I'm creating the app registration, its client secret, the API permissions and the role assignments via Terraform. I'm able to add the Microsoft Graph API permissions and grant admin consent for them. For the Log Analytics API permission grant, however, the Terraform code fails with an error.
# Identity running this apply; used below as the owner of every object created.
data "azuread_client_config" "current" {}
# Well-known application (client) IDs of Microsoft first-party APIs (e.g. Microsoft Graph).
data "azuread_application_published_app_ids" "well_known" {}
# Service principal of Microsoft Graph in this tenant. use_existing = true adopts the
# tenant's existing first-party SP instead of trying to create one. Its app_role_ids and
# oauth2_permission_scope_ids maps are what resolve permission names to GUIDs below.
resource "azuread_service_principal" "msgraph" {
application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
use_existing = true
# NOTE(review): this tries to add the deployer as an owner of the Microsoft Graph
# first-party SP; ownership is not needed for the permission lookups — confirm it is wanted.
owners = [data.azuread_client_config.current.object_id]
}
# Second instance of the published-app-IDs data source; it returns the same list as
# "well_known" above, so one instance would suffice.
data "azuread_application_published_app_ids" "log" {}
# Service principal of the Log Analytics API in this tenant. The label is "LogAnalyticsApi"
# (mixed case). Terraform resource addresses are case-sensitive, so every reference must
# use exactly this spelling; "azuread_service_principal.LogAnalyticsAPI" is an undeclared
# resource and fails at plan time.
# NOTE(review): the `result` key must exactly match the provider's published-app list —
# verify that "LogAnalyticsAPI" exists in the provider version in use; the literal
# application ID of the Log Analytics API works as a fallback.
resource "azuread_service_principal" "LogAnalyticsApi" {
application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
use_existing = true
owners = [data.azuread_client_config.current.object_id]
}
# Retrieve domain information (the tenant's initial *.onmicrosoft.com domain).
# NOTE(review): nothing in this configuration references data.azuread_domains.domain;
# it can be removed without effect.
data "azuread_domains" "domain" {
only_initial = true
}
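# Create an application
# The app registration. sign_in_audience = "AzureADMultipleOrgs" makes it multi-tenant:
# users/admins of any Entra tenant can consent to it. Combined with the application
# ("Role") permissions requested below — in particular Domain.ReadWrite.All — that is a
# wide blast radius. NOTE(review): confirm multi-tenant is really required; otherwise
# "AzureADMyOrg" is the least-privilege choice.
resource "azuread_application" "appreg" {
display_name = "Demo_App_Registration_Portal"
owners = [data.azuread_client_config.current.object_id]
sign_in_audience = "AzureADMultipleOrgs"
# Microsoft Graph permissions requested by the app. type = "Role" is an application
# permission (app-only, no signed-in user); type = "Scope" is a delegated permission.
# The GUIDs are looked up by name from the Graph service principal's role/scope maps.
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
resource_access {
id = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
type = "Role"
}
resource_access {
id = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
type = "Role"
}
# Domain.Read.All is a subset of Domain.ReadWrite.All requested just below; keeping both
# is harmless but redundant.
resource_access {
id = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
type = "Role"
}
# Domain.ReadWrite.All lets the app add/remove/verify tenant domains — high privilege.
# NOTE(review): confirm the workload needs write access; Domain.Read.All may be enough.
resource_access {
id = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
type = "Role"
}
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
type = "Scope"
}
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Domain.ReadWrite.All"]
type = "Scope"
}
# Reads users' registered authentication methods (MFA/phone/FIDO details).
resource_access {
id = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
type = "Role"
}
}
# Log Analytics API: application permission Data.Read (query workspace data).
# The Log Analytics service principal is declared with the label "LogAnalyticsApi";
# Terraform addresses are case-sensitive, so the reference must use that exact spelling.
# Referencing "azuread_service_principal.LogAnalyticsAPI" is an undeclared resource and
# is the error the original code hit.
# NOTE(review): the `result` key must match the provider's published-app list exactly;
# if "LogAnalyticsAPI" is not a key in the provider version in use, substitute the
# literal application ID of the Log Analytics API.
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
resource_access {
id = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
type = "Role"
}
}
}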
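#Creating Client Password for the Application
# Client secret for the app registration. Terraform generates the secret and stores its
# plaintext in the state file (the resource's `value` attribute), so the state backend
# must be access-controlled and encrypted. No end_date is given, so the provider/Azure
# default lifetime applies. NOTE(review): set end_date or end_date_relative explicitly
# and plan rotation; prefer a certificate or workload identity federation over a shared
# secret where the workload allows it.
resource "azuread_application_password" "appregpassword" {
display_name = "Demo_App_Registration_Portal_Password"
# Referencing the application's object_id already creates the dependency on
# azuread_application.appreg; the explicit depends_on was redundant and is dropped.
application_object_id = azuread_application.appreg.object_id
}
# Exposes the key ID of the secret, not the secret itself. The secret is the resource's
# `value` attribute and should be treated as sensitive (sensitive = true) if ever output.
output "azuread_application_password" {
value = azuread_application_password.appregpassword.id
}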
# Create a service principal
# The enterprise application (service principal) for the registration above, in this
# tenant. app_role_assignment_required = true means users/groups must be explicitly
# assigned before they can sign in to the app — good default for a privileged app.
resource "azuread_service_principal" "appregsp" {
application_id = azuread_application.appreg.application_id
app_role_assignment_required = true
owners = [data.azuread_client_config.current.object_id]
}
# Application-permission grants ("admin consent") on Microsoft Graph for the app's SP.
# Each azuread_app_role_assignment below grants one Graph app role tenant-wide to the
# service principal; there is no per-user scoping for application permissions.
# Ordering is irrelevant: each resource depends on the SP and on the Graph SP through
# the attribute references alone.
resource "azuread_app_role_assignment" "example" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
resource "azuread_app_role_assignment" "Directory" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
# Domain.Read.All is implied by Domain.ReadWrite.All granted below; redundant but harmless.
resource "azuread_app_role_assignment" "Domain-Read" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["Domain.Read.All"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
# Domain.ReadWrite.All as an application permission lets the app add/remove/verify
# domains without any user present. NOTE(review): high privilege — confirm it is needed.
resource "azuread_app_role_assignment" "Domain-Read-Write" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["Domain.ReadWrite.All"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
# Read access to every user's registered authentication methods (MFA details).
resource "azuread_app_role_assignment" "UserAuthenticationMethod-Read-All" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["UserAuthenticationMethod.Read.All"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
# End of Graph application-permission grants.
# Admin consent for the delegated (Scope) Graph permissions. No user_id is set, so the
# grant is tenant-wide ("AllPrincipals"): every user of the app can exercise these scopes
# without being prompted. Delegated Domain.ReadWrite.All is still bounded by the
# signed-in user's own privileges, but NOTE(review): confirm tenant-wide consent is the
# intended consent model rather than per-user consent.
resource "azuread_service_principal_delegated_permission_grant" "example" {
service_principal_object_id = azuread_service_principal.appregsp.object_id
resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
claim_values = ["User.Read", "Domain.ReadWrite.All"]
}
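##Log Analytics API Role Assignment
# Grants (admin-consents) the Data.Read application permission on the Log Analytics API
# to the app's service principal. Both references use the label declared on the
# service principal resource, "LogAnalyticsApi" — Terraform addresses are case-sensitive,
# so the original "LogAnalyticsAPI" spelling resolved to an undeclared resource.
resource "azuread_app_role_assignment" "LogAnalytics-Read" {
app_role_id = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.LogAnalyticsApi.object_id
}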
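#Role Assigning to the App
# Subscription the current azurerm provider is authenticated against; used as the scope.
data "azurerm_subscription" "primary" {
}
# NOTE(review): not referenced anywhere in this configuration; safe to remove.
data "azurerm_client_config" "appregclient" {
}
# Azure RBAC: built-in Reader on the entire subscription for the app's service principal.
# NOTE(review): if the app only needs to query Log Analytics, scope this to the workspace
# with the "Log Analytics Reader" role instead of subscription-wide Reader (least privilege).
resource "azurerm_role_assignment" "example" {
scope = data.azurerm_subscription.primary.id
role_definition_name = "Reader"
# principal_id already creates the dependency on the SP (and, through it, on the
# application), so the former explicit depends_on on the application was redundant.
principal_id = azuread_service_principal.appregsp.object_id
# The service principal is created in this same apply; the role-assignment API looks the
# principal up in Entra ID and can fail with PrincipalNotFound because of replication lag.
# This flag skips that lookup, which the azurerm docs recommend for newly created SPs.
skip_service_principal_aad_check = true
}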
I'm creating the app registration, its client secret, the API permissions and the role assignments via Terraform. I'm able to add the Microsoft Graph API permissions and grant admin consent for them. For the Log Analytics API permission grant, however, the Terraform code fails with an error. I have attached an image showing how I want the Log Analytics API permission to look.
But I'm getting the error message below:
There was a mapping issue — the service principal is declared as `LogAnalyticsApi` but referenced as `LogAnalyticsAPI` (Terraform resource addresses are case-sensitive) — which I have identified and fixed. Regarding the Log Analytics permission grant:
My original Log Analytics resource blocks:
# Original (failing) version, kept for reference.
data "azuread_application_published_app_ids" "log" {}
# Declared with the label "LogAnalyticsApi" (mixed case) ...
resource "azuread_service_principal" "LogAnalyticsApi" {
application_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
use_existing = true
owners = [data.azuread_client_config.current.object_id]
}
# ... but referenced below as "LogAnalyticsAPI". Terraform resource addresses are
# case-sensitive, so both references point at an undeclared resource — that is the
# mapping error. (This required_resource_access block belongs inside the
# azuread_application resource; it is shown here as a fragment.)
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.log.result.LogAnalyticsAPI
resource_access {
id = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
type = "Role"
}
}
resource "azuread_app_role_assignment" "LogAnalytics-Read" {
app_role_id = azuread_service_principal.LogAnalyticsAPI.app_role_ids["Data.Read"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.LogAnalyticsAPI.object_id
}
I modified the code as below, and with it I'm able to grant the Log Analytics API permission. You can verify by using the following resource blocks in your configuration.
# Working version. NOTE(review): this data source is no longer referenced here and can
# be dropped.
data "azuread_application_published_app_ids" "log" {}
# Service principal of the Log Analytics API. The literal GUID is the application
# (client) ID of the Log Analytics API itself — NOT the Data.Read role ID; the role GUID
# is resolved from app_role_ids["Data.Read"] below. Hard-coding the app ID sidesteps the
# published-app-IDs lookup whose key name caused trouble.
resource "azuread_service_principal" "LogAnalyticsApi" {
application_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5" # Log Analytics API application ID
use_existing = true
owners = [data.azuread_client_config.current.object_id]
}
# Goes inside the azuread_application resource. resource_app_id must be the same app ID
# as above; referencing azuread_service_principal.LogAnalyticsApi.application_id instead
# of repeating the literal would keep the two in sync. All references now use the
# declared label "LogAnalyticsApi" consistently, which is what fixed the error.
required_resource_access {
resource_app_id = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"
resource_access {
id = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
type = "Role"
}
}
# Tenant-wide admin consent of Data.Read on the Log Analytics API for the app's SP.
resource "azuread_app_role_assignment" "LogAnalytics-Read" {
app_role_id = azuread_service_principal.LogAnalyticsApi.app_role_ids["Data.Read"]
principal_object_id = azuread_service_principal.appregsp.object_id
resource_object_id = azuread_service_principal.LogAnalyticsApi.object_id
}