Unable to apply Terraform configuration: Entra ID 403 error

Question (votes: 0, answers: 1)

I am following this tutorial: https://developer.hashicorp.com/terraform/tutorials/it-saas/entra-id

My main.tf is as follows:

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Configure the Azure Active Directory Provider
provider "azuread" {}

# Retrieve domain information
data "azuread_domains" "default" {
  only_initial = true
}

locals {
  domain_name = data.azuread_domains.default.domains.0.domain_name
  users       = csvdecode(file("${path.module}/users.csv"))
}

resource "random_pet" "suffix" {
  length = 2
}

# Create users
resource "azuread_user" "users" {
  for_each = { for user in local.users : user.first_name => user }

  user_principal_name = format(
    "%s%s-%s@%s",
    substr(lower(each.value.first_name), 0, 1),
    lower(each.value.last_name),
    random_pet.suffix.id,
    local.domain_name
  )

  password = format(
    "%s%s%s!",
    lower(each.value.last_name),
    substr(lower(each.value.first_name), 0, 1),
    length(each.value.first_name)
  )
  force_password_change = true

  display_name = "${each.value.first_name} ${each.value.last_name}"
  department   = each.value.department
  job_title    = each.value.job_title
}

I am able to complete all the steps up to the "terraform apply" command, but then I get this error:

data.azuread_domains.default: Reading...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # random_pet.suffix will be created
  + resource "random_pet" "suffix" {
      + id        = (known after apply)
      + length    = 2
      + separator = "-"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: Could not list domains
│
│   with data.azuread_domains.default,
│   on main.tf line 8, in data "azuread_domains" "default":
│    8: data "azuread_domains" "default" {
│
│ DomainsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

Troubleshooting steps:

  • I verified that I have an Entra ID tenant and that this tenant is reflected in the ARM_TENANT_ID environment variable.
  • I confirmed that my subscription is selected.
  • I confirmed that I am logged in with "az login".
  • I verified that I have Global Administrator permissions on my tenant.
  • I created a service principal and ran "az login --service-principal".
  • I followed the "Creating a Service Principal in the Azure Portal" steps in this document: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret. I created the Terraform app registration and obtained the new environment variables. I put the new environment variables into my .profile, reloaded the Linux profile and ran "terraform apply" again.

Please advise what causes the error and how to fix it.

azure terraform azure-active-directory terraform-provider-azure
1 answer

0 votes

The cause of the problem was that I had previously configured the ARM environment variables in a way similar to what is described here: https://developer.hashicorp.com/terraform/tutorials/azure-get-started/azure-build

My guess is that these variables are incompatible with some other environment variables loaded by the "az login" command.

Once I removed all ARM environment variables from .profile, the "terraform apply" command succeeded.

What do you think of this solution? Comments are welcome.
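A small check for the situation the answer describes, added here as an example and not taken from the question, the answer or HashiCorp's tutorial: it lists the ARM_* credential variables the azuread provider reads (these are the provider's documented variable names; the function names arm_env_check and arm_env_clear are my own), says which identity Terraform will therefore use, and can clear them so the provider falls back to the "az login" identity.

```sh
#!/bin/sh
# Added example, not code from the question, the answer or the tutorial.
# When ARM_CLIENT_ID plus a client secret or certificate is present, the
# azuread provider authenticates as that service principal instead of the
# "az login" user. A stale service principal that cannot read the directory
# then gets the 403 Authorization_RequestDenied seen in the question.

# Documented azuread/azurerm provider variables that select a credential.
ARM_CRED_VARS="ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH \
ARM_CLIENT_CERTIFICATE_PASSWORD ARM_USE_MSI ARM_USE_OIDC"

# Print every credential variable that is set (secret values redacted) and
# which identity Terraform will use. Returns 0 when none is set (Azure CLI
# authentication applies) and 1 when at least one is set.
arm_env_check() {
  found=0
  for v in $ARM_CRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || continue
    case "$v" in
      ARM_CLIENT_SECRET|ARM_CLIENT_CERTIFICATE_PASSWORD) shown="<redacted>" ;;
      *) shown="$val" ;;
    esac
    echo "$v=$shown"
    found=1
  done
  if [ "$found" -eq 0 ]; then
    echo "no ARM_* credentials set: Terraform will use the az login identity"
  else
    echo "ARM_* credentials set: Terraform will NOT use the az login identity"
  fi
  return "$found"
}

# Unset the credential variables in the current shell so that Terraform falls
# back to Azure CLI authentication. Source this file for it to take effect.
arm_env_clear() {
  for v in $ARM_CRED_VARS; do
    unset "$v"
  done
}
```

Source the file (". ./arm_env_check.sh") rather than executing it, otherwise arm_env_clear only affects a child shell; variables exported from .profile must also be removed there or they return at the next login.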
