Области терраформирования Dynamics 365 Business Central

Я пытаюсь создать сценарий terraform, который зарегистрирует приложение в Azure AD.

Мне удалось создать сценарий, который читает только из областей Microsoft Graph. Но у меня возникли проблемы с определением эквивалента этих областей в Business Central (облачная версия).

Для Microsoft Graph у меня есть следующие разрешения:

• Эл. адрес
• offline_access
• Openid
• профиль
• Financials.ReadWrite.All
• User.Read

И я читал их так в терраформе:

provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "~> 0.10"
  subscription_id = var.subscription_id
}

data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

locals {
  MAIL_PERMISSION                  = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("email"))[0]}"
  USER_READ_PERMISSION             = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("User.Read"))[0]}"
  FINANCIALS_READ_WRITE_PERMISSION = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  OFFLINE_PERMISSION               = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("offline_access"))[0]}"
  OPENID_PERMISSION                = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("openid"))[0]}"
  PROFILE_PERMISSION               = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("profile"))[0]}"
}

Кажется, что все работает нормально. Я просто пытаюсь найти аналогичный способ сделать это для Dynamics 365 Business Central

Меня интересуют эти:

• app_access
• Financials.ReadWrite.All
• user_impersonation

Кто-нибудь знает, как может выглядеть эта конечная точка? Документация очень ограничена.

РЕДАКТИРОВАТЬ:

Это последний сценарий для всех, кто заинтересован в настройке регистрации приложения Business Central.

variable "subscription_id" {
  type = string
}
variable "app_name" {
  type = string
}
variable "app_homepage" {
  type = string
}
variable "app_reply_urls" {
  type = list(string)
}

provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version         = "~> 0.10"
  subscription_id = var.subscription_id
}

data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

data "azuread_service_principal" "d365bc" {
  display_name = "Dynamics 365 Business Central"
}

locals {
  APP_ACCESS_PERMISSION                 = "${matchkeys(data.azuread_service_principal.d365bc.app_roles.*.id, data.azuread_service_principal.d365bc.app_roles.*.value, list("app_access"))[0]}"
  USER_IMPERSONATION_PERMISSION         = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("user_impersonation"))[0]}"
  BC_FINANCIALS_READ_WRITE_PERMISSION   = "${matchkeys(data.azuread_service_principal.d365bc.oauth2_permissions.*.id, data.azuread_service_principal.d365bc.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  GRAPH_FINANCIAL_READ_WRITE_PERMISSION = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("Financials.ReadWrite.All"))[0]}"
  MAIL_READ_PERMISSION                  = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("User.Read"))[0]}"
  MAIL_PERMISSION                       = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("email"))[0]}"
  OFFLINE_PERMISSION                    = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("offline_access"))[0]}"
  OPENID_PERMISSION                     = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("openid"))[0]}"
  PROFILE_PERMISSION                    = "${matchkeys(data.azuread_service_principal.graph-api.oauth2_permissions.*.id, data.azuread_service_principal.graph-api.oauth2_permissions.*.value, list("profile"))[0]}"
}

resource "azuread_application" "businessCentral" {
  name                       = var.app_name
  homepage                   = var.app_homepage
  identifier_uris            = []
  reply_urls                 = var.app_reply_urls
  available_to_other_tenants = true
  type                       = "webapp/api"

  required_resource_access {
    resource_app_id = data.azuread_service_principal.graph-api.application_id
    resource_access {
      id   = local.GRAPH_FINANCIAL_READ_WRITE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.MAIL_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.MAIL_READ_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OFFLINE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OPENID_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.PROFILE_PERMISSION
      type = "Scope"
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_service_principal.d365bc.application_id
    resource_access {
      id   = local.APP_ACCESS_PERMISSION
      type = "Role"
    }
    resource_access {
      id   = local.USER_IMPERSONATION_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.BC_FINANCIALS_READ_WRITE_PERMISSION
      type = "Scope"
    }
  }

  app_role {
    allowed_member_types = [
      "Application"
    ]
    description  = "Admins can manage roles and perform all task actions"
    display_name = "Admin"
    is_enabled   = true
    value        = "Admin"
  }
}

Следует отметить, что app_access - это Role, а остальные разрешения API - Scope.

Вы можете вызвать вышеуказанную терраформу с помощью:

terraform plan -var="subscription_id={your_scription_id}" -var='app_reply_urls={your_urls_array}' -var="app_name={your_app_name}" -var="app_homepage={your_app_homepage}"