对于同一个应用程序,我有 2 个正在运行的容器和一个 Azure 应用服务。它们三个都使用相同的 AzureActiveDirectory 身份验证和相同的服务主体。
# Auth block for container apps
resource "azapi_resource" "ca_1_auth" {
  # Easy Auth settings for container app ca_1; the authConfigs child resource is always named "current".
  type      = "Microsoft.App/containerApps/authConfigs@2023-05-01"
  name      = "current"
  parent_id = azapi_resource.ca_1.id

  body = jsonencode({
    properties = {
      platform = {
        enabled = true
      }
      httpSettings = {
        requireHttps = true
      }
      # Browser-style behaviour: anonymous callers are sent to the AAD login page.
      # NOTE(review): for service-to-service calls that carry a bearer token, an API usually
      # wants a 401 ("Return401") instead of a redirect — confirm against how the callers work.
      globalValidation = {
        unauthenticatedClientAction = "RedirectToLoginPage"
        redirectToProvider          = "azureactivedirectory"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            # Application (client) ID of the shared app registration — an identifier, not a secret.
            clientId = var.auth_service_principal_id
          }
        }
      }
    }
  })
}
# Auth block for app service
auth_settings {
  # Nested block of the app service resource (the enclosing resource is not shown here).
  enabled                       = true
  default_provider              = "AzureActiveDirectory"
  unauthenticated_client_action = "RedirectToLoginPage"
  # Redacted in the question; the real value is the tenant's OpenID Connect issuer URI.
  issuer                        = "---"

  active_directory {
    client_id = var.auth_service_principal_id
  }
}
如何验证这些容器之间的所有请求?我正在尝试授予访问权限,以便这两个容器可以访问应用程序服务容器
使用同一 AAD 应用程序配置不同应用程序之间的访问
可以通过以下配置实现在两个容器和 Azure 应用服务之间启用身份验证,所有容器和 Azure 应用服务均使用相同的 Azure Active Directory (AzureAD) 进行身份验证,并使用相同的服务主体。
我的 Terraform 配置:
main.tf:
terraform {
  # NOTE(review): neither provider carries a version constraint, so `terraform init` resolves the
  # newest release each time; pin both with `version = "..."` (and add `required_version`) so the
  # lock file, not the registry, decides what runs.
  required_providers {
    azapi = {
      source = "azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}
# No explicit settings: azapi typically picks up the same credentials as azurerm
# (ARM_* environment variables or the CLI login).
provider "azapi" {}
provider "azurerm" {
  # Service-principal settings are left empty here so nothing sensitive is committed. Supply them
  # through ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID (or `az login`)
  # rather than by filling in these literals — a secret pasted here ends up in version control.
  subscription_id = ""
  tenant_id       = ""
  client_id       = ""
  client_secret   = ""

  features {}
}
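variable "auth_service_principal_id" {
  # Application (client) ID of the AAD app registration shared by the app service and both
  # container apps. It is an identifier rather than a secret. `type = string` added to match the
  # module's declaration of the same variable.
  description = "The Client ID for the Azure AD Application"
  type        = string
  default     = ""
  # NOTE(review): the empty default lets a plan succeed with no client ID configured at all;
  # prefer passing it explicitly (-var / tfvars), or add a validation block rejecting "".
}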
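variable "issuer_url" {
  # auth_settings.issuer is the token issuer that Easy Auth compares with the `iss` claim, i.e. the
  # tenant's OpenID Connect issuer (https://login.microsoftonline.com/<tenant>/v2.0 for v2 tokens,
  # https://sts.windows.net/<tenant>/ for v1). The previous default pointed at the
  # /oauth2/v2.0/authorize endpoint, which never matches an issued token. Replace Tenant_ID with
  # the directory (tenant) ID.
  description = "OpenID Connect issuer URL of the Azure AD tenant (validated against the iss claim)"
  type        = string
  default     = "https://login.microsoftonline.com/Tenant_ID/v2.0"
}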
variable "azure_client_secret" {
  # Secret of the shared app registration. `sensitive` hides it from plan/apply output, but it is
  # still written to state, so the state backend must be protected accordingly.
  type        = string
  sensitive   = true
  description = "Azure Client Secret for authentication"
}
# Resource group
resource "azurerm_resource_group" "example" {
  # Single resource group holding the plan, the app service and both container app environments.
  location = "East US"
  name     = "vkssb-rg"
}
# App Service Plan
resource "azurerm_service_plan" "example" {
  # Linux plan backing the app service below.
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  name                = "vksb-appservice-plan"
  os_type             = "Linux"
  sku_name            = "P1v2"
}
# App Service with Azure AD Authentication
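resource "azurerm_app_service" "example" {
  # Front-end app service protected by Easy Auth with the shared AAD app registration.
  # NOTE(review): azurerm_app_service is the legacy resource; azurerm_linux_web_app replaces it in
  # azurerm 3.x — worth keeping in mind if the provider is upgraded.
  name                = "vksb-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_service_plan.example.id

  # The container apps enforce requireHttps; mirror that here so tokens never travel over plain HTTP.
  https_only = true

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    unauthenticated_client_action = "RedirectToLoginPage"
    issuer                        = var.issuer_url

    active_directory {
      client_id = var.auth_service_principal_id
      # NOTE(review): bearer tokens from the container apps whose audience is not this client ID
      # are only accepted if that audience is listed in allowed_audiences — confirm which audience
      # the callers request.
    }
  }
}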
# Container Apps
module "container_app_1" {
  # First container app; shares the app registration (and its secret) with the app service.
  source = "./modules/container_app"

  name                      = "vksbb-container-1"
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  auth_service_principal_id = var.auth_service_principal_id
  azure_client_secret       = var.azure_client_secret
}
module "container_app_2" {
  # Second container app, identical to the first apart from its name.
  source = "./modules/container_app"

  name                      = "vksbb-container-2"
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  auth_service_principal_id = var.auth_service_principal_id
  azure_client_secret       = var.azure_client_secret
}
output "app_service_id" {
  # Resource ID of the app service, exposed for other configurations.
  description = "The ID of the Azure App Service"
  value       = azurerm_app_service.example.id
}
modules/container_app/main.tf:
terraform {
  # NOTE(review): no version constraints, as in the root module; pin both providers with
  # `version = "..."` so the lock file controls which release is installed.
  required_providers {
    azapi = {
      source = "azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}
variable "name" {
  # Base name of the container app; the environment name is derived from it.
  type        = string
  description = "The name of the container app"
}
variable "resource_group_name" {
  # Existing resource group that receives the environment and the container app.
  type        = string
  description = "The name of the resource group"
}
variable "location" {
  # Azure region for the container app environment.
  type        = string
  description = "The Azure region where the container app will be deployed"
}
variable "auth_service_principal_id" {
  # Application (client) ID of the shared AAD app registration. This is the value the Easy Auth
  # registration.clientId should carry; it is an identifier, not a secret.
  type        = string
  description = "Client ID for the Azure AD application used for authentication"
}
variable "azure_client_secret" {
  # Secret of the shared app registration. `sensitive` keeps it out of plan output but not out of
  # state. NOTE(review): it must never be written into a non-secret field of a resource; if Easy
  # Auth needs it, store it as a container app secret and reference it via clientSecretSettingName.
  type        = string
  sensitive   = true
  description = "Azure Client Secret for authentication"
}
resource "azurerm_container_app_environment" "example" {
  # One managed environment per module instance, named after the app it hosts.
  location            = var.location
  resource_group_name = var.resource_group_name
  name                = "${var.name}-env"
}
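resource "azurerm_container_app" "this" {
  # Container app running a single nginx container; Easy Auth is attached by the authConfigs
  # child resource declared separately in this module.
  name                         = var.name
  resource_group_name          = var.resource_group_name
  container_app_environment_id = azurerm_container_app_environment.example.id
  revision_mode                = "Multiple"

  # NOTE(review): no ingress block is declared, so the app exposes no HTTP endpoint for the other
  # apps (or for Easy Auth) to reach — add `ingress { ... }` once the target port is known.

  template {
    # NOTE(review): with revision_mode = "Multiple" every template change needs a new, unique
    # revision name, so a fixed suffix has to be bumped (or dropped) whenever the container changes.
    revision_suffix = "rev1"

    container {
      # Was hard-coded to "vksbb-container-1" for both module instances; derive it from the
      # module's name so the two apps are distinguishable.
      name  = var.name
      # NOTE(review): public Docker Hub tag; pin to an image digest (@sha256:...) so deployments are
      # reproducible and a re-pushed tag cannot swap the image.
      image = "techorama2021cegeka/repro-nginx:4"

      cpu    = 0.5     # CPU cores
      memory = "1.0Gi" # Memory

      env {
        name  = "EXAMPLE_VAR"
        value = "example_value"
      }
    }
  }
}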
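resource "azapi_resource" "auth_config" {
  # Easy Auth settings for the container app (the authConfigs child is always named "current").
  type      = "Microsoft.App/containerApps/authConfigs@2023-05-01"
  name      = "current"
  parent_id = azurerm_container_app.this.id

  body = jsonencode({
    properties = {
      platform = {
        enabled = true
      }
      httpSettings = {
        requireHttps = true
      }
      # NOTE(review): RedirectToLoginPage suits browser clients; for bearer-token calls between the
      # apps a 401 ("Return401") is usually wanted — confirm against the caller pattern.
      globalValidation = {
        unauthenticatedClientAction = "RedirectToLoginPage"
        redirectToProvider          = "azureactivedirectory"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            # Bug fix: this was var.azure_client_secret. That breaks validation (the secret is not
            # the app ID) and, worse, writes the secret into a non-secret, readable field of the
            # authConfig resource and into the Terraform plan/state. The registration takes the
            # application (client) ID; if the secret is needed, store it as a container app secret
            # and point clientSecretSettingName at it instead of inlining it.
            clientId = var.auth_service_principal_id
            # NOTE(review): openIdIssuer is not set; the tenant's issuer URL is normally supplied
            # here so tokens are validated against the intended tenant — confirm against the API docs.
          }
        }
      }
    }
  })
}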
部署成功: