How can Azure B2C be configured automatically?

Question | Votes: 0 | Answers: 3

I have been following several Microsoft tutorials to configure Azure B2C with my web application and REST API, for example https://learn.microsoft.com/en-ca/azure/active-directory-b2c/tutorial-single-page-app-webapi?tabs=app-reg-ga

There was a lot of back and forth, and it is now working.

All of the configuration was done in the portal, and it now feels very fragile, since it took me several attempts to get it right.

The rest of my Azure deployment is configured with Terraform, Ansible and the Azure CLI.

I can't see any support for B2C in them.

Are there other options? Can you export the configuration to a file as a backup?

What if something breaks? How do you roll back to a previous working version?

ansible terraform azure-ad-b2c azure-cli
3 answers

0 votes

You can use the following Powershell script to create the service principal and the provider.tf file to automate the process:

#!/bin/bash

# Print an error message in red to stderr and abort
error()
{
  if [[ -n "$*" ]]
  then
    tput setaf 1
    echo "ERROR: $*" >&2
    tput sgr0
  fi

  exit 1
}

# Colour filters for stdin
yellow() { tput setaf 3; cat - ; tput sgr0; return; }
cyan()   { tput setaf 6; cat - ; tput sgr0; return; }


# Grab the Azure subscription ID (fails if there is no active az login)
subId=$(az account show --output tsv --query id)
[[ -z "$subId" ]] && error "Not logged into Azure as expected."

# Check for existing provider.tf
if [[ -f provider.tf ]]
then
  echo -n "The provider.tf file exists.  Do you want to overwrite? [Y/n]: "
  read -r ans
  [[ "${ans:-Y}" != [Yy] ]] && exit 0
fi

sname="terraform-${subId}-sp"
name="http://${sname}"

# Create the service principal, scoped to Contributor on this subscription only
echo "az ad sp create-for-rbac --name \"$sname\"" | yellow
spout=$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$subId" --name "$sname" --output json)

# If the service principal already exists then offer to reset credentials
if [[ "$?" -ne 0 ]]
then
  echo -n "Service Principal already exists. Do you want to reset credentials? [Y/n]: "
  read -r ans
  if [[ "${ans:-Y}" = [Yy] ]]
  then spout=$(az ad sp credential reset --name "$name" --output json)
  else exit 1
  fi
fi

[[ -z "$spout" ]] && error "Failed to create / reset the service principal $name"

# Echo the json output
echo "$spout" | yellow

# Derive the required variables from the JSON (quoted so jq sees the whole document)
clientId=$(jq -r .appId <<< "$spout")
clientSecret=$(jq -r .password <<< "$spout")
tenantId=$(jq -r .tenant <<< "$spout")

echo -e "\nWill now create a provider.tf file.  Choose output type."
PS3='Choose provider block type: '
options=("Populated azurerm block" "Empty azurerm block with environment variables" "Quit")
select opt in "${options[@]}"
do
  case $opt in
    "Populated azurerm block")
      # Note: this stores the client secret in plain text; keep provider.tf out of version control
      cat > provider.tf <<END-OF-STANZA
provider "azurerm" {
  subscription_id = "$subId"
  client_id       = "$clientId"
  client_secret   = "$clientSecret"
  tenant_id       = "$tenantId"
}
END-OF-STANZA

      echo -e "\nPopulated provider.tf:"
      cat provider.tf | yellow
      echo
      break
      ;;
    "Empty azurerm block with environment variables")
      echo "provider \"azurerm\" {}" > provider.tf
      echo -e "\nEmpty provider.tf:"
      cat provider.tf | yellow
      echo >&2

      # These exports only last for this script's shell; hence the copy/paste instructions below
      export ARM_SUBSCRIPTION_ID="$subId"
      export ARM_CLIENT_ID="$clientId"
      export ARM_CLIENT_SECRET="$clientSecret"
      export ARM_TENANT_ID="$tenantId"

      echo "Copy the following environment variable exports and paste into your .bashrc file:"
      cat <<END-OF-ENVVARS | cyan
export ARM_SUBSCRIPTION_ID="$subId"
export ARM_CLIENT_ID="$clientId"
export ARM_CLIENT_SECRET="$clientSecret"
export ARM_TENANT_ID="$tenantId"
END-OF-ENVVARS
      break
      ;;
    "Quit")
      exit 0
      ;;
    *) echo "invalid option $REPLY";;
  esac
done

echo "To log in as the Service Principal then run the following command:"
echo "az login --service-principal --username \"$clientId\" --password \"$clientSecret\" --tenant \"$tenantId\"" | cyan

exit 0

The script will interactively:

  1. Create the service principal (or reset its credentials if it already exists)
  2. Prompt you to choose a populated or empty azurerm provider block for provider.tf; if you choose an empty block, it exports the environment variables (and displays the export commands)
  3. Display the az login command to log in as the service principal

The following commands will download and run it:

uri=https://raw.githubusercontent.com/azurecitadel/azurecitadel.github.io/master/automation/terraform/createTerraformServicePrincipal.sh
curl -sL $uri > createTerraformServicePrincipal.sh && chmod 750 createTerraformServicePrincipal.sh
./createTerraformServicePrincipal.sh

See this excellent article by Richard Cheney - https://azurecitadel.com/automation/terraform/lab5/


0 votes

The best way to configure an Active Directory / Entra ID instance is to rely on the Graph API.

It offers an extensive list of options for this purpose: https://learn.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-1.0

One suggestion for fully automating the process is to rely on a solution such as Ansible as the "glue" between the tools:

  1. Ansible calls Terraform to provision the infrastructure
  2. Ansible triggers Graph API requests to set up the Entra ID tenant
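As an added example (not code from either answer or from any project), the two-step "glue" above as an Ansible playbook that also answers the backup question from the post: it snapshots the tenant's app registrations to a JSON file before registering a web app through Graph. It assumes the ARM_* variables from the first answer are exported, that the service principal has Application.ReadWrite.All on the B2C tenant, and that the tenant name, app name and redirect URI are placeholders.

```yaml
# Added example: Ansible as the glue between Terraform and the Graph API.
# Assumed: ARM_CLIENT_ID / ARM_CLIENT_SECRET exported (first answer), SP granted
# Application.ReadWrite.All on the B2C tenant, placeholder tenant and app names.
- name: Provision infrastructure with Terraform, then configure the B2C tenant via Graph
  hosts: localhost
  gather_facts: false
  vars:
    b2c_tenant: "contoso.onmicrosoft.com"   # placeholder
    app_name: "my-web-app"                   # placeholder
    graph: "https://graph.microsoft.com/v1.0"
  tasks:
    - name: Step 1 - run Terraform for the infrastructure (assumed project path)
      community.general.terraform:
        project_path: ./infra
        state: present

    - name: Step 2a - get a Graph token for the B2C tenant (client credentials)
      ansible.builtin.uri:
        url: "https://login.microsoftonline.com/{{ b2c_tenant }}/oauth2/v2.0/token"
        method: POST
        body_format: form-urlencoded
        body:
          grant_type: client_credentials
          client_id: "{{ lookup('env', 'ARM_CLIENT_ID') }}"
          client_secret: "{{ lookup('env', 'ARM_CLIENT_SECRET') }}"
          scope: "https://graph.microsoft.com/.default"
      register: token
      no_log: true   # keep the secret and the token out of the Ansible log

    - name: Step 2b - export current app registrations as a backup before changing anything
      ansible.builtin.uri:
        url: "{{ graph }}/applications"
        headers:
          Authorization: "Bearer {{ token.json.access_token }}"
        return_content: true
      register: apps

    - name: Write the backup to a timestamped file (version it to get rollback)
      ansible.builtin.copy:
        content: "{{ apps.json.value | to_nice_json }}"
        dest: "./applications-backup-{{ lookup('pipe', 'date +%Y%m%dT%H%M%S') }}.json"
        mode: "0600"

    - name: Step 2c - register the web app in the B2C tenant (skipped if it already exists)
      ansible.builtin.uri:
        url: "{{ graph }}/applications"
        method: POST
        headers:
          Authorization: "Bearer {{ token.json.access_token }}"
        body_format: json
        body:
          displayName: "{{ app_name }}"
          signInAudience: "AzureADandPersonalMicrosoftAccount"   # B2C user-flow audience
          web:
            redirectUris: ["https://localhost:5000/signin-oidc"]  # placeholder
        status_code: 201
      when: apps.json.value | selectattr('displayName', 'equalto', app_name) | list | length == 0
```

Run it with `ansible-playbook` after `az login` and the exports from the first answer; each run leaves a new backup file, so committing those files gives the "previous working version" the question asks about.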