使用同一 AAD 应用程序配置不同应用程序之间的访问


对于同一个应用程序,我有 2 个正在运行的容器和一个 Azure 应用服务。他们三个都使用相同的 AzureActiveDirectory 身份验证和相同的服务主体。

# Auth block for container apps
resource "azapi_resource" "ca_1_auth" {
  # Easy Auth config for container app 1, attached as the child resource
  # "current" of the container app. Key order inside the body is irrelevant
  # to the ARM API.
  type      = "Microsoft.App/containerApps/authConfigs@2023-05-01"
  name      = "current"
  parent_id = azapi_resource.ca_1.id

  body = jsonencode({
    properties = {
      platform     = { enabled = true }
      httpSettings = { requireHttps = true }

      # NOTE(review): every unauthenticated request is answered with a 302 to
      # the login page, including non-browser calls from the other apps; an
      # API-only app normally uses "Return401" so callers get a clear failure.
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }

      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          # The shared app registration's application (client) ID.
          registration = { clientId = var.auth_service_principal_id }
        }
      }
    }
  })
}

# Auth block for app service
auth_settings {
    enabled                       = true
    # NOTE(review): applies to every unauthenticated request, so a container
    # calling this app without a bearer token receives a 302, not a 401.
    unauthenticated_client_action = "RedirectToLoginPage"
    active_directory {
      # Application (client) ID of the shared app registration.
      client_id = var.auth_service_principal_id
    }
    default_provider = "AzureActiveDirectory"
    # "---" is a placeholder; the real value is the tenant's OIDC issuer,
    # e.g. https://login.microsoftonline.com/<tenant-id>/v2.0 (v2 tokens)
    # or https://sts.windows.net/<tenant-id>/ (v1 tokens).
    issuer           = "---"
  }

如何对这些应用之间的所有请求进行身份验证?我正在尝试授予访问权限,以便这两个容器应用可以访问该 Azure 应用服务。


使用同一 AAD 应用程序配置不同应用程序之间的访问

下面的配置是在两个容器应用和 Azure 应用服务上分别启用同一个 Azure AD (Entra ID) 应用注册(同一服务主体)的内置身份验证(Easy Auth)。需要注意的是,这只是让三个应用都校验同一来源的令牌,并不会自动让容器“获得”对应用服务的访问权:容器调用应用服务时仍需先取得以该应用注册为受众(audience)的访问令牌(例如通过托管标识申请),再通过 `Authorization: Bearer` 头发送;否则 `RedirectToLoginPage` 只会把这类非交互式调用重定向到登录页。

我的 Terraform 配置:

main.tf:

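terraform {
  # Pin provider majors. azurerm_app_service (used below) was removed in
  # azurerm 4.x, so an unpinned provider can stop planning after an upgrade;
  # azapi is held to the 1.x line this listing's jsonencode()'d body was
  # written against (2.x changed how `body` is handled — review before moving).
  # Unpinned providers also let a future release silently change what
  # `terraform apply` deploys.
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1.0"
    }
  }
}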

# azapi reads the same ARM_* environment variables / Azure CLI login as
# azurerm, so no credentials need to appear in this file.
provider "azapi" {
}

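provider "azurerm" {
  features {}
  # Do not put service-principal credentials in this file, even as empty
  # placeholders — they invite real values to be committed. Set
  # ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID
  # in the environment (or use OIDC / Azure CLI auth); the provider reads
  # them when the attributes are unset, so behaviour is unchanged.
}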

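variable "auth_service_principal_id" {
  description = "Application (client) ID of the Azure AD app registration used for Easy Auth. A GUID, not a secret."
  type        = string
  # No default: an empty client ID yields an auth config that can never
  # validate a token, so fail at plan time instead of after deployment.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.auth_service_principal_id))
    error_message = "auth_service_principal_id must be the application (client) ID GUID of the app registration."
  }
}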

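variable "issuer_url" {
  description = "OpenID Connect issuer of the Azure AD tenant; App Service uses it to validate the token `iss` claim and to locate the tenant's OIDC metadata."
  type        = string
  # The issuer is the tenant's v2.0 authority, not the /oauth2/v2.0/authorize
  # endpoint (that is where browsers are sent to sign in). Replace Tenant_ID
  # with the directory (tenant) GUID.
  default     = "https://login.microsoftonline.com/Tenant_ID/v2.0"
}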

variable "azure_client_secret" {
  type        = string
  sensitive   = true
  # Only needed if an auth config references it through a secret setting
  # (e.g. clientSecretSettingName); it must never be copied into a plain
  # property. Note it is still stored in Terraform state.
  description = "Azure Client Secret for authentication"
}

# Resource group
# Resource group holding the plan, the App Service and both container modules.
resource "azurerm_resource_group" "example" {
  location = "East US"
  name     = "vkssb-rg"
}

# App Service Plan
# Linux PremiumV2 plan for the App Service.
resource "azurerm_service_plan" "example" {
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  name                = "vksb-appservice-plan"
  os_type             = "Linux"
  sku_name            = "P1v2"
}


# App Service with Azure AD Authentication
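# App Service with Azure AD Authentication.
# NOTE(review): azurerm_app_service is deprecated (removed in azurerm 4.x);
# kept here because the output below references its id, but new code should
# use azurerm_linux_web_app with auth_settings_v2.
resource "azurerm_app_service" "example" {
  name                = "vksb-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_service_plan.example.id

  # Match the container apps' requireHttps = true: refuse plain-HTTP traffic
  # so tokens are never sent in clear.
  https_only = true

  auth_settings {
    enabled = true
    # NOTE(review): this answers every unauthenticated request with a 302 to
    # the login page, including calls from the containers. If this app is
    # only called by services, "Return401" is the appropriate action.
    unauthenticated_client_action = "RedirectToLoginPage"
    active_directory {
      # Application (client) ID of the shared app registration.
      client_id = var.auth_service_principal_id
    }
    default_provider = "AzureActiveDirectory"
    # Tenant OIDC issuer used to validate the token `iss` claim.
    issuer = var.issuer_url
  }
}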

# Container Apps
# First container app; each module instance creates its own environment.
module "container_app_1" {
  source = "./modules/container_app"

  name                = "vksbb-container-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Same app registration for all three apps, as in the question.
  auth_service_principal_id = var.auth_service_principal_id
  azure_client_secret       = var.azure_client_secret
}

# Second container app; each module instance creates its own environment.
module "container_app_2" {
  source = "./modules/container_app"

  name                = "vksbb-container-2"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Same app registration for all three apps, as in the question.
  auth_service_principal_id = var.auth_service_principal_id
  azure_client_secret       = var.azure_client_secret
}

# Resource ID of the App Service, for callers that need to reference it.
output "app_service_id" {
  description = "The ID of the Azure App Service"
  value       = azurerm_app_service.example.id
}

modules/container_app/main.tf (the path referenced by `source = "./modules/container_app"` above):

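terraform {
  # Pin provider majors so a future provider release cannot silently change
  # what this module deploys. azapi is held to the 1.x line this module's
  # jsonencode()'d body was written against (2.x changed how `body` is
  # handled — review before moving).
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1.0"
    }
  }
}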


variable "name" {
  type        = string
  # Also used to derive the environment name ("<name>-env").
  description = "The name of the container app"
}

variable "resource_group_name" {
  type        = string
  description = "The name of the resource group"
}

variable "location" {
  type        = string
  description = "The Azure region where the container app will be deployed"
}

variable "auth_service_principal_id" {
  type        = string
  # Application (client) ID GUID of the app registration — not a secret.
  description = "Client ID for the Azure AD application used for authentication"
}

variable "azure_client_secret" {
  type        = string
  sensitive   = true
  # Must only be referenced through a secret setting; never copy it into a
  # plain property such as an auth config's clientId.
  description = "Azure Client Secret for authentication"
}

# One environment per module instance. NOTE(review): because each container
# app gets its own environment, the two apps cannot reach each other over
# internal (environment-scoped) ingress; share one environment if that is
# the intended topology.
resource "azurerm_container_app_environment" "example" {
  location            = var.location
  resource_group_name = var.resource_group_name
  name                = "${var.name}-env"
}

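resource "azurerm_container_app" "this" {
  name                         = var.name
  resource_group_name          = var.resource_group_name
  container_app_environment_id = azurerm_container_app_environment.example.id
  revision_mode                = "Multiple"

  # NOTE(review): no `ingress` block is declared, so this app exposes no HTTP
  # endpoint and the Easy Auth config attached below has no traffic to guard.
  # Add an `ingress { target_port = ... external_enabled = ... }` block (port
  # depends on the image — confirm) once the intended exposure is decided.

  template {
    container {
      # Use the module input rather than a hard-coded name: the module is
      # instantiated twice, and both copies previously reported a container
      # named "vksbb-container-1".
      name = var.name
      # TODO(review): pin this third-party Docker Hub image by digest
      # (image@sha256:...); a mutable tag can be republished with different
      # contents.
      image = "techorama2021cegeka/repro-nginx:4"

      cpu    = 0.5
      memory = "1.0Gi"

      env {
        name  = "EXAMPLE_VAR"
        value = "example_value"
      }
    }

    # Revision suffix stays constant; with revision_mode = "Multiple" a new
    # suffix is needed for each new revision.
    revision_suffix = "rev1"
  }
}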

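# Easy Auth configuration for the container app, attached as its "current"
# authConfigs child resource.
resource "azapi_resource" "auth_config" {
  type      = "Microsoft.App/containerApps/authConfigs@2023-05-01"
  name      = "current"
  parent_id = azurerm_container_app.this.id
  body = jsonencode({
    properties = {
      platform = {
        enabled = true
      }
      httpSettings = {
        requireHttps = true
      }
      globalValidation = {
        # NOTE(review): unauthenticated callers, including the other
        # container app, are answered with a 302 to the login page; use
        # "Return401" on an API-only app so they get an auth failure.
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            # The registration takes the app's application (client) ID.
            # The original listing wrote var.azure_client_secret here, which
            # both breaks token validation (no token carries the secret as
            # its audience/appid) and copies the secret into a plain,
            # non-secret ARM property readable by anyone who can view the
            # resource.
            clientId = var.auth_service_principal_id
          }
          # TODO(review): consider adding validation.allowedAudiences with
          # the app's Application ID URI so only tokens minted for this app
          # are accepted.
        }
      }
    }
  })
}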

部署成功:

