azure - 错误 "GroupsClient.BaseClient.Post() An invalid operation was included in the following modified references: ' Members'"是什么意思？

Question

我正在尝试通过 Terraform 将现有的 Azure 注册应用程序添加到现有的 Azure Active Directory 组。我使用以下顺序来完成任务:

// References the existing AAD group
data "azuread_group" "existing_aad_group" {
  display_name = "<display name of the aad group>"
  security_enabled = true
}

// References the existing registered application
data "azuread_application" "existing_registered_application" {
  display_name = "<display name of the registered application>"
}

// --> Adds the application as a member of the AAD group.
resource "azuread_group_member" "registered_app_member" {
  group_object_id = data.azuread_group.existing_aad_group.object_id
  member_object_id  = data.azuread_application.existing_registered_application.object_id
}

上面的代码失败并出现以下错误:

╷
│ Error: Adding group member "ceb93cb8XXXXX" to group "2f16446cXXXX"
│ 
│   with module.service.azuread_group_member.function_app,
│   on ../../resources/aad_group.tf line 6, in resource "azuread_group_member" "function_app":
│    6: resource "azuread_group_member" "function_app" {
│ 
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error:
│ Request_BadRequest: An invalid operation was included in the following
│ modified references: 'members'.
╵

问题

此错误意味着什么以及如何修复它？

Answer 1

我尝试在我的环境中重现相同的内容:

使用的代码:

resource "azuread_group" "example" {
  display_name     = "kavyaMyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true

  members = [
    azuread_user.example.object_id,
    # more users 
   ]
}

resource "azuread_group_member" "registered_app_member" {
  group_object_id = azuread_group.example.object_id
  member_object_id  = azuread_application.example.object_id
}

resource "azuread_application" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"


  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }
}

收到相同的错误:

azuread_group_member.registered_app_member: Creating... │ Error:Adding group member "xxx" to group "xxxx"

│ with azuread_group_member.registered_app_member, │ on main.tfline 84, in resource "azuread_group_member" "registered_app_member": │84: resource "azuread_group_member" "registered_app_member" {

│ GroupsClient.BaseClient.Post(): unexpected status 400 with ODataerror: Request_BadRequest: An invalid operation │ was included inthe following modified references: 'members'.

由于无法直接添加应用程序，我尝试创建现有应用程序的服务主体，然后使用其对象 ID 分配给该组:

代码:

resource "azuread_application" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }
}


resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
}

#below code adds Enterprise app to required group

resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
}

使用 terraform apply 成功运行 Terraform 代码

<小时/>

可以看到应用程序以企业应用程序的形式添加到组中，因为我们正在使用应用程序的服务主体:

<小时/>

应用程序:

引用: azuread_service_principal | Resources | hashicorp/azuread | Terraform Registry