azure - 将 Azure RBAC 分配到资源组级别的 Azure AD 安全组

Question

我正在尝试弄清楚如何将 Azure 中的内置角色分配给我正在创建的 Azure 广告组。 但是我在阅读文档时不明白其中的逻辑。

这是我的地形代码:

az-rbac.tf

data "azurerm_subscription" "current" {
}

output "current_subscription_display_name" {
  value = data.azurerm_subscription.current.display_name
}

data "azurerm_client_config" "azuread_sg_cns" {
}

resource "azurerm_role_assignment" "reader-rbac" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_group.azuread_sg_cns.object_id
}

main.tf

terraform {

  required_version = ">=0.12"
  
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.15.0"
    }
  }
}
#Configure the Azure Resource Management Provider
provider "azurerm" {
    subscription_id = var.azure_subscription_id
    tenant_id = var.azure_tenant_id
  features {}
}

# Configure the Azure Active Directory Provider
provider "azuread" {
  tenant_id = var.azure_tenant_id
}

#create azure active directory group
data "azuread_client_config" "current" {}

resource "azuread_group" "azuread_sg" {
  display_name     = var.azure_sg_name
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create azure active directory group cns

resource "azuread_group" "azuread_sg_cns" {
  display_name     = var.azuread_sg_cns
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create cost reader group
resource "azuread_group" "azuread_sg_cost-mgmt" {
  display_name     = var.azuread_sg_cost-mgmt
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create azure resource group
resource "azurerm_resource_group" "rg" {
  name     = var.azure_rg_name
  location = var.azure_resource_group_location
}

#create azure key vault
resource "azurerm_key_vault" "akv" {
  name                        = lower("${var.azure_project_code}-${var.azure_env_code}-akv-01")
  location                    = var.azure_resource_group_location
  resource_group_name = azurerm_resource_group.rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = var.azure_tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

}

resource "azurerm_storage_account" "sa" {
  name                     = lower("${var.azure_project_code}${var.azure_env_code}sa01")
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.azure_resource_group_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "ctnr" {
  name                  = lower("${var.azure_project_code}${var.azure_env_code}ctnr01")
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

变量.tf

variable "azure_resource_group_location" {
  default = "west europe"
  description   = "Location of the resource group."
}

variable "azure_subscription_id" {
  type        = string
  description = "Azure Subscription Id"
}

variable "azure_tenant_id" {
  type        = string
  description = "Azure Tenant Id"
}

variable "azure_sg_name" {
  type        = string
  description = "Azure AD Security Group Name"
}

variable "azuread_sg_cns" {
  type        = string
  description = "Azure AD Security Group Name CNS"
}

variable "azuread_sg_cost-mgmt" {
  type        = string
  description = "Azure AD Security Group Name Cost Mgmt"
}

variable "azure_rg_name" {
  type        = string
  description = "Azure Resource Group Name"
}

variable "azure_client_code" {
  type        = string
  description = "Azure Client code"
}

variable "azure_project_code" {
  type        = string
  description = "Azure Project Code"
}

variable "azure_env_code" {
  type        = string
  description = "Azure Environment Code"
}

env.tfvars

#Azure tenant id
azure_tenant_id ="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure subscription
azure_subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure resource group location
azure_resource_group_location = "west europe"
# #Azure ad Sg
azure_sg_name = "sg - eu-dev-test-testproject"
# #Azure ad Sg CNS
azuread_sg_cns = "sg -cns - eu-dev-test-testproject"
#Azure Cost Reader
azuread_sg_cost-mgmt = "sg - Cost Reader - eu-dev-test-testproject"
#Azure RG name
azure_rg_name = "eu-dev-test-testproject"
#Azure project code
azure_project_code = "testproject"
#Azure client code
azure_client_code = "test"
#Environement code : sbx, dev, ppd, prd
azure_env_code="dev"

所以我尝试创建多个资源，例如:

• Azure 资源组
• azure key 保管库
• 具有 1 个容器的 Azure 存储帐户
• Azure 安全组 x3

我的期望是让 cns sg 组获得创建的资源组的读者角色。 但我一直失败，因为我不明白如何让我的代码理解它必须将资源组级别的角色分配给我在运行代码时创建的安全组 cns。

这是当前代码的错误消息:

Answer 1

My expectation is to have the cns sg group to get reader role on the created resource group.

感谢Kombajn zbożowy提出同样的建议。

If you are using resource block for creation of azure ad group but calling it as data.azuread_group, which is not declared.

您可以使用以下Terraform代码将读者角色分配给资源组级别的组。

provider  "azurerm" {
subscription_id =  "a34e2b59-xxxxxxxxx-b4a8-ebdc1f96c865"
tenant_id =  "89xxxxx-xxxxxxxxx-55277a8d958a"
features {}
}
provider  "azuread" {
tenant_id =  "xxxxxxxxxxxxxxxxx-55277a8d958a"
}
data  "azurerm_client_config"  "azuread_sg_cns" {
}
resource  "azurerm_resource_group"  "venkat-rg"{
name =  "venkat-RG"
location =  "eastus"
}
resource  "azuread_group"  "azuread_sg_cns" {
display_name =  "azuread_sg_cns"
security_enabled =  true
}
resource  "azurerm_role_assignment"  "reader-rbac" {
scope =  azurerm_resource_group.venkat-rg.id
role_definition_name =  "Reader"
principal_id =  azuread_group.azuread_sg_cns.object_id
}

地形计划:

Terraform 应用:

运行后，将创建上述代码资源，并且读者角色也会应用于该组。