在资源组级别将Azure RBAC分配给Azure AD安全组

14ifxucb  于 2023-03-31  发布在  其他
关注(0)|答案(1)|浏览(136)

我试图弄清楚如何从azure中分配一个内置角色到我正在创建的azure广告组。但是我在阅读文档时不明白其中的逻辑。
下面是我的terraform代码:
az-rbac.tf

data "azurerm_subscription" "current" {
}

output "current_subscription_display_name" {
  value = data.azurerm_subscription.current.display_name
}

data "azurerm_client_config" "azuread_sg_cns" {
}

resource "azurerm_role_assignment" "reader-rbac" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_group.azuread_sg_cns.object_id
}

main.tf

terraform {

  required_version = ">=0.12"
  
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.15.0"
    }
  }
}
#Configure the Azure Resource Management Provider
provider "azurerm" {
    subscription_id = var.azure_subscription_id
    tenant_id = var.azure_tenant_id
  features {}
}

# Configure the Azure Active Directory Provider
provider "azuread" {
  tenant_id = var.azure_tenant_id
}

#create azure active directory group
data "azuread_client_config" "current" {}

resource "azuread_group" "azuread_sg" {
  display_name     = var.azure_sg_name
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create azure active directory group cns

resource "azuread_group" "azuread_sg_cns" {
  display_name     = var.azuread_sg_cns
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create cost reader group
resource "azuread_group" "azuread_sg_cost-mgmt" {
  display_name     = var.azuread_sg_cost-mgmt
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

#create azure resource group
resource "azurerm_resource_group" "rg" {
  name     = var.azure_rg_name
  location = var.azure_resource_group_location
}

#create azure key vault
resource "azurerm_key_vault" "akv" {
  name                        = lower("${var.azure_project_code}-${var.azure_env_code}-akv-01")
  location                    = var.azure_resource_group_location
  resource_group_name = azurerm_resource_group.rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = var.azure_tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"

}

resource "azurerm_storage_account" "sa" {
  name                     = lower("${var.azure_project_code}${var.azure_env_code}sa01")
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.azure_resource_group_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "ctnr" {
  name                  = lower("${var.azure_project_code}${var.azure_env_code}ctnr01")
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

variable.tf

variable "azure_resource_group_location" {
  default = "west europe"
  description   = "Location of the resource group."
}

variable "azure_subscription_id" {
  type        = string
  description = "Azure Subscription Id"
}

variable "azure_tenant_id" {
  type        = string
  description = "Azure Tenant Id"
}

variable "azure_sg_name" {
  type        = string
  description = "Azure AD Security Group Name"
}

variable "azuread_sg_cns" {
  type        = string
  description = "Azure AD Security Group Name CNS"
}

variable "azuread_sg_cost-mgmt" {
  type        = string
  description = "Azure AD Security Group Name Cost Mgmt"
}

variable "azure_rg_name" {
  type        = string
  description = "Azure Resource Group Name"
}

variable "azure_client_code" {
  type        = string
  description = "Azure Client code"
}

variable "azure_project_code" {
  type        = string
  description = "Azure Project Code"
}

variable "azure_env_code" {
  type        = string
  description = "Azure Environment Code"
}

env.tfvars

#Azure tenant id
azure_tenant_id ="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure subscription
azure_subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure resource group location
azure_resource_group_location = "west europe"
# #Azure ad Sg
azure_sg_name = "sg - eu-dev-test-testproject"
# #Azure ad Sg CNS
azuread_sg_cns = "sg -cns - eu-dev-test-testproject"
#Azure Cost Reader
azuread_sg_cost-mgmt = "sg - Cost Reader - eu-dev-test-testproject"
#Azure RG name
azure_rg_name = "eu-dev-test-testproject"
#Azure project code
azure_project_code = "testproject"
#Azure client code
azure_client_code = "test"
#Environement code : sbx, dev, ppd, prd
azure_env_code="dev"

因此,我尝试创建多个资源,例如:

  • 蔚蓝资源集团
  • Azure Key Vault
  • 具有1个容器的Azure存储帐户
  • Azure安全组x3

我的期望是让cns sg组在创建的资源组上获得reader角色,但我一直失败,因为我不知道如何让我的代码理解它必须在运行代码时将角色分配给我创建的安全组cns。
下面是当前代码的错误消息:

68de4m5k

68de4m5k1#

我的期望是让cns sg组在创建的资源组上获得reader角色。
感谢Kombajn zbođowy提出同样的建议。
如果您正在使用资源块创建Azure广告组,但将其称为data.azuread_group,这是未声明的。
您可以使用以下Terraform代码,在资源组级别为组分配Reader角色。

provider  "azurerm" {
subscription_id =  "a34e2b59-xxxxxxxxx-b4a8-ebdc1f96c865"
tenant_id =  "89xxxxx-xxxxxxxxx-55277a8d958a"
features {}
}
provider  "azuread" {
tenant_id =  "xxxxxxxxxxxxxxxxx-55277a8d958a"
}
data  "azurerm_client_config"  "azuread_sg_cns" {
}
resource  "azurerm_resource_group"  "venkat-rg"{
name =  "venkat-RG"
location =  "eastus"
}
resource  "azuread_group"  "azuread_sg_cns" {
display_name =  "azuread_sg_cns"
security_enabled =  true
}
resource  "azurerm_role_assignment"  "reader-rbac" {
scope =  azurerm_resource_group.venkat-rg.id
role_definition_name =  "Reader"
principal_id =  azuread_group.azuread_sg_cns.object_id
}

地形图:

地形应用:

运行后,创建上述代码资源,并将Reader角色应用于组。

相关问题