我正在尝试弄清楚如何将 Azure 中的内置角色分配给我正在创建的 Azure 广告组。 但是我在阅读文档时不明白其中的逻辑。
这是我的地形代码:
az-rbac.tf
data "azurerm_subscription" "current" {
}
output "current_subscription_display_name" {
value = data.azurerm_subscription.current.display_name
}
data "azurerm_client_config" "azuread_sg_cns" {
}
resource "azurerm_role_assignment" "reader-rbac" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Reader"
principal_id = data.azuread_group.azuread_sg_cns.object_id
}
main.tf
terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>2.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2.15.0"
}
}
}
#Configure the Azure Resource Management Provider
provider "azurerm" {
subscription_id = var.azure_subscription_id
tenant_id = var.azure_tenant_id
features {}
}
# Configure the Azure Active Directory Provider
provider "azuread" {
tenant_id = var.azure_tenant_id
}
#create azure active directory group
data "azuread_client_config" "current" {}
resource "azuread_group" "azuread_sg" {
display_name = var.azure_sg_name
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure active directory group cns
resource "azuread_group" "azuread_sg_cns" {
display_name = var.azuread_sg_cns
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create cost reader group
resource "azuread_group" "azuread_sg_cost-mgmt" {
display_name = var.azuread_sg_cost-mgmt
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure resource group
resource "azurerm_resource_group" "rg" {
name = var.azure_rg_name
location = var.azure_resource_group_location
}
#create azure key vault
resource "azurerm_key_vault" "akv" {
name = lower("${var.azure_project_code}-${var.azure_env_code}-akv-01")
location = var.azure_resource_group_location
resource_group_name = azurerm_resource_group.rg.name
enabled_for_disk_encryption = true
tenant_id = var.azure_tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
}
resource "azurerm_storage_account" "sa" {
name = lower("${var.azure_project_code}${var.azure_env_code}sa01")
resource_group_name = azurerm_resource_group.rg.name
location = var.azure_resource_group_location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_storage_container" "ctnr" {
name = lower("${var.azure_project_code}${var.azure_env_code}ctnr01")
storage_account_name = azurerm_storage_account.sa.name
container_access_type = "private"
}
变量.tf
variable "azure_resource_group_location" {
default = "west europe"
description = "Location of the resource group."
}
variable "azure_subscription_id" {
type = string
description = "Azure Subscription Id"
}
variable "azure_tenant_id" {
type = string
description = "Azure Tenant Id"
}
variable "azure_sg_name" {
type = string
description = "Azure AD Security Group Name"
}
variable "azuread_sg_cns" {
type = string
description = "Azure AD Security Group Name CNS"
}
variable "azuread_sg_cost-mgmt" {
type = string
description = "Azure AD Security Group Name Cost Mgmt"
}
variable "azure_rg_name" {
type = string
description = "Azure Resource Group Name"
}
variable "azure_client_code" {
type = string
description = "Azure Client code"
}
variable "azure_project_code" {
type = string
description = "Azure Project Code"
}
variable "azure_env_code" {
type = string
description = "Azure Environment Code"
}
env.tfvars
#Azure tenant id
azure_tenant_id ="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure subscription
azure_subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure resource group location
azure_resource_group_location = "west europe"
# #Azure ad Sg
azure_sg_name = "sg - eu-dev-test-testproject"
# #Azure ad Sg CNS
azuread_sg_cns = "sg -cns - eu-dev-test-testproject"
#Azure Cost Reader
azuread_sg_cost-mgmt = "sg - Cost Reader - eu-dev-test-testproject"
#Azure RG name
azure_rg_name = "eu-dev-test-testproject"
#Azure project code
azure_project_code = "testproject"
#Azure client code
azure_client_code = "test"
#Environement code : sbx, dev, ppd, prd
azure_env_code="dev"
所以我尝试创建多个资源,例如:
- Azure 资源组
- azure key 保管库
- 具有 1 个容器的 Azure 存储帐户
- Azure 安全组 x3
我的期望是让 cns sg 组获得创建的资源组的读者角色。 但我一直失败,因为我不明白如何让我的代码理解它必须将资源组级别的角色分配给我在运行代码时创建的安全组 cns。
这是当前代码的错误消息:
最佳答案
My expectation is to have the cns sg group to get reader role on the created resource group.
感谢Kombajn zbożowy提出同样的建议。
If you are using resource block for creation of azure ad group but calling it as data.azuread_group, which is not declared.
您可以使用以下Terraform代码将读者角色分配给资源组级别的组。
provider "azurerm" {
subscription_id = "a34e2b59-xxxxxxxxx-b4a8-ebdc1f96c865"
tenant_id = "89xxxxx-xxxxxxxxx-55277a8d958a"
features {}
}
provider "azuread" {
tenant_id = "xxxxxxxxxxxxxxxxx-55277a8d958a"
}
data "azurerm_client_config" "azuread_sg_cns" {
}
resource "azurerm_resource_group" "venkat-rg"{
name = "venkat-RG"
location = "eastus"
}
resource "azuread_group" "azuread_sg_cns" {
display_name = "azuread_sg_cns"
security_enabled = true
}
resource "azurerm_role_assignment" "reader-rbac" {
scope = azurerm_resource_group.venkat-rg.id
role_definition_name = "Reader"
principal_id = azuread_group.azuread_sg_cns.object_id
}
地形计划:
Terraform 应用:
运行后,将创建上述代码资源,并且读者角色也会应用于该组。
关于azure - 将 Azure RBAC 分配到资源组级别的 Azure AD 安全组,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75848097/