使用 terraform 设置 azurerm_container_registry,我想知道如何更改某些用户的权限(例如 ReadOnly),或者创建一个 access_key 可以从我的 CI-Pipeline 使用,但根本不需要用户。
最佳答案
此 Terraform 配置创建 ACR 注册表和 Azure 服务主体,
并授予 SP 贡献者 对 ACR 注册表的访问权限。这可以更新为阅读器。
更多信息可以在服务主体的 ACR 身份验证 here 上找到。 .
resource "azurerm_resource_group" "acr-rg" {
name = "acr-rg-007"
location = "West US"
}
resource "azurerm_container_registry" "acr" {
name = "acr00722"
resource_group_name = "${azurerm_resource_group.acr-rg.name}"
location = "${azurerm_resource_group.acr-rg.location}"
sku = "standard"
}
resource "azurerm_azuread_application" "acr-app" {
name = "acr-app"
}
resource "azurerm_azuread_service_principal" "acr-sp" {
application_id = "${azurerm_azuread_application.acr-app.application_id}"
}
resource "azurerm_azuread_service_principal_password" "acr-sp-pass" {
service_principal_id = "${azurerm_azuread_service_principal.acr-sp.id}"
value = "Password12"
end_date = "2020-01-01T01:02:03Z"
}
resource "azurerm_role_assignment" "acr-assignment" {
scope = "${azurerm_container_registry.acr.id}"
role_definition_name = "Contributor"
principal_id = "${azurerm_azuread_service_principal_password.acr-sp-pass.service_principal_id}"
}
output "docker" {
value = "docker login ${azurerm_container_registry.acr.login_server} -u ${azurerm_azuread_service_principal.acr-sp.application_id} -p ${azurerm_azuread_service_principal_password.acr-sp-pass.value}"
}
关于使用 Terraform 的 Azure 容器注册表权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51783221/