我试图弄清楚如何从azure中分配一个内置角色到我正在创建的azure广告组。但是我在阅读文档时不明白其中的逻辑。
下面是我的terraform代码:
az-rbac.tf
data "azurerm_subscription" "current" {
}
output "current_subscription_display_name" {
value = data.azurerm_subscription.current.display_name
}
data "azurerm_client_config" "azuread_sg_cns" {
}
resource "azurerm_role_assignment" "reader-rbac" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Reader"
principal_id = data.azuread_group.azuread_sg_cns.object_id
}
main.tf
terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>2.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2.15.0"
}
}
}
#Configure the Azure Resource Management Provider
provider "azurerm" {
subscription_id = var.azure_subscription_id
tenant_id = var.azure_tenant_id
features {}
}
# Configure the Azure Active Directory Provider
provider "azuread" {
tenant_id = var.azure_tenant_id
}
#create azure active directory group
data "azuread_client_config" "current" {}
resource "azuread_group" "azuread_sg" {
display_name = var.azure_sg_name
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure active directory group cns
resource "azuread_group" "azuread_sg_cns" {
display_name = var.azuread_sg_cns
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create cost reader group
resource "azuread_group" "azuread_sg_cost-mgmt" {
display_name = var.azuread_sg_cost-mgmt
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure resource group
resource "azurerm_resource_group" "rg" {
name = var.azure_rg_name
location = var.azure_resource_group_location
}
#create azure key vault
resource "azurerm_key_vault" "akv" {
name = lower("${var.azure_project_code}-${var.azure_env_code}-akv-01")
location = var.azure_resource_group_location
resource_group_name = azurerm_resource_group.rg.name
enabled_for_disk_encryption = true
tenant_id = var.azure_tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
}
resource "azurerm_storage_account" "sa" {
name = lower("${var.azure_project_code}${var.azure_env_code}sa01")
resource_group_name = azurerm_resource_group.rg.name
location = var.azure_resource_group_location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_storage_container" "ctnr" {
name = lower("${var.azure_project_code}${var.azure_env_code}ctnr01")
storage_account_name = azurerm_storage_account.sa.name
container_access_type = "private"
}
variable.tf
variable "azure_resource_group_location" {
default = "west europe"
description = "Location of the resource group."
}
variable "azure_subscription_id" {
type = string
description = "Azure Subscription Id"
}
variable "azure_tenant_id" {
type = string
description = "Azure Tenant Id"
}
variable "azure_sg_name" {
type = string
description = "Azure AD Security Group Name"
}
variable "azuread_sg_cns" {
type = string
description = "Azure AD Security Group Name CNS"
}
variable "azuread_sg_cost-mgmt" {
type = string
description = "Azure AD Security Group Name Cost Mgmt"
}
variable "azure_rg_name" {
type = string
description = "Azure Resource Group Name"
}
variable "azure_client_code" {
type = string
description = "Azure Client code"
}
variable "azure_project_code" {
type = string
description = "Azure Project Code"
}
variable "azure_env_code" {
type = string
description = "Azure Environment Code"
}
env.tfvars
#Azure tenant id
azure_tenant_id ="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure subscription
azure_subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure resource group location
azure_resource_group_location = "west europe"
# #Azure ad Sg
azure_sg_name = "sg - eu-dev-test-testproject"
# #Azure ad Sg CNS
azuread_sg_cns = "sg -cns - eu-dev-test-testproject"
#Azure Cost Reader
azuread_sg_cost-mgmt = "sg - Cost Reader - eu-dev-test-testproject"
#Azure RG name
azure_rg_name = "eu-dev-test-testproject"
#Azure project code
azure_project_code = "testproject"
#Azure client code
azure_client_code = "test"
#Environement code : sbx, dev, ppd, prd
azure_env_code="dev"
因此,我尝试创建多个资源,例如:
- 蔚蓝资源集团
- Azure Key Vault
- 具有1个容器的Azure存储帐户
- Azure安全组x3
我的期望是让cns sg组在创建的资源组上获得reader角色,但我一直失败,因为我不知道如何让我的代码理解它必须在运行代码时将角色分配给我创建的安全组cns。
下面是当前代码的错误消息:
1条答案
按热度按时间68de4m5k1#
我的期望是让cns sg组在创建的资源组上获得reader角色。
感谢Kombajn zbođowy提出同样的建议。
如果您正在使用资源块创建Azure广告组,但将其称为data.azuread_group,这是未声明的。
您可以使用以下Terraform代码,在资源组级别为组分配Reader角色。
地形图:
地形应用:
运行后,创建上述代码资源,并将Reader角色应用于组。