Creating a Microsoft Entra Enterprise Application using Terraform

darkedges

Posted on October 1, 2024


This is the first part of a series on configuring ForgeRock Identity (PingAM) to use Microsoft Entra as an authentication provider, using Terraform to create the necessary Enterprise Application.

Prerequisites

We need two tools available to help us create the Microsoft Entra Enterprise Application:

  • terraform
  • azure cli

The following commands install them on Ubuntu:

sudo snap install terraform-cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

There are many ways to install these, but the above is quick and dirty and should work with some alterations on other platforms. Note that the second command pipes a downloaded script straight into sudo bash, which means running unreviewed code as root; if that bothers you, download the script first and read it, or follow Microsoft's manual apt-repository instructions for the Azure CLI instead. Once the series is completed I will update this with more details on how to get these tools on other platforms, but in the meantime Google is your friend.

Check out the source repository

We are going to use the Docker ForgeRock Quickstart repository to get the necessary Terraform files, so let's clone it (the SSH URL below assumes you have an SSH key registered with GitHub; the HTTPS clone URL works otherwise).

git clone git@github.com:darkedges/devspace-forgerock-quickstart.git

Log in to Azure

Terraform needs credentials to create the application: the Terraform Azure AD provider can authenticate with the session the Azure CLI establishes, so log in first. Use an account that is allowed to create app registrations in the target tenant (for example one holding the Application Developer role) rather than a Global Administrator; creating an app registration does not need more than that.

az login
  1. A browser should open and ask you to log into your Azure subscription.
  2. Provide your credentials; if successful, the CLI reports that it is logged in.
  3. When asked to select a subscription and tenant, choose the one the application should be created in.

Terraforming

Now we can go through the standard Terraform steps:

  • init
  • plan
  • apply

Update the URIs

This step is important: with the placeholder values left in, the deployment will fail. It also assumes you have already added and verified your domain in Microsoft Entra, because an https identifier URI must use a domain that is verified in the tenant. Details on adding a domain are available at https://learn.microsoft.com/en-us/entra/identity/users/domains-manage

Edit the file terraform.tfvars, replacing <Your Domain> with your own domain. Entra matches redirect URIs exactly, so the value must be the precise https URL that PingAM will send users back to; do not use wildcards or http.

applicationIdentifierUris=["https://<Your Domain>/openam/oauth2"]
applicationwebRedirectUris=["https://<Your Domain>/openam/XUI"]

Init

First, make sure we are in the correct directory:

cd devspace-forgerock-quickstart/docker/terraform/init/entra

Next, initialise the working directory:

terraform init

This downloads the provider plugins the next steps need. Any failures will need to be addressed, but hopefully there are none.

see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-init

Plan

This phase compares the configuration against the state Terraform knows about and against what exists in Azure. Since this is the first run, every resource should show as to be created (green + lines) and nothing as changed or destroyed.

terraform plan

see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-plan

Apply

This phase creates the resources in Azure. --auto-approve skips the interactive confirmation, which is fine for a throwaway lab tenant; for anything else drop it (or apply a saved plan file) so you review the changes before they are made.

terraform apply --auto-approve

see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-apply

Note: terraform will print the client_id in plain text, but the client_secret is marked sensitive and is redacted in the apply output, so it needs to be collected separately. It is still stored in plaintext in terraform.tfstate, so treat that file (and any remote backend that holds it) as a secret.

Output

Once it has finished you can collect the client_id and client_secret with the following commands (terraform output shows a sensitive value when you name it explicitly; add -raw when feeding it to a script so the value is not quoted):

terraform output client_id
terraform output client_secret
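As an added example (not code from this post or from the devspace-forgerock-quickstart repository), the script below wraps the init/plan/apply procedure above with the checks a practitioner would want before creating an app registration: it confirms the Azure CLI is logged into the intended tenant, rejects tfvars URIs that are not https or still carry the <Your Domain> placeholder or a wildcard, applies a saved plan instead of --auto-approve, and writes the outputs to mode-0600 files using -raw. The directory layout and the tfvars variable names come from the post; the function names, the RUN_DEPLOY switch and the expected-tenant argument are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own tooling. Wraps terraform
# init/plan/apply for the Entra app registration with some pre-flight checks.
# Assumes terraform.tfvars uses the variable names from the post
# (applicationIdentifierUris, applicationwebRedirectUris); the function
# names and the RUN_DEPLOY switch are this example's own.
set -eu

# Return 0 if $1 is an acceptable identifier/redirect URI for an Entra app:
# https only, no unreplaced <placeholder>, no wildcard, no fragment.
check_uri() {
  uri="$1"
  case "$uri" in
    https://*) ;;
    *) echo "rejected (not https): $uri" >&2; return 1 ;;
  esac
  case "$uri" in
    *'<'*|*'>'*) echo "rejected (placeholder not replaced): $uri" >&2; return 1 ;;
    *'*'*)       echo "rejected (wildcard): $uri" >&2; return 1 ;;
    *'#'*)       echo "rejected (fragment): $uri" >&2; return 1 ;;
  esac
  return 0
}

# Pull every "..." string out of a tfvars list assignment such as
#   applicationwebRedirectUris=["https://a/x","https://b/y"]
# and run check_uri on each. $1 = variable name, $2 = tfvars file.
check_tfvars_var() {
  name="$1"; file="$2"
  line=$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$file" || true)
  [ -n "$line" ] || { echo "missing $name in $file" >&2; return 1; }
  uris=$(printf '%s\n' "$line" | grep -oE '"[^"]*"' | tr -d '"' || true)
  [ -n "$uris" ] || { echo "$name is empty" >&2; return 1; }
  rc=0
  # Read line by line so a URI containing a space (e.g. a leftover
  # "<Your Domain>") is checked as one value, not split into two.
  while IFS= read -r u; do
    [ -n "$u" ] || continue
    check_uri "$u" || rc=1
  done <<EOF
$uris
EOF
  return $rc
}

# Compare the tenant the Azure CLI is logged into with the expected one,
# so the app is not accidentally created in the wrong directory.
expected_tenant_matches() {
  expected="$1"
  actual=$(az account show --query tenantId -o tsv 2>/dev/null) || return 1
  [ "$actual" = "$expected" ]
}

deploy() {
  dir="$1"; tenant="$2"
  cd "$dir"
  expected_tenant_matches "$tenant" || { echo "az is not logged into tenant $tenant" >&2; return 1; }
  check_tfvars_var applicationIdentifierUris terraform.tfvars
  check_tfvars_var applicationwebRedirectUris terraform.tfvars
  terraform init -input=false
  # Save the plan and apply exactly that plan instead of --auto-approve,
  # so what gets applied is what was reviewed.
  terraform plan -input=false -out=tfplan
  terraform apply -input=false tfplan
  # Sensitive outputs are still printed when named explicitly; -raw drops
  # the quoting. Write the secret to a 0600 file rather than the terminal.
  # It also lives in terraform.tfstate in plaintext; protect that file too.
  umask 077
  terraform output -raw client_id > client_id.txt
  terraform output -raw client_secret > client_secret.txt
}

# Only run the deployment when explicitly asked, so the file can be sourced
# for its check functions alone.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy "${1:-.}" "${2:?expected tenant id required}"
fi
```

Run it as RUN_DEPLOY=1 ./deploy.sh devspace-forgerock-quickstart/docker/terraform/init/entra <tenant-id>; without RUN_DEPLOY it only defines the functions, so it can be sourced to check a tfvars file on its own before you touch Azure.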

Azure Console

Now that the Microsoft Entra Enterprise Application exists, you can view it in the portal by going to https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview and selecting the DFQ Local Development link.

Conclusion

This is enough to get a basic Microsoft Entra Enterprise Application deployed into your environment. Over the course of the next posts we will see how to configure a Journey in PingAM that uses it to SSO from Microsoft Entra into PingAM.

Another post will deep dive into the terraform configuration so that you can understand how it works.

This example also uses the previous version of the Azure provider; it will be updated to the latest version shortly and may be rewritten to follow a more meaningful pattern.
