hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.48k stars 4.56k forks

Manage AAD diagnostics settings for Azure Monitor through Service Principal #18624

Open Masahigo opened 1 year ago

Masahigo commented 1 year ago

Terraform Version

1.1.9

AzureRM Provider Version

3.4.0

Affected Resource(s)/Data Source(s)

azurerm_monitor_aad_diagnostic_setting

Terraform Configuration Files

# IaC to execute

resource "azurerm_resource_group" "rg_monitoring" {
  location = "West Europe"
  name     = "Example"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "acctest-01"
  location            = azurerm_resource_group.rg_monitoring.location
  resource_group_name = azurerm_resource_group.rg_monitoring.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_monitor_aad_diagnostic_setting" "aad" {
  name                       = "aad-sign-in-audit-logs"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "SignInLogs"
    enabled  = true
    retention_policy {
      enabled = true
      days    = 180
    }
  }

  log {
    category = "ServicePrincipalSignInLogs"
    enabled  = true
    retention_policy {
      enabled = true
      days    = 180
    }
  }

  log {
    category = "AuditLogs"
    enabled  = true
    retention_policy {
      enabled = true
      days    = 180
    }
  }

  log {
    category = "ADFSSignInLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "B2CRequestLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "ManagedIdentitySignInLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "NetworkAccessTrafficLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "NonInteractiveUserSignInLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "ProvisioningLogs"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "RiskyServicePrincipals"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "RiskyUsers"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "ServicePrincipalRiskEvents"
    enabled  = false
    retention_policy {}
  }

  log {
    category = "UserRiskEvents"
    enabled  = false
    retention_policy {}
  }

}

# IaC for Service Principal used to execute the above

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" }
  }
}

locals {
  my_sub_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
  # Role assignment / definition scopes must be full ARM resource IDs, not a bare subscription GUID
  sub_scope = "/subscriptions/${local.my_sub_id}"
}

resource "azurerm_role_definition" "custom_rbac_role_aad_logs_contributor" {
  name        = "AAD-Logs-Contributor"
  scope       = local.sub_scope
  description = "Azure AD logs contributor"

  permissions {
    actions = [
      "microsoft.aadiam/azureADMetrics/read",
      "microsoft.aadiam/azureADMetrics/write",
      "microsoft.aadiam/azureADMetrics/delete",
      "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/read",
      "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/write",
      "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/metricDefinitions/read",
      "microsoft.aadiam/diagnosticSettings/write",
      "microsoft.aadiam/diagnosticSettings/read",
      "microsoft.aadiam/diagnosticSettings/delete",
      "microsoft.aadiam/diagnosticSettingsCategories/read",
      "microsoft.aadiam/metricDefinitions/read",
      "microsoft.aadiam/metrics/read",
      "microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/read",
      "microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/write",
      "microsoft.aadiam/tenants/providers/Microsoft.Insights/logDefinitions/read"
    ]
  }

  # The role can only be assigned at (or below) this subscription. Note that the
  # 403 below names a scope under /providers/microsoft.aadiam, which is outside it.
  assignable_scopes = [
    local.sub_scope
  ]
}

resource "azuread_application" "app" {
  display_name = "app"
}

resource "azuread_service_principal" "sp" {
  application_id = azuread_application.app.application_id
}

# Re-issue the client secret every 7 days
resource "time_rotating" "seven_days" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "sp_pwd" {
  service_principal_id = azuread_service_principal.sp.object_id
  rotate_when_changed = {
    rotation = time_rotating.seven_days.id
  }
}

resource "azurerm_role_assignment" "contributor" {
  scope                = local.sub_scope
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.sp.object_id
}

resource "azurerm_role_assignment" "custom_role" {
  scope              = local.sub_scope
  # Reference the definition by ID so the assignment waits for the role to exist
  role_definition_id = azurerm_role_definition.custom_rbac_role_aad_logs_contributor.role_definition_resource_id
  principal_id       = azuread_service_principal.sp.object_id
}

Debug Output/Panic Output

Error: retrieving Monitor AAD Diagnostic Setting: (Name "aad-sign-in-audit-logs"):
aad.DiagnosticSettingsClient#Get: Failure responding to request: StatusCode=403 -- 
Original Error: autorest/azure: Service returned an error. 
Status=403 Code="AuthorizationFailed" 
Message="The client '192d937f-f0c9-44ae-be77-19c117c6728d' with object id '192d937f-f0c9-44ae-be77-19c117c6728d' does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/read' over scope '/providers/microsoft.aadiam/diagnosticSettings/aad-sign-in-audit-logs' or the scope is invalid. If access was recently granted, please refresh your credentials."

Expected Behaviour

The IaC had already been executed previously using a User account, so there should not have been any changes to the resources.

Actual Behaviour

HTTP 403 when authenticated with a Service Principal and trying to update the IaC.

Steps to Reproduce

  1. az logout
  2. Source the SP's credentials from environment variables
  3. Run terraform plan

References

The following is stated in the Terraform documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_aad_diagnostic_setting

Authentication
The API for this resource does not support service principal authentication. This resource can only be used with Azure CLI authentication.

I therefore also tried logging in separately via the Azure CLI with the Service Principal's credentials, and there was no difference in behaviour. Could this message be more detailed and explain what the issue is and why? Is it a limitation on the API side?

More references

Is it still not possible to manage Azure AD diagnostics settings for Azure Monitor through Service Principal from Terraform?
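
The 403 quoted above names both an action ('microsoft.aadiam/diagnosticSettings/read') and a scope ('/providers/microsoft.aadiam/diagnosticSettings/aad-sign-in-audit-logs'). One check worth running before attributing such an error to the API is whether the role assignment could ever cover that pair under ARM RBAC rules: the role must list the action (with '*' wildcards allowed and NotActions subtracted), and the assignment's scope must be the target scope itself or an ancestor of it in the resource-ID hierarchy. The Python below is an added example, not code from the issue or from the provider; it applies those two rules to the custom role posted above and to a constructed copy of the error message with placeholder GUIDs. The subscription and tenant-level scopes in it are placeholders, and the script does not answer whether Azure will accept an assignment at a given tenant-level scope or whether the API accepts a service principal at all (the provider documentation quoted above says it does not).

```python
import re

# Actions of the custom role posted in the issue (its NotActions list is empty).
AAD_LOGS_CONTRIBUTOR_ACTIONS = [
    "microsoft.aadiam/azureADMetrics/read",
    "microsoft.aadiam/azureADMetrics/write",
    "microsoft.aadiam/azureADMetrics/delete",
    "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/read",
    "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/write",
    "microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/metricDefinitions/read",
    "microsoft.aadiam/diagnosticSettings/write",
    "microsoft.aadiam/diagnosticSettings/read",
    "microsoft.aadiam/diagnosticSettings/delete",
    "microsoft.aadiam/diagnosticSettingsCategories/read",
    "microsoft.aadiam/metricDefinitions/read",
    "microsoft.aadiam/metrics/read",
    "microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/read",
    "microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/write",
    "microsoft.aadiam/tenants/providers/Microsoft.Insights/logDefinitions/read",
]

# Constructed sample: the AuthorizationFailed message shape from the issue,
# with placeholder GUIDs instead of a real client/object id.
SAMPLE_403_MESSAGE = (
    "The client '00000000-0000-0000-0000-000000000001' with object id "
    "'00000000-0000-0000-0000-000000000001' does not have authorization to "
    "perform action 'microsoft.aadiam/diagnosticSettings/read' over scope "
    "'/providers/microsoft.aadiam/diagnosticSettings/aad-sign-in-audit-logs' "
    "or the scope is invalid. If access was recently granted, please refresh "
    "your credentials."
)

_ACTION_SCOPE_RE = re.compile(r"perform action '([^']+)' over scope '([^']+)'")


def parse_authorization_failed(message):
    """Return (action, scope) named in an ARM AuthorizationFailed message."""
    match = _ACTION_SCOPE_RE.search(message)
    if match is None:
        raise ValueError("message does not name an action and a scope")
    return match.group(1), match.group(2)


def action_matches(pattern, action):
    """ARM action pattern match: '*' spans any characters, including '/',
    and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(actions, not_actions, action):
    """A role grants an action when some Actions entry matches it and no
    NotActions entry matches it."""
    allowed = any(action_matches(p, action) for p in actions)
    denied = any(action_matches(p, action) for p in not_actions)
    return allowed and not denied


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and to every scope beneath it.
    IDs are compared case-insensitively on whole path segments, so
    '/subscriptions/abc' does not cover '/subscriptions/abcd/...'."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    if a == "":  # the tenant root scope "/"
        return True
    return t == a or t.startswith(a + "/")


def assignment_covers(actions, not_actions, assignment_scopes, message):
    """Explain whether a role assignment covers the action/scope pair named
    in an AuthorizationFailed message, and which of its scopes (if any) do."""
    action, scope = parse_authorization_failed(message)
    action_in_role = role_permits(actions, not_actions, action)
    covering = [s for s in assignment_scopes if scope_covers(s, scope)]
    return {
        "action": action,
        "scope": scope,
        "action_in_role": action_in_role,
        "covering_scopes": covering,
        "covered": action_in_role and bool(covering),
    }


if __name__ == "__main__":
    # Placeholder subscription id; the issue's role is assignable only there.
    sub_scope = "/subscriptions/00000000-0000-0000-0000-000000000002"
    report = assignment_covers(AAD_LOGS_CONTRIBUTOR_ACTIONS, [], [sub_scope], SAMPLE_403_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Hypothetical ancestor scope, shown only to illustrate the prefix rule.
    print(scope_covers("/providers/microsoft.aadiam", report["scope"]))
```

For the role and scope from the issue the report comes back with action_in_role true and covering_scopes empty: the action is in the role, but a subscription-scoped assignment cannot reach a resource whose ID starts with /providers/microsoft.aadiam, so the assignment cannot be what authorizes this call regardless of which principal type the API accepts.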

Joerg-L commented 8 months ago

Hi there, we are now also facing this issue. When running Terraform locally as a user, we don't have any issues.

But when the code runs on a VMSS in Azure through an Azure DevOps pipeline, the pipeline fails because of the privilege issue.

Using the Azure CLI as a workaround with az login --identity in the pipeline is also not possible, as this leads to

│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
│
│ Alternatively you can authenticate using the Azure CLI by using a User Account.

Does anyone have a good workaround besides "remove that code and do it with PowerShell or similar as a one-timer"?

Thanks Joerg

pnwhitmore commented 6 months ago

Hello - This link may be helpful in your situation: https://github.com/Azure/azure-rest-api-specs/issues/11085#issuecomment-1363008480.

DanielUlisses commented 2 months ago

The link added by pnwhitmore would work, but now the retention_policy block is not supported anymore, so the resource is broken as long as this block is mandatory.