pjfebbraro / terraform-provider-azureadb2cief

Mozilla Public License 2.0

Unable to apply B2C policies using provider version 2 #5

Open helvetia-regel opened 2 years ago

helvetia-regel commented 2 years ago

hi! 👋 I'm testing provider version 0.2.0 and need help to resolve the following API permission issue.

I get the following error when applying the sample base policy to an existing AAD B2C tenant:

Plan: 3 to add, 0 to change, 0 to destroy.
azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer: Creating...
azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer: Creating...
╷
│ Error: unexpected status 403 with response: {"error":{"code":"AADB2C","message":"The application does not have any of the required application permissions (TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"fbac9894-ac51-4c5a-ba0d-73e2082e26c9","date":"2022-09-06T14:15:23","request-id":"2e1b953f-d1f8-4c9f-ba90-be79c390fc6d","client-request-id":"2e1b953f-d1f8-4c9f-ba90-be79c390fc6d"}}}
│ 
│   with azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer,
│   on main.tf line 212, in resource "azureadb2cief_trust_framework_key_set" "B2C_1A_TokenSigningKeyContainer":
│  212: resource "azureadb2cief_trust_framework_key_set" "B2C_1A_TokenSigningKeyContainer" {

The problem is, I believe it does have the TrustFrameworkKeySet.ReadWrite.All permission.

How to reproduce

I follow the instructions at Register a Microsoft Graph application to register an app 'managementapp1' in a B2C tenant. I grant application permissions, and finally grant admin consent:

I export ARM_CLIENT_ID, ARM_CLIENT_SECRET, and ARM_TENANT_ID in the environment. Values are the client id, client secret, and tenant id of the managementapp1 application created in the first step.

Verify that az login is indeed successful using these credentials:

$ az login --allow-no-subscriptions --output none --service-principal --tenant "$ARM_TENANT_ID" --username "$ARM_CLIENT_ID" --password "$ARM_CLIENT_SECRET"
$ echo $?
0

Running terraform apply fails with the above error log.

Environment

$ terraform init -upgrade      

Initializing the backend...

Initializing provider plugins...
- Finding pjfebbraro/azureadb2cief versions matching "0.2.0"...
- Using previously-installed pjfebbraro/azureadb2cief v0.2.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
regel at home in ~ $ terraform -version
Terraform v1.0.10
on darwin_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.28.1
+ provider registry.terraform.io/hashicorp/azurerm v3.21.1
+ provider registry.terraform.io/hashicorp/helm v2.6.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.13.1
+ provider registry.terraform.io/hashicorp/random v3.4.2
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/pjfebbraro/azureadb2cief v0.2.0
helvetia-regel commented 2 years ago

I can get a token using the graph API, and run the following queries successfully with curl:

get an API token:

$ curl -X POST -vvv -d client_id=$ARM_CLIENT_ID -d client_secret=$ARM_CLIENT_SECRET -d grant_type=client_credentials -d scope=https%3A%2F%2Fgraph.microsoft.com%2F.default https://login.microsoftonline.com/$ARM_TENANT_ID/oauth2/v2.0/token

list key sets:

$ curl -H "Authorization: Bearer $TOKEN" https://graph.microsoft.com/beta/trustFramework/keySets
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#trustFramework/keySets","value":[]}         

create new key set:

$ curl -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json" -X POST https://graph.microsoft.com/beta/trustFramework/keySets -d '{"id": "foo"}'
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#trustFramework/keySets/$entity","id":"B2C_1A_foo","keys":[]}

However, in Terraform I still get the error. I collected more traces using TF_LOG and TF_PROVIDER_LOG, but they do not include the error message:

azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer: Creating...
azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer: Creating...
2022-09-06T16:52:03.312+0200 [TRACE] readResourceInstanceState: no state present for azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer
2022-09-06T16:52:03.312+0200 [INFO]  Starting apply for azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer
2022-09-06T16:52:03.312+0200 [INFO]  Starting apply for azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer
2022-09-06T16:52:03.313+0200 [DEBUG] azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer: applying the planned Create change
2022-09-06T16:52:03.313+0200 [TRACE] GRPCProvider: ApplyResourceChange
2022-09-06T16:52:03.313+0200 [DEBUG] azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer: applying the planned Create change
2022-09-06T16:52:03.313+0200 [TRACE] GRPCProvider: ApplyResourceChange
2022-09-06T16:52:04.270+0200 [DEBUG] provider.terraform-provider-azureadb2cief_v0.2.0: 2022/09/06 16:52:04 [DEBUG] POST https://graph.microsoft.com/beta/trustFramework/keySets
2022-09-06T16:52:04.270+0200 [DEBUG] provider.terraform-provider-azureadb2cief_v0.2.0: 2022/09/06 16:52:04 [DEBUG] POST https://graph.microsoft.com/beta/trustFramework/keySets
2022-09-06T16:52:04.780+0200 [TRACE] maybeTainted: azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer encountered an error during creation, so it is now marked as tainted
pjfebbraro commented 2 years ago

Hello, could you please share your provider configuration block? For example:

provider "azureadb2cief" {
  tenant_id = "06878585-dd97-4848-8f61-887e0e9f35dc"
  use_cli   = true
}

Thanks

helvetia-regel commented 2 years ago

Empty provider block, using version 0.2:

provider "azureadb2cief" {
}

ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET environment variables set according to managementapp1 service principal created in the B2C tenant and following the Azure documentation: Register a Microsoft Graph application.

API Permissions set for managementapp1:

[image: API permissions of managementapp1]

I want to avoid use_cli. managementapp1 was created in order to run terraform provisioning from a CI pipeline using ARM_CLIENT_SECRET credentials, similarly to other CI pipelines I already have with the azurerm provider.

pjfebbraro commented 2 years ago

This provider sets use_cli to true by default. If you do not explicitly set it to false, it will attempt to use the logged in context of the az cli even though you set ARM_CLIENT_ID, ARM_TENANT_ID, and ARM_CLIENT_SECRET. Try setting it to false either in the provider configuration block:

provider "azureadb2cief" {
  use_cli   = false
}

or by setting the environment variable (like this if using bash):

export ARM_USE_CLI=false
helvetia-regel commented 2 years ago

OK thanks, that's right, it works now with use_cli = false. I completely missed the fact that use_cli defaults to true. Actually, the flags are really similar in the azuread provider. It would help to include similar content in the B2C provider too.

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/azure_cli
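As an added example (not code from the issue or from the provider), a small POSIX shell check that decodes a Graph access token, such as the one the curl call earlier in the thread returns, and reports whether it is an app-only token carrying TrustFrameworkKeySet.ReadWrite.All in its roles claim or a delegated user token of the kind an interactive az login yields; this is the check that tells apart the service-principal identity from the az CLI context the provider picks up when use_cli is left at its default. The sample tokens are constructed inline with placeholder app ids and are unsigned.

```shell
# Added example, not code from the issue or the provider: inspect the claims
# of a Microsoft Graph access token to see which identity Terraform acts as.
# Application permissions granted to a service principal show up in the
# "roles" claim; a token from an interactive az login carries delegated "scp"
# claims instead. Claims are decoded, not verified: this is a diagnostic only.

# base64url-decode one JWT segment (restore the standard alphabet and padding)
jwt_segment_decode() {
  seg=$(printf '%s' "$1" | sed 's|-|+|g; s|_|/|g')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the decoded JSON payload (second segment) of a compact JWT
jwt_payload() {
  jwt_segment_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Exit 0 only if the "roles" claim lists the given application permission
token_has_role() {
  jwt_payload "$1" | grep -o '"roles":\[[^]]*\]' | grep -q "\"$2\""
}

# Classify a token as application (roles claim), delegated (scp claim) or unknown
token_kind() {
  payload=$(jwt_payload "$1")
  if printf '%s' "$payload" | grep -q '"roles":'; then echo application
  elif printf '%s' "$payload" | grep -q '"scp":'; then echo delegated
  else echo unknown; fi
}

# Build an unsigned sample token from a payload string for offline use (real tokens are signed)
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | sed 's|+|-|g; s|/|_|g')
  body=$(printf '%s' "$1" | base64 | tr -d '=\n' | sed 's|+|-|g; s|/|_|g')
  printf '%s.%s.' "$hdr" "$body"
}

# Constructed payloads (placeholder app ids): an app-only token for a service
# principal with the needed permission, and a delegated token from a user login
APP_TOKEN=$(make_sample_token '{"aud":"https://graph.microsoft.com","appid":"00000000-0000-0000-0000-000000000001","roles":["Policy.ReadWrite.TrustFramework","TrustFrameworkKeySet.ReadWrite.All"]}')
CLI_TOKEN=$(make_sample_token '{"aud":"https://graph.microsoft.com","appid":"00000000-0000-0000-0000-000000000002","scp":"User.Read"}')

token_kind "$APP_TOKEN"                                           # application
token_has_role "$APP_TOKEN" TrustFrameworkKeySet.ReadWrite.All && echo "app permission present"
token_kind "$CLI_TOKEN"                                           # delegated
```

On a real token from the curl call, `token_has_role "$TOKEN" TrustFrameworkKeySet.ReadWrite.All` confirms the granted application permission actually landed in the token the service principal receives.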