Open helvetia-regel opened 2 years ago
I can get a token using the graph API, and run the following queries successfully with curl:
get an API token:
$ curl -X POST -vvv -d client_id=$ARM_CLIENT_ID -d client_secret=$ARM_CLIENT_SECRET -d grant_type=client_credentials -d scope=https%3A%2F%2Fgraph.microsoft.com%2F.default https://login.microsoftonline.com/$ARM_TENANT_ID/oauth2/v2.0/token
list key sets:
$ curl -H "Authorization: Bearer $TOKEN" https://graph.microsoft.com/beta/trustFramework/keySets
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#trustFramework/keySets","value":[]}
create new key set:
$ curl -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json" -X POST https://graph.microsoft.com/beta/trustFramework/keySets -d '{"id": "foo"}'
{"@odata.context":"https://graph.microsoft.com/beta/$metadata#trustFramework/keySets/$entity","id":"B2C_1A_foo","keys":[]}
However, in terraform I still get the error. I collected more traces using TF_LOG and TF_PROVIDER_LOG, but they do not include the error message:
azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer: Creating...
azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer: Creating...
2022-09-06T16:52:03.312+0200 [TRACE] readResourceInstanceState: no state present for azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer
2022-09-06T16:52:03.312+0200 [INFO] Starting apply for azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer
2022-09-06T16:52:03.312+0200 [INFO] Starting apply for azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer
2022-09-06T16:52:03.313+0200 [DEBUG] azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer: applying the planned Create change
2022-09-06T16:52:03.313+0200 [TRACE] GRPCProvider: ApplyResourceChange
2022-09-06T16:52:03.313+0200 [DEBUG] azureadb2cief_trust_framework_key_set.B2C_1A_TokenSigningKeyContainer: applying the planned Create change
2022-09-06T16:52:03.313+0200 [TRACE] GRPCProvider: ApplyResourceChange
2022-09-06T16:52:04.270+0200 [DEBUG] provider.terraform-provider-azureadb2cief_v0.2.0: 2022/09/06 16:52:04 [DEBUG] POST https://graph.microsoft.com/beta/trustFramework/keySets
2022-09-06T16:52:04.270+0200 [DEBUG] provider.terraform-provider-azureadb2cief_v0.2.0: 2022/09/06 16:52:04 [DEBUG] POST https://graph.microsoft.com/beta/trustFramework/keySets
2022-09-06T16:52:04.780+0200 [TRACE] maybeTainted: azureadb2cief_trust_framework_key_set.B2C_1A_TokenEncryptionKeyContainer encountered an error during creation, so it is now marked as tainted
Hello, Could you please share your provider configuration block? For example:
provider "azureadb2cief" {
tenant_id = "06878585-dd97-4848-8f61-887e0e9f35dc"
use_cli = true
}
Thanks
empty provider, using version 0.2:
provider "azureadb2cief" {
}
ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET environment variables set according to the managementapp1 service principal created in the B2C tenant, following the Azure documentation: Register a Microsoft Graph application.
API Permissions set for managementapp1:
I want to avoid use_cli. managementapp1 was created in order to run terraform provisioning from a CI pipeline using ARM_CLIENT_SECRET credentials, similarly to other CI pipelines I already have with the azurerm provider.
This provider sets use_cli to true by default. If you do not explicitly set it to false, it will attempt to use the logged in context of the az cli even though you set ARM_CLIENT_ID, ARM_TENANT_ID, and ARM_CLIENT_SECRET. Try setting it to false either in the provider configuration block:
provider "azureadb2cief" {
use_cli = false
}
OR by setting the environment variable (like this if using bash)
export ARM_USE_CLI=false
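The same fix, folded into a CI pre-flight script, as an added example that is not part of the issue or of the provider's own code. It covers both the curl token request at the top of the thread and the use_cli advice above: it refuses to run unless the ARM_* variables are present, exports ARM_USE_CLI=false so the provider cannot fall back to the az cli context, and then decodes the app-only token and checks its "roles" claim, which is where granted application permissions such as TrustFrameworkKeySet.ReadWrite.All appear (delegated permissions land in "scp" and are not what the provider needs). The function names, the preflight.sh file name and the two sample tokens are assumptions for this example; the sample tokens are constructed, unsigned JWTs so the checks run offline, while fetch_token issues the real client_credentials request from the issue.

```sh
#!/usr/bin/env sh
# Added example (not from the issue or the provider): pre-flight check for a
# CI pipeline that runs terraform with a client secret instead of the az cli.

# base64url-decode one JWT segment: swap the url-safe alphabet back and
# restore the '=' padding that JWT segments strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Exit 0 when the token's "roles" array contains the given application
# permission, 1 otherwise. Only "roles" is inspected on purpose: "scp"
# holds delegated permissions, which an app-only client credential never has.
token_has_role() {
  jwt_payload "$1" | grep -o '"roles":\[[^]]*\]' | grep -qF "\"$2\""
}

# Constructed sample (assumption): an unsigned token whose payload mirrors
# the claims an app-only Graph token carries. The signature is a placeholder,
# so never trust anything this function builds outside a test.
build_sample_token() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '\n=' | tr '+/' '-_')
  pl=$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_')
  printf '%s.%s.sig' "$hdr" "$pl"
}

SAMPLE_OK=$(build_sample_token '{"aud":"https://graph.microsoft.com","roles":["TrustFrameworkKeySet.ReadWrite.All","Policy.ReadWrite.TrustFramework"]}')
SAMPLE_MISSING=$(build_sample_token '{"aud":"https://graph.microsoft.com","roles":["User.Read.All"]}')

# Real token fetch: the client_credentials request from the issue, with the
# access_token pulled out of the JSON response.
fetch_token() {
  curl -sS -X POST \
    -d client_id="$ARM_CLIENT_ID" -d client_secret="$ARM_CLIENT_SECRET" \
    -d grant_type=client_credentials \
    -d scope=https%3A%2F%2Fgraph.microsoft.com%2F.default \
    "https://login.microsoftonline.com/$ARM_TENANT_ID/oauth2/v2.0/token" \
    | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4
}

# Pre-flight for the pipeline: env vars present, cli fallback disabled,
# and the app-only token actually carries the key-set permission.
preflight() {
  for v in ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
  done
  export ARM_USE_CLI=false
  tok=$(fetch_token) || return 1
  token_has_role "$tok" TrustFrameworkKeySet.ReadWrite.All || {
    echo "token lacks TrustFrameworkKeySet.ReadWrite.All (admin consent granted?)" >&2
    return 1
  }
}

# Usage in CI (assumed file name): . ./preflight.sh && preflight && terraform apply
```

If the roles check fails even though the permission is listed on the app registration, admin consent has usually not been granted in the B2C tenant, or the secret belongs to a different app registration than the one that was consented; inspecting the token removes the guesswork before terraform ever calls Graph.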
OK thanks, that's right, it works now with use_cli = false. I completely missed the fact that use_cli defaults to true. Actually, the flags are really similar in the azuread provider. It can help to include similar content in the B2C provider too.
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/azure_cli
hi! 👋 I'm testing provider version 0.2.0 and need help to resolve the following API permission issue.
I get the following error when applying the sample base policy to an existing AAD B2C tenant:
The problem is, I believe it does have the TrustFrameworkKeySet.ReadWrite.All permission.
How to reproduce
I follow the instructions at Register a Microsoft Graph application to register an app 'managementapp1' in a B2C tenant. I grant application permissions, and finally grant admin consent:
I export ARM_CLIENT_ID, ARM_CLIENT_SECRET, and ARM_TENANT_ID in the environment. Values are the client id, client secret, and tenant id of the managementapp1 application created in the first step.
Verify that az login is indeed successful using these credentials:
Running terraform apply fails with the above error log.
Environment