azure - Terraform cycle error when doing Azure app registrations

Tags: azure azure-active-directory terraform azure-web-app-service terraform-provider-azure

I am trying to register two applications, one front-end application and one back-end application. I have also provisioned the corresponding web apps for them. I am using Terraform to deploy my applications and all of the infrastructure. But when running the TF plan I get a cycle error. Please find my code below. Can anyone help me correct this problem?

Web app FE code

resource "azurerm_app_service" "fe" {
  location            = module.resourcegroup.resource_group.location
  resource_group_name = module.resourcegroup.resource_group.name
  tags                = module.resourcegroup.resource_group.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = module.names-web-app-fe.location.app_service.name_unique
  identity { type = "SystemAssigned" }

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    issuer                        = format("https://sts.windows.net/%s/", data.azurerm_client_config.default.tenant_id)
    runtime_version               = "~1"
    token_store_enabled           = true
    unauthenticated_client_action = "RedirectToLoginPage"
    additional_login_params = {
      "response_type" = "code id_token",
      "resource"      = azuread_application.app-fe.application_id
    }
    active_directory {
      # Easy Auth needs the app registration's client (application) ID, not its object ID
      client_id         = azuread_application.app-fe.application_id
      # the secret value itself, not the object ID of the application it belongs to
      client_secret     = azuread_application_password.fe-app-sp-secret.value
      allowed_audiences = [format("https://%s.azurewebsites.net", module.names-web-app-fe.location.app_service.name_unique)]
    }
  }

  site_config {
    always_on                = true
    app_command_line         = ""
    default_documents        = []
    dotnet_framework_version = "v4.0"
    ftps_state               = "Disabled"
    health_check_path        = ""
    http2_enabled            = true
    linux_fx_version         = "STATICSITE|1.0"
    local_mysql_enabled      = false
    managed_pipeline_mode    = "Integrated"
    min_tls_version          = "1.2"
    #pre_warmed_instance_count = 0
    python_version            = "3.4"
    remote_debugging_enabled  = false
    remote_debugging_version  = "VS2019"
    use_32_bit_worker_process = false
    websockets_enabled        = false
    windows_fx_version        = ""
    cors {
      allowed_origins     = []
      support_credentials = false
    }
  }

  app_settings = {
    "WEBSITE_DNS_SERVER"     = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL" = "1"
  }
}

Web app BE code

resource "azurerm_app_service" "be" {
  location            = module.resourcegroup.resource_group.location
  resource_group_name = module.resourcegroup.resource_group.name
  tags                = module.resourcegroup.resource_group.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = module.names-web-app-be.location.app_service.name_unique
  identity { type = "SystemAssigned" }

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    issuer                        = format("https://sts.windows.net/%s/", data.azurerm_client_config.default.tenant_id)
    runtime_version               = "~1"
    token_store_enabled           = true
    unauthenticated_client_action = "RedirectToLoginPage"
    additional_login_params = {
      "response_type" = "code id_token",
      "resource"      = azuread_application.app-be.application_id
    }
    active_directory {
      # Easy Auth needs the app registration's client (application) ID, not its object ID
      client_id         = azuread_application.app-be.application_id
      # the secret value itself, not the object ID of the application it belongs to
      client_secret     = azuread_application_password.be-app-sp-secret.value
      allowed_audiences = []
    }
  }

  site_config {
    always_on                 = true
    app_command_line          = ""
    default_documents         = []
    dotnet_framework_version  = "v4.0"
    ftps_state                = "AllAllowed"
    health_check_path         = ""
    http2_enabled             = true
    linux_fx_version          = "DOTNETCORE|3.1"
    local_mysql_enabled       = false
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    python_version            = "3.4"
    remote_debugging_enabled  = false
    remote_debugging_version  = "VS2019"
    use_32_bit_worker_process = false
    windows_fx_version        = ""
    websockets_enabled        = true
    cors {
      allowed_origins     = [format("https://%s", azurerm_app_service.fe.default_site_hostname)]
      support_credentials = true
    }
  }

  app_settings = {
    "WEBSITE_DNS_SERVER"     = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL" = "1"
  }
}

UUID code

resource "random_uuid" "qb2-sal" {}

FE app registration code

resource "azuread_application" "app-fe" {
  display_name = format("%s-fe", var.project.name)

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allows the app to read and write data"
      admin_consent_display_name = local.oauth2_permissions.read-and-write.admin_consent_display_name
      enabled                    = true
      id                         = random_uuid.qb2-sal.result # attribute is "result", as in the BE registration below
      type                       = "User"
      value                      = "read-and-write"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Application administrators have the ability to administer the application."
    display_name         = local.app_roles.application-administrator.display_name
    enabled              = true
    id                   = "02c4e591-d667-51db-5597-e2c446ec246b"
    value                = "application-administrator"
  }

  web {
    logout_url    = format("https://%s.azurewebsites.net/.auth/logout", module.names-web-app-fe.location.app_service.name_unique)
    redirect_uris = [format("https://%s.azurewebsites.net/.auth/login/aad/callback", module.names-web-app-fe.location.app_service.name_unique)]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  required_resource_access {
    resource_app_id = azuread_application.app-be.application_id # the BE app registration (not Microsoft Graph)

    resource_access {
      id   = "02c4e591-d667-51db-5597-e2c446ec246b" # the "application-administrator" app role declared on app-be
      type = "Role"
    }
  }
}

FE app SP secret

resource "azuread_application_password" "fe-app-sp-secret" {
  application_object_id = azuread_application.app-fe.object_id
}

BE app registration

resource "azuread_application" "app-be" {
  display_name = format("%s-be", var.project.name)

  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allows the app to read and write data"
      admin_consent_display_name = local.oauth2_permissions.read-and-write.admin_consent_display_name
      enabled                    = true
      id                         = random_uuid.qb2-sal.result
      type                       = "User"
      value                      = "read-and-write"
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Application administrators have the ability to administer the application."
    display_name         = local.app_roles.application-administrator.display_name
    enabled              = true
    id                   = "02c4e591-d667-51db-5597-e2c446ec246b"
    value                = "application-administrator"
  }

  web {
    logout_url    = format("https://%s.azurewebsites.net/.auth/logout", module.names-web-app-be.location.app_service.name_unique)
    redirect_uris = [format("https://%s.azurewebsites.net/.auth/login/aad/callback", module.names-web-app-be.location.app_service.name_unique)]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }
}

BE app SP secret

resource "azuread_application_password" "be-app-sp-secret" {
  application_object_id = azuread_application.app-be.object_id
}

Error when running the TF plan

 Error: .group_membership_claims: missing expected [

Best answer

Your code has a resource dependency problem. You may need to use the terraform graph command, terraform graph -draw-cycles, or draw the dependency graph by hand (although that is painful) to understand what is actually going on. Check this answer for more information.

Looking at your code, you seem to have:

  1. azurerm_app_service.fe depends on azuread_application.app-fe
  2. azurerm_app_service.be depends on azurerm_app_service.be
  3. azurerm_app_service.be depends on azurerm_app_service.fe

That seems to be where your cycle is. Your FE AppService depends on the BE AppService being created, but the BE AppService depends on the FE AppService's hostname.

I believe that, as a quick fix, you could try removing this line (although I have not tried it). Otherwise, re-reference it, or even try adding it after deployment.

allowed_origins     = [format("https://%s", azurerm_app_service.fe.default_site_hostname)]
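One way to apply the "re-reference it" suggestion, as an added example that is not part of the question or the answer: an App Service's default hostname is always <name>.azurewebsites.net, so the BE CORS origin can be derived from the deterministic FE name (the same module.names-web-app-fe output the question already uses for redirect_uris) instead of from the azurerm_app_service.fe resource, which removes the be -> fe edge from the graph. Resource and module names are assumed to be those in the question.

```hcl
# Added example, not code from the original question or answer.
# Assumes the question's names: module.names-web-app-fe / -be and azurerm_app_service.be.

locals {
  # Computable at plan time: no dependency on the azurerm_app_service resources.
  fe_hostname = format("%s.azurewebsites.net", module.names-web-app-fe.location.app_service.name_unique)
  be_hostname = format("%s.azurewebsites.net", module.names-web-app-be.location.app_service.name_unique)
}

resource "azurerm_app_service" "be" {
  # location, resource_group_name, tags, app_service_plan_id, name, identity,
  # auth_settings and app_settings stay exactly as in the question.

  site_config {
    # remaining site_config arguments stay as in the question
    cors {
      # Before: [format("https://%s", azurerm_app_service.fe.default_site_hostname)]
      # That expression made the BE app service wait for the FE app service.
      allowed_origins     = [format("https://%s", local.fe_hostname)]
      support_credentials = true
    }
  }
}

# The FE app service can use the same local for its own audience list, so every
# hostname in the configuration comes from one place.
resource "azurerm_app_service" "fe" {
  # other arguments stay as in the question

  auth_settings {
    # other auth_settings arguments stay as in the question
    active_directory {
      # client_id and client_secret stay as in the question
      allowed_audiences = [format("https://%s", local.fe_hostname)]
    }
  }
}
```

After the change, terraform graph -draw-cycles should no longer mark any edge as part of a cycle, and the BE app service will still accept browser requests from the FE origin.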

Regarding "azure - Terraform cycle error when doing Azure app registrations", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69616479/
