azure - Scoping RBAC role assignments to file shares using for_each

Tags: azure terraform

I created a Terraform template that creates 3 file shares on a storage account using a for_each loop, which works perfectly.

I am trying to assign RBAC role assignments using a for_each loop, scoped only to each file share, but I keep getting the error below and am not sure how to achieve this.

main.tf

###########################
# RESOURCE GROUP CREATION #
###########################
resource "azurerm_resource_group" "rg" {
    name = var.rg.name
    location = var.rg.location

    # tag is a test to see if I can get them to use a variable map
    tags = "${var.tags}"
}

############################
# STORAGE ACCOUNT CREATION #
############################
resource "azurerm_storage_account" "storage_account" {
    name = var.storage_account.name
    resource_group_name = azurerm_resource_group.rg.name
    location = azurerm_resource_group.rg.location
    account_tier = var.storage_account.account_tier
    account_replication_type = var.storage_account.account_replication_type
    allow_nested_items_to_be_public = false

    azure_files_authentication {
      directory_type = var.storage_account.directory_type
      active_directory {
        storage_sid = var.storage_account.storage_sid
        domain_name = var.storage_account.domain_name
        domain_sid = var.storage_account.domain_sid
        domain_guid = var.storage_account.domain_guid
        forest_name = var.storage_account.forest_name
        netbios_domain_name = var.storage_account.netbios_domain_name
      }
    }
}

########################################
# STORAGE ACCOUNT FILE SHARES CREATION #
########################################
resource "azurerm_storage_share" "file_shares" {
    for_each = var.file_shares
    name = each.value.name
    storage_account_name = azurerm_storage_account.storage_account.name
    quota = each.value.quota
}

########################
# RBAC ROLE ASSIGNMENT #
########################
resource "azurerm_role_assignment" "rbac" {
    for_each = var.rbac
    scope = azurerm_storage_share.file_shares.*.id
    role_definition_name = each.value.role_definition_name
    principal_id = each.value.principal_id
}

variables.tf

#######################################
# STORAGE ACCOUNT FILE SHARE SETTINGS #
#######################################
variable "file_shares" {
    description = "storage account file share settings"
    default = {
        profiles = {
            name = "profiles"
            quota = "5120"
        }
        o365 = {
            name = "o365"
            quota = "5120"
        }
        msix = {
            name = "msix"
            quota = "5120"
        }
    }
}

#################################
# RBAC ROLE ASSIGNMENT SETTINGS #
#################################
variable "rbac" {
    description = "rbac assignment to storage account, principal id is the object id of the security group listed in Azure AD"
    default = {
        back_office = {
            role_definition_name = "Storage File Data SMB Share Contributor"
            principal_id = "e93a67c7-4bfc-4bbd-a720-b26d9291fa28"
        }
        front_office = {
            role_definition_name = "Storage File Data SMB Share Contributor"
            principal_id = "0280b0c9-295a-4d75-b8d0-a092cf52dabc"
        }
        dev_dev = {
            role_definition_name = "Storage File Data SMB Share Contributor"
            principal_id = "512be349-5444-45b0-80f5-8e59046a0175"
        }
        dev_prod = {
            role_definition_name = "Storage File Data SMB Share Contributor"
            principal_id = "0a676556-cf96-4318-b229-503808da7e1c"
        }
        admins = {
            role_definition_name = "Storage File Data SMB Share Elevated Contributor"
            principal_id = "b0bde374-eb5d-4967-9a4f-cdd41fd7bb23"
        }
    }
}

Error


╷
│ Error: Unsupported attribute
│ 
│   on storage_account/main.tf line 51, in resource "azurerm_role_assignment" "rbac":
│   51:     scope = azurerm_storage_share.file_shares.*.id
│ 
│ This object does not have an attribute named "id".
╵
╷
│ Error: Unsupported attribute
│ 
│   on storage_account/main.tf line 51, in resource "azurerm_role_assignment" "rbac":
│   51:     scope = azurerm_storage_share.file_shares.*.id
│ 
│ This object does not have an attribute named "id".
╵
╷
│ Error: Unsupported attribute
│ 
│   on storage_account/main.tf line 51, in resource "azurerm_role_assignment" "rbac":
│   51:     scope = azurerm_storage_share.file_shares.*.id
│ 
│ This object does not have an attribute named "id".
╵
╷
│ Error: Unsupported attribute
│ 
│   on storage_account/main.tf line 51, in resource "azurerm_role_assignment" "rbac":
│   51:     scope = azurerm_storage_share.file_shares.*.id
│ 
│ This object does not have an attribute named "id".
╵
╷
│ Error: Unsupported attribute
│ 
│   on storage_account/main.tf line 51, in resource "azurerm_role_assignment" "rbac":
│   51:     scope = azurerm_storage_share.file_shares.*.id
│ 
│ This object does not have an attribute named "id".
╵
##[warning]Can't find loc string for key: TerraformPlanFailed
##[error]Error: TerraformPlanFailed 1

Best answer

You need to use the flatten function. Add the following to your locals:

locals {
  # Build one element per (rbac entry, file share) pair so that each
  # role assignment can be scoped to a single share.
  rbac_assignment = flatten([
    for rbac_key, rbac in var.rbac : [
      for file_key, file in azurerm_storage_share.file_shares : {
        rbac_key             = rbac_key
        file_key             = file_key
        # resource_manager_id is the ARM resource id that a role
        # assignment scope requires; the share's "id" is not.
        scope                = azurerm_storage_share.file_shares[file_key].resource_manager_id
        role_definition_name = rbac.role_definition_name
        principal_id         = rbac.principal_id
      }
    ]
  ])
}

Then, in your azurerm_role_assignment resource, use the following for_each:

resource "azurerm_role_assignment" "rbac" {
  for_each             = { for rbac_assignment in local.rbac_assignment : "${rbac_assignment.rbac_key}.${rbac_assignment.file_key}" => rbac_assignment }
  scope                = each.value.scope
  role_definition_name = each.value.role_definition_name
  principal_id         = each.value.principal_id
}

I also changed the attribute reference for the file share: it must use resource_manager_id instead of id.
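As an added example (not code from the question or the answer above), assuming the azurerm_storage_share.file_shares resource from the question exists, the same flatten pattern can narrow each principal to only the shares it needs rather than granting every group every share; the variable rbac_scoped, its "shares" list and its object IDs are hypothetical placeholders.

```hcl
# Added example: per-principal share lists instead of the full cross product.
# Assumes azurerm_storage_share.file_shares from the question; the variable
# shape below and the principal_id values are hypothetical placeholders.
variable "rbac_scoped" {
  description = "hypothetical: one role per principal, limited to the listed share keys"
  type = map(object({
    role_definition_name = string
    principal_id         = string
    shares               = list(string) # keys of var.file_shares
  }))
  default = {
    back_office = {
      role_definition_name = "Storage File Data SMB Share Contributor"
      principal_id         = "00000000-0000-0000-0000-000000000001" # placeholder
      shares               = ["profiles"]
    }
    admins = {
      role_definition_name = "Storage File Data SMB Share Elevated Contributor"
      principal_id         = "00000000-0000-0000-0000-000000000002" # placeholder
      shares               = ["profiles", "o365", "msix"]
    }
  }
}

locals {
  # One element per (principal, share) pair, only for shares the entry lists;
  # an unknown share key fails at plan time because the map lookup has no such key.
  rbac_scoped_assignment = flatten([
    for rbac_key, rbac in var.rbac_scoped : [
      for file_key in rbac.shares : {
        rbac_key             = rbac_key
        file_key             = file_key
        # resource_manager_id is the ARM id a role assignment scope accepts;
        # the share's "id" attribute is the share URL, not an ARM id.
        scope                = azurerm_storage_share.file_shares[file_key].resource_manager_id
        role_definition_name = rbac.role_definition_name
        principal_id         = rbac.principal_id
      }
    ]
  ])
}

resource "azurerm_role_assignment" "rbac_scoped" {
  # "principal.share" keys are unique, so adding or removing a share for one
  # principal only creates or destroys that single assignment.
  for_each = {
    for a in local.rbac_scoped_assignment : "${a.rbac_key}.${a.file_key}" => a
  }
  scope                = each.value.scope
  role_definition_name = each.value.role_definition_name
  principal_id         = each.value.principal_id
}
```

Running terraform plan shows exactly four assignments here (one for back_office, three for admins), which is the least-privilege outcome the per-share scope is meant to give.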

Regarding "azure - Scoping RBAC role assignments to file shares using for_each", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/74304556/
