Я пытаюсь создать сценарий terraform, который зарегистрирует приложение в Azure AD.
Мне удалось создать сценарий, который читает только из областей Microsoft Graph. Но у меня возникли проблемы с определением эквивалента этих областей в Business Central (облачная версия).
Для Microsoft Graph у меня есть следующие разрешения:
- email
- offline_access
- openid
- profile
- Financials.ReadWrite.All
- User.Read
И я получал их в Terraform следующим образом:
# Azure AD provider used to look up service principals and register the app.
# No credentials are set here; presumably they come from the environment or
# the Azure CLI login — confirm before running in automation.
provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "~> 0.10"
  subscription_id = var.subscription_id
}
# Looks up the Microsoft Graph service principal in the current tenant by its
# display name; its oauth2_permissions list is used below to resolve scope
# names to permission ids, and its application_id identifies the resource API.
data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}
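locals {
  # Map delegated-permission (OAuth2 scope) names on the Microsoft Graph
  # service principal to the permission GUIDs that azuread_application's
  # required_resource_access blocks need.
  #
  # matchkeys() returns the id(s) whose sibling .value equals the requested
  # scope name; [0] unwraps the single match. If the name does not exist on
  # the service principal the result is empty and plan fails with an index
  # error, which is the desired fail-fast behaviour rather than silently
  # requesting nothing.
  #
  # Written in Terraform 0.12 syntax (the file already uses 0.12 features):
  # bare expressions instead of a "${...}" wrapper and a list literal instead
  # of the deprecated list() function. The resulting values are unchanged.
  graph_scope_ids    = data.azuread_service_principal.graph-api.oauth2_permissions.*.id
  graph_scope_values = data.azuread_service_principal.graph-api.oauth2_permissions.*.value

  MAIL_PERMISSION      = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["email"])[0]
  USER_READ_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["User.Read"])[0]
  # Broad read/write scope over all financial data — check it is the minimum
  # the application actually needs.
  FINANCIALS_READ_WRITE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["Financials.ReadWrite.All"])[0]
  # offline_access is the standard OIDC scope that allows a refresh token to
  # be issued, so the app can keep acting after the interactive session ends.
  OFFLINE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["offline_access"])[0]
  OPENID_PERMISSION  = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["openid"])[0]
  PROFILE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["profile"])[0]
}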
Кажется, что всё работает нормально. Теперь я пытаюсь найти аналогичный способ сделать это для Dynamics 365 Business Central.
Меня интересуют эти:
- app_access
- Financials.ReadWrite.All
- user_impersonation
Кто-нибудь знает, как может выглядеть эта конечная точка? Документация очень ограничена.
РЕДАКТИРОВАТЬ:
Это итоговый сценарий для всех, кто заинтересован в настройке регистрации приложения Business Central.
# Subscription id passed through to the azuread provider block below.
variable "subscription_id" {
  type = string
}
# Display name of the Azure AD application registration that is created.
variable "app_name" {
  type = string
}
# Home page URL recorded on the application registration.
variable "app_homepage" {
  type = string
}
# Redirect (reply) URIs of the application. Authorization codes and tokens are
# delivered to these URLs, so list only exact HTTPS URLs you control; avoid
# wildcards or URLs on shared hosts.
variable "app_reply_urls" {
  type = list(string)
}
# Azure AD provider used to look up service principals and register the app.
# No credentials are set here; presumably they come from the environment or
# the Azure CLI login — confirm before running in automation.
provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "~> 0.10"
  subscription_id = var.subscription_id
}
# Microsoft Graph service principal; provides the oauth2_permissions list
# used to resolve delegated scope names to ids, and the application_id used
# as resource_app_id in the registration below.
data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}
# Dynamics 365 Business Central service principal. Its app_roles list holds
# the application permissions (type "Role", e.g. app_access) and its
# oauth2_permissions list the delegated scopes (type "Scope") resolved below.
data "azuread_service_principal" "d365bc" {
  display_name = "Dynamics 365 Business Central"
}
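locals {
  # Resolve permission names on the two resource APIs to the GUIDs that
  # azuread_application.required_resource_access expects.
  #
  # Application permissions (type "Role") live in the service principal's
  # app_roles list; delegated permissions (type "Scope") live in its
  # oauth2_permissions list. matchkeys() returns the id(s) whose sibling
  # .value equals the name and [0] unwraps the single match; an unknown name
  # yields an empty list and plan fails with an index error (fail-fast).
  #
  # Written in Terraform 0.12 syntax (the file already uses 0.12 features):
  # bare expressions instead of "${...}" wrappers and list literals instead of
  # the deprecated list() function. All existing local names keep their values.
  bc_role_ids        = data.azuread_service_principal.d365bc.app_roles.*.id
  bc_role_values     = data.azuread_service_principal.d365bc.app_roles.*.value
  bc_scope_ids       = data.azuread_service_principal.d365bc.oauth2_permissions.*.id
  bc_scope_values    = data.azuread_service_principal.d365bc.oauth2_permissions.*.value
  graph_scope_ids    = data.azuread_service_principal.graph-api.oauth2_permissions.*.id
  graph_scope_values = data.azuread_service_principal.graph-api.oauth2_permissions.*.value

  # app_access is an application permission: it is granted to the app itself,
  # without a signed-in user, and therefore needs administrator consent.
  APP_ACCESS_PERMISSION         = matchkeys(local.bc_role_ids, local.bc_role_values, ["app_access"])[0]
  USER_IMPERSONATION_PERMISSION = matchkeys(local.bc_scope_ids, local.bc_scope_values, ["user_impersonation"])[0]
  # Broad read/write scopes over all financial data on both APIs — check
  # they are the minimum the application actually needs.
  BC_FINANCIALS_READ_WRITE_PERMISSION    = matchkeys(local.bc_scope_ids, local.bc_scope_values, ["Financials.ReadWrite.All"])[0]
  GRAPH_FINANCIAL_READ_WRITE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["Financials.ReadWrite.All"])[0]

  USER_READ_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["User.Read"])[0]
  # Misnamed: this is the User.Read scope, not a mail permission. Kept as an
  # alias so existing references (local.MAIL_READ_PERMISSION) still resolve.
  MAIL_READ_PERMISSION = local.USER_READ_PERMISSION
  MAIL_PERMISSION      = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["email"])[0]
  # offline_access is the standard OIDC scope that allows a refresh token to
  # be issued, so the app can keep acting after the interactive session ends.
  OFFLINE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["offline_access"])[0]
  OPENID_PERMISSION  = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["openid"])[0]
  PROFILE_PERMISSION = matchkeys(local.graph_scope_ids, local.graph_scope_values, ["profile"])[0]
}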
# Registers the application in Azure AD and declares the permissions it
# requests on Microsoft Graph and on Dynamics 365 Business Central.
# Declaring a permission here only records the request; consent (user or
# admin, depending on the permission) is still granted separately.
resource "azuread_application" "businessCentral" {
  name     = var.app_name
  homepage = var.app_homepage
  # No App ID URI is set, so this registration does not itself expose an API
  # identifier that other apps can request tokens for.
  identifier_uris = []
  # Redirect URIs: tokens and authorization codes are sent here, so these must
  # be exact HTTPS URLs under your control.
  reply_urls = var.app_reply_urls
  # NOTE(review): multi-tenant registration — accounts from any Azure AD
  # tenant can consent to and sign in to this app. If only your own tenant
  # should use it, this should be false; confirm the intent.
  available_to_other_tenants = true
  type = "webapp/api"

  # Permissions requested on Microsoft Graph; all are delegated scopes that
  # act on behalf of the signed-in user.
  required_resource_access {
    resource_app_id = data.azuread_service_principal.graph-api.application_id
    # Financials.ReadWrite.All is a broad read/write permission — confirm it
    # is the minimum needed.
    resource_access {
      id   = local.GRAPH_FINANCIAL_READ_WRITE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.MAIL_PERMISSION
      type = "Scope"
    }
    # Despite the local's name this is the User.Read scope (see locals).
    resource_access {
      id   = local.MAIL_READ_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OFFLINE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OPENID_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.PROFILE_PERMISSION
      type = "Scope"
    }
  }

  # Permissions requested on Dynamics 365 Business Central.
  required_resource_access {
    resource_app_id = data.azuread_service_principal.d365bc.application_id
    # app_access is an application permission ("Role"): the app acts as
    # itself with no signed-in user, so it needs admin consent and should be
    # granted only if unattended access is really required.
    resource_access {
      id   = local.APP_ACCESS_PERMISSION
      type = "Role"
    }
    # The remaining Business Central permissions are delegated scopes.
    resource_access {
      id   = local.USER_IMPERSONATION_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.BC_FINANCIALS_READ_WRITE_PERMISSION
      type = "Scope"
    }
  }

  # Declares an "Admin" app role on this registration. allowed_member_types
  # restricts it to applications (service principals), not users; assignment
  # of the role to other apps happens outside this configuration.
  app_role {
    allowed_member_types = [
      "Application"
    ]
    description  = "Admins can manage roles and perform all task actions"
    display_name = "Admin"
    is_enabled   = true
    value        = "Admin"
  }
}
Следует отметить, что app_access — это Role, а остальные разрешения API — Scope.
Запустить приведённую выше конфигурацию Terraform можно командой:
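# Plan the configuration above. The {...} tokens are placeholders to replace
# with your own values; app_reply_urls is a list(string) variable, so pass it
# in HCL list syntax, e.g. -var='app_reply_urls=["https://app.example.invalid/callback"]'
# (constructed example). Fixed the "scription_id" typo in the first placeholder.
terraform plan -var="subscription_id={your_subscription_id}" -var='app_reply_urls={your_urls_array}' -var="app_name={your_app_name}" -var="app_homepage={your_app_homepage}"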