0
votes

Following this article you can link Azure API Management to Users/Groups in Azure Active Directory.

At the moment I am creating the APIM instance with Terraform

resource "azurerm_api_management" "test" {
  name                = "example-apim"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  publisher_name      = "My Company"
  publisher_email     = "[email protected]"

  sku {
    name     = "Developer"
    capacity = 1
  }
}

How do I add the Active Directory Identity Provider to this?


3 Answers

1
votes

Terraform added support for this in December 2019

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_identity_provider_aad

You can now link it with:

resource "azurerm_api_management_identity_provider_aad" "example" {
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  client_id           = "00000000-0000-0000-0000-000000000000"
  client_secret       = "00000000000000000000000000000000"
  allowed_tenants     = ["00000000-0000-0000-0000-000000000000"]
}
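As an added example, not part of the answer above: the same resource with the client secret read from an existing Key Vault secret instead of being written inline, and sign-in restricted to the home tenant. It reuses the `azurerm_resource_group.example` and `azurerm_api_management.example` names from the answer; the variable names, Key Vault ID and secret name are assumptions.

```hcl
# Added example, not from the answer above. Assumed: the Key Vault resource ID,
# the secret name "apim-aad-client-secret" and the two variable names.

variable "aad_client_id" {
  description = "Application (client) ID of the app registration used by the APIM developer portal"
  type        = string
}

variable "key_vault_id" {
  description = "Resource ID of the Key Vault that holds the app registration secret"
  type        = string
}

# Tenant of the identity running Terraform; used to restrict sign-in to that tenant.
data "azurerm_client_config" "current" {}

# The secret lives in Key Vault and is read at plan/apply time, so it is
# never committed to source control.
data "azurerm_key_vault_secret" "aad_client_secret" {
  name         = "apim-aad-client-secret" # assumed secret name
  key_vault_id = var.key_vault_id
}

resource "azurerm_api_management_identity_provider_aad" "example" {
  resource_group_name = azurerm_resource_group.example.name
  api_management_name = azurerm_api_management.example.name
  client_id           = var.aad_client_id
  client_secret       = data.azurerm_key_vault_secret.aad_client_secret.value

  # Accept only the home tenant; add further tenant IDs deliberately
  # rather than leaving the list open.
  allowed_tenants = [data.azurerm_client_config.current.tenant_id]
  signin_tenant   = data.azurerm_client_config.current.tenant_id
}
```

The secret value still ends up in the Terraform state, so the state backend needs access control and encryption at rest; rotating the secret in Key Vault and re-applying is enough to update APIM.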
0
votes

This doesn't seem to be possible with Terraform; however, it can be added by calling the REST API from the Azure CLI.

az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01" -b "{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}"

The body (-b) is JSON that has been formatted onto a single line.

You need to look up the clientId from active directory and know what the clientSecret is.

You can embed this command in Terraform if you wish:

resource "null_resource" "add-ad-identity-provider" {
  provisioner "local-exec" {
    command = "az rest -m put -u \"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/my-resource-group/providers/Microsoft.ApiManagement/service/my-apim/identityProviders/aad?api-version=2019-01-01\" -b \"{'properties':{'clientId':'xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx','clientSecret':'super-secret-password','allowedTenants':['mysite.com']}}\""
  }
  depends_on = ["azurerm_api_management.test"]
}
0
votes

The original answer from March 4th mostly works. However, a piece is missing. You also need to set up an app registration via https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad. That supplies the answers you need (other than the allowed tenants, which are the tenant IDs to allow).

And that is also missing a piece, which is, when configuring the app registration, to also go to API Permissions, add a new permission for Azure Active Directory Graph (under supported legacy APIs), create an Application permission, and add Directory.Read.All. Then grant admin consent.