_id = azuread_service_principal.appregsp.object_id
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
}

# Admin-consents the Microsoft Graph Directory.Read.All application permission
# for the app's service principal.
resource "azuread_app_role_assignment" "Directory" {
  resource_object_id  = azuread_service_principal.msgraph.object_id
  principal_object_id = azuread_service_principal.appregsp.object_id
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
}
# Admin-consents the Microsoft Graph Domain.Read.All application permission for
# the app's service principal.
resource "azuread_app_role_assignment" "Domain-Read" {
  resource_object_id  = azuread_service_principal.msgraph.object_id
  principal_object_id = azuread_service_principal.appregsp.object_id
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
}

# Admin-consents the Microsoft Graph Domain.ReadWrite.All application
# permission for the app's service principal.
# NOTE(review): this is a write permission over the tenant's domain
# configuration, granted without any user context. Domain.Read.All is already
# consented above — verify the write variant is required before applying.
resource "azuread_app_role_assignment" "Domain-Read-Write" {
  resource_object_id  = azuread_service_principal.msgraph.object_id
  principal_object_id = azuread_service_principal.appregsp.object_id
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
}

####
# Admin-consents the Microsoft Graph UserAuthenticationMethod.Read.All
# application permission for the app's service principal.
resource "azuread_app_role_assignment" "UserAuthenticationMethod-Read-All" {
  resource_object_id  = azuread_service_principal.msgraph.object_id
  principal_object_id = azuread_service_principal.appregsp.object_id
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
}
####

# Delegated-permission (OAuth2) grant for the listed Microsoft Graph scopes.
# NOTE(review): no user_id is set, so this presumably consents on behalf of
# all users in the tenant rather than a single user — confirm that is intended,
# particularly for the Domain.ReadWrite.All scope.
resource "azuread_service_principal_delegated_permission_grant" "example" {
  claim_values                         = ["User.Read", "Domain.ReadWrite.All"]
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  service_principal_object_id          = azuread_service_principal.appregsp.object_id
}

##Log Analytics API Role Assignment
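# Admin-consents the Log Analytics API Data.Read application permission for
# the app's service principal.
resource "azuread_app_role_assignment" "LogAnalytics-Read" {
  # Fixed: the service principal resource is declared as "LogAnalyticsApi".
  # Terraform resource names are case-sensitive, so the previous
  # "LogAnalyticsAPI" references could not be resolved.
  app_role_id         = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
  principal_object_id = azuread_service_principal.appregsp.object_id
  resource_object_id  = azuread_service_principal.LogAnalyticsApi.object_id
}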


#Role Assigning to the App

# Subscription the azurerm provider is authenticated against; its id is the
# scope of the role assignment below.
data "azurerm_subscription" "primary" {}

# azurerm client configuration. Nothing in the visible configuration
# references it; it can be removed if it is not used elsewhere.
data "azurerm_client_config" "appregclient" {}

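# Assigns the built-in Reader role to the app's service principal at
# subscription scope.
# NOTE(review): subscription-wide Reader lets this app read every resource in
# the subscription; narrow the scope to the resource group / workspace it
# actually needs where possible.
resource "azurerm_role_assignment" "example" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.appregsp.object_id
  # The explicit depends_on on azuread_application.appreg was removed: the
  # principal_id reference already depends on the service principal, which in
  # turn depends on the application.
  # NOTE(review): a freshly created service principal may not be visible to
  # Azure RM immediately; if this assignment fails on first apply with a
  # principal-not-found error, that replication delay is the likely cause.
}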

I'm creating the app registration, its client secret, the API permissions and the role assignments with Terraform. The Microsoft Graph API permissions are assigned and admin-consented without problems; granting the Log Analytics API permission, however, fails with a Terraform error. The image below shows how I want the Log Analytics API permission to look.

(Screenshot of the desired Log Analytics API permission in the portal — image not included in this copy.)

But I get the following error message:

(Screenshot of the Terraform error message — image not included in this copy.)


Solution

  • There was a mapping issue, which I identified and fixed. Regarding the Log Analytics permission grant:

    My Log Analytic Resource Block:

    # Published first-party application IDs (unchanged from the question).
    data "azuread_application_published_app_ids" "log" {}
    
    # Declared with the label "LogAnalyticsApi" (lower-case "pi"). Terraform
    # resource references are case-sensitive, which matters for the two
    # references that follow.
    resource "azuread_service_principal" "LogAnalyticsApi" {
      application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
      use_existing   = true
      owners         = [data.azuread_client_config.current.object_id]
    
    }
    
    # (Nested block from azuread_application.appreg, shown on its own.)
    # The reference below spells the service principal "LogAnalyticsAPI",
    # while it is declared above as "LogAnalyticsApi" — that mismatch is the
    # undeclared-resource error Terraform reports.
    required_resource_access {
        resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
    
        resource_access {
          id   = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
          type = "Role"
        }
       }
    
    # Same case mismatch: "LogAnalyticsAPI" here vs the declared
    # "LogAnalyticsApi" above, so both references fail to resolve.
    resource "azuread_app_role_assignment" "LogAnalytics-Read" {
      app_role_id         = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
      principal_object_id = azuread_service_principal.appregsp.object_id
      resource_object_id  = azuread_service_principal.LogAnalyticsAPI.object_id
    
    }
    

    I modified the code as below and can now grant the Log Analytics API permission. You can verify this by using the resource blocks below in your own configuration. Note what actually changed: the original declared `azuread_service_principal.LogAnalyticsApi` but referenced `azuread_service_principal.LogAnalyticsAPI` — Terraform resource names are case-sensitive — and the revised blocks use `LogAnalyticsApi` consistently. Hard-coding the application ID is not required for that fix; the `data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI` lookup can be kept.

    # Still declared, though the revised blocks below no longer reference it.
    data "azuread_application_published_app_ids" "log" {}
    
    # Revised: the label "LogAnalyticsApi" is now referenced consistently below.
    resource "azuread_service_principal" "LogAnalyticsApi" {
     # This GUID is used as the Log Analytics API *application* (client) ID —
     # it is not the Data.Read role ID, which is looked up via app_role_ids.
     # NOTE(review): presumably the same value the published_app_ids lookup
     # (result.LogAnalyticsAPI) returns; prefer the lookup over a literal GUID.
     application_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"
     use_existing   = true
     owners         = [data.azuread_client_config.current.object_id]
    
    }
    
    # (Nested block from azuread_application.appreg, shown on its own.)
    # Now references "LogAnalyticsApi", matching the declaration above.
    required_resource_access {
       resource_app_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"
    
       resource_access {
         id   = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
         type = "Role"
       }
     }
    
    
    resource "azuread_app_role_assignment" "LogAnalytics-Read" {
     app_role_id         = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
     principal_object_id = azuread_service_principal.appregsp.object_id
     resource_object_id  = azuread_service_principal.LogAnalyticsApi.object_id
    
    }