sticky-exabyte-94099
01/03/2022, 8:37 AM

billowy-army-68599
01/03/2022, 3:25 PM

sticky-exabyte-94099
01/03/2022, 3:40 PM
// Work around a preview issue <https://github.com/pulumi/pulumi-azure/issues/192>
var principalId = apiApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

// Grant App Service access to KV secrets
var policy = new AccessPolicy("api-app-policy", new AccessPolicyArgs
{
    KeyVaultId = KeyVault.Apply(t => t.Id),
    TenantId = TenantId,
    ObjectId = principalId,
    SecretPermissions = { "get" },
});

// Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app;
// the Azure AD admin has full control of every database on the server)
var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId,
    Login = "adadmin",
    ServerName = SqlServerName,
});

// Grant access from App Service to the container in the storage
var posterImagesBlobPermission = new Assignment("readposterblobpermission", new AssignmentArgs
{
    PrincipalId = principalId,
    Scope = Output.Format($"{StorageAccountId}/blobServices/default/containers/{posterImagesStorageContainer.Name}"),
    // The built-in Azure role is named "Storage Blob Data Reader"; any other name must match a role definition that exists in the subscription
    RoleDefinitionName = "Poster Images Storage Blob Data Reader",
});
billowy-army-68599
01/03/2022, 3:44 PM

sticky-exabyte-94099
01/03/2022, 3:45 PM

billowy-army-68599
01/03/2022, 3:46 PM

sticky-exabyte-94099
01/03/2022, 5:46 PM

billowy-army-68599
01/03/2022, 6:01 PM

sticky-exabyte-94099
01/03/2022, 6:10 PM
pulumi import azure-native:sql:ServerAzureADAdministrator activeDirectory /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/sqlcrudtest-4799/providers/Microsoft.Sql/servers/sqlcrudtest-6440/administrators/ActiveDirectory
(with my values)
Found this here https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/serverazureadadministrator/

billowy-army-68599
01/03/2022, 6:45 PM
pulumi destroy
it'll remove the resource

sticky-exabyte-94099
01/03/2022, 6:48 PM

billowy-army-68599
01/03/2022, 6:50 PM

sticky-exabyte-94099
01/03/2022, 6:56 PM
var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId,
    Login = "adadmin",
    ServerName = SqlServerName,
});
but this (identityadmin) doesn't here, I always get the already exists error
var sqlAdmin = new ActiveDirectoryAdministrator("identityadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId,
    Login = "adadmin",
    ServerName = SqlServerName,
});
So close... ;-)

billowy-army-68599
01/03/2022, 7:19 PM
adadmin - you probably want to use autonaming for the Login field

sticky-exabyte-94099
01/03/2022, 7:51 PM

billowy-army-68599
01/03/2022, 9:03 PM
identityadmin - it means that already exists

sticky-exabyte-94099
01/03/2022, 9:05 PM

billowy-army-68599
01/03/2022, 9:12 PM

sticky-exabyte-94099
01/06/2022, 12:00 PM

billowy-army-68599
01/06/2022, 2:24 PM
pulumi refresh will get your state in the right place if you manually delete things
pulumi state unprotect will unprotect resources

sticky-exabyte-94099
01/06/2022, 2:27 PM
... create a SQLServer
// use that sql server and create AD
var activeDirectory = new AzureNative.Sql.ServerAzureADAdministrator("activeDirectory", new AzureNative.Sql.ServerAzureADAdministratorArgs
{
    AdministratorName = "ActiveDirectory",
    AdministratorType = "ActiveDirectory",
    Login = "adadmin",
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    ServerName = SqlServer.Apply(t => t.Name),
    Sid = "d4aee8f4-2aa3-42cf-b6b0-1260b11516d7",
    TenantId = CurrentPricipal,
});

// Create one service
var identityApp = new AppService("IdentityService", new AppServiceArgs
{
    ... code to create service
});
var principalId1 = identityApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

// Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app)
var sqlAdmin = new ActiveDirectoryAdministrator("identityadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId1, //<-- basically this... how do I tie a sql admin and appservice...
    Login = "adadmin",
    ServerName = SqlServer.Apply(t => t.Name),
});
And this just works fine...
But then I have another service that I also want to be the admin of the SQL server....
// If I try this I get an error telling me a resource ActiveDirectory already exists..
// (an Azure SQL server has a single Azure AD administrator, at ".../administrators/ActiveDirectory", so a second
// ActiveDirectoryAdministrator for the same server collides with the first; to let several identities administer it,
// make an Azure AD group the admin, or add each identity as a database user with only the rights it needs)
var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId2, //<-- from service nr 2
    Login = "adadmin",
    ServerName = SqlServer.Apply(t => t.Name),
});
I get this
A resource with the ID "/subscriptions/.../resourceGroups/beinni-rg52d042de/providers/Microsoft.SQL/servers/sqlserverbeinni5c30eaa/administrators/ActiveDirectory" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_sql_active_directory_administrator" for more information.
and I have no idea how I can then use that AD to connect things together...
What I'm finding is that the examples and explanations are just too shallow (just one service and a simple setup) or hard to figure out... this is e.g. the only example of ActiveDirectoryAdministrator usage I can find: https://github.com/pulumi/examples/blob/258d3bad0a00020704743e37911c51be63c06bb4/classic-azure-cs-msi-keyvault-rbac/AppStack.cs
I would benefit from larger, more complex examples and setups...
Hope you can assist me soon. Thank you and sorry for being so daft!

var sqlAdmin = ActiveDirectoryAdministrator.Get("identityadmin");
sqlAdmin.ObjectId = principalId;
but ObjectId is read only...

billowy-army-68599
01/07/2022, 2:06 PM

sticky-exabyte-94099
01/07/2022, 2:17 PM

billowy-army-68599
01/07/2022, 2:22 PM

sticky-exabyte-94099
01/07/2022, 2:35 PM

billowy-army-68599
01/07/2022, 5:42 PM

sticky-exabyte-94099
01/07/2022, 6:03 PM
ActiveDirectoryAdministrator and then assign the service's principal to that admin, and do it once for each service?
I sure hope you can point me in the right direction here or give me any idea at all what to do...