如何使用 Bicep（或 ARM）创建 AD 应用程序注册和角色？

Question

我正在使用 Terraform 为我们的应用程序创建应用程序注册和角色。但我不知道如何对二头肌做同样的事情。这是今天使用的：

步骤 1. 在 Active Directory 中注册应用程序，有效创建“应用程序注册”。

resource "azuread_application" "ad_app" {
  name                        = local.full_app_name
  type                        = "webapp/api"
  owners                      = var.app_owners
}

第 2 步：为我们的应用程序创建角色

resource "azuread_application_app_role" "person_read" {
  application_object_id = azuread_application.ad_app.id
  allowed_member_types  = ["Application"]
  description           = "Person Reader can search and read persons"
  display_name          = "Person Reader"
  value = "Persons.Read"
}

问题是我不知道如何使用 Bicep（或 ARM 模板）执行这些步骤。我尝试过'Microsoft.Authorization/roleDefinitions'，但似乎不对。我不知道如何进行应用程序注册。

Answer 1

不幸的是，ARM 模板或 Bicep 并不直接支持两者。但您可以使用部署脚本来使用 Bicep/ARM 模板创建两者。

使用 Bicep 创建 Azure AD 应用程序注册：

param name string
param location string = resourceGroup().location
param currentTime string = utcNow()

resource script 'Microsoft.Resources/deploymentScripts@2019-10-01-preview' = {
  name: name
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${resourceId('app-reg-automation', 'Microsoft.ManagedIdentity/userAssignedIdentities', 'AppRegCreator')}': {}
    }
  }
  properties: {
    azPowerShellVersion: '5.0'
    arguments: '-resourceName "${name}"'
    scriptContent: '''
      param([string] $resourceName)
      $token = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
      $headers = @{'Content-Type' = 'application/json'; 'Authorization' = 'Bearer ' + $token}

      $template = @{
        displayName = $resourceName
        requiredResourceAccess = @(
          @{
            resourceAppId = "00000003-0000-0000-c000-000000000000"
            resourceAccess = @(
              @{
                id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
                type = "Scope"
              }
            )
          }
        )
        signInAudience = "AzureADMyOrg"
      }
      
      // Upsert App registration
      $app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications?filter=displayName eq '$($resourceName)'").value
      $principal = @{}
      if ($app) {
        $ignore = Invoke-RestMethod -Method Patch -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)" -Body ($template | ConvertTo-Json -Depth 10)
        $principal = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/servicePrincipals?filter=appId eq '$($app.appId)'").value
      } else {
        $app = (Invoke-RestMethod -Method Post -Headers $headers -Uri "https://graph.microsoft.com/beta/applications" -Body ($template | ConvertTo-Json -Depth 10))
        $principal = Invoke-RestMethod -Method POST -Headers $headers -Uri  "https://graph.microsoft.com/beta/servicePrincipals" -Body (@{ "appId" = $app.appId } | ConvertTo-Json)
      }
      
      // Creating client secret
      $app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)")
      
      foreach ($password in $app.passwordCredentials) {
        Write-Host "Deleting secret with id: $($password.keyId)"
        $body = @{
          "keyId" = $password.keyId
        }
        $ignore = Invoke-RestMethod -Method POST -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)/removePassword" -Body ($body | ConvertTo-Json)
      }
      
      $body = @{
        "passwordCredential" = @{
          "displayName"= "Client Secret"
        }
      }
      $secret = (Invoke-RestMethod -Method POST -Headers $headers -Uri  "https://graph.microsoft.com/beta/applications/$($app.id)/addPassword" -Body ($body | ConvertTo-Json)).secretText
      
      $DeploymentScriptOutputs = @{}
      $DeploymentScriptOutputs['objectId'] = $app.id
      $DeploymentScriptOutputs['clientId'] = $app.appId
      $DeploymentScriptOutputs['clientSecret'] = $secret
      $DeploymentScriptOutputs['principalId'] = $principal.id

// create app role

    '''
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
    forceUpdateTag: currentTime // ensures script will run every time
  }
}

output objectId string = script.properties.outputs.objectId
output clientId string = script.properties.outputs.clientId
output clientSecret string = script.properties.outputs.clientSecret
output principalId string = script.properties.outputs.principalId

参考：

使用 ARM 模板/Bicep 创建应用程序注册 | 作者：乔恩·雷金博尔德

为 Azure AD 应用程序创建应用程序角色：

我对此不太了解，但我想您可以使用//create app role上面代码中编写的以下脚本：

$app = (Invoke-RestMethod -Method Get -Headers $headers -Uri "https://graph.microsoft.com/beta/applications/$($app.id)")
      $body1 = @{
        Id = [Guid]::NewGuid().ToString()
        IsEnabled = true
        AllowedMemberTypes =@("application")
        Description = "My Role Description.."
        DisplayName = "My Custom Role"
        Value = "MyCustomRole"
      }
      $createapprole= Invoke-RestMethod -Method POST -Headers $headers -Uri  "https://graph.microsoft.com/beta/applications/$($app.id)/appRoles" -Body ($body1 | ConvertTo-Json)

参考：

appRole 资源类型

更新应用程序