在 Azure 中通过 Terraform 为 VM 实例创建托管系统标识
Creating Managed System Identity for VM Instances via Terraform in Azure
正在尝试使用 Terraform 为 VM 创建托管系统标识。 Status=404 Code="MissingSubscription"
出错
正在尝试为 VM 创建托管系统标识。这是代码片段:
###############################################################################
# Create Managed System Identity for VMs
###############################################################################
data "azurerm_subscription" "primary" {}
data "azurerm_builtin_role_definition" "contributor" {
name = "Contributor"
}
resource "azurerm_role_assignment" "contributor" {
name = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
scope = "${var.subscription_id}"
#scope = "${data.azurerm_subscription.primary.id}"
principal_id = "${var.tenant_object_id}"
role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
}
运行 terraform apply 产生以下错误:
错误:
Error: Error applying plan:
1 error(s) occurred:
* azurerm_role_assignment.contributor: 1 error(s) occurred:
* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
我尝试按照此处描述的示例 - https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html,但看起来如果我将范围改回 scope = "${data.azurerm_subscription.primary.id}",它会出错:
* azurerm_role_assignment.contributor: 1 error(s) occurred:
* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."
这里有多个问题:
- 资源
azurerm_role_assignment 的 name 字段必须是 GUID,在您的代码中它有方括号。
- role_definition_id 必须有一个表达式求值,例如只有
${data.azurerm_builtin_role_definition.contributor.id}
创建此示例的正确方法是:
###############################################################################
# Create Managed System Identity for VMs
###############################################################################
data "azurerm_subscription" "primary" {}
data "azurerm_builtin_role_definition" "contributor" {
name = "Contributor"
}
resource "azurerm_role_assignment" "contributor" {
name = "00000000-0000-0000-0000-000000000000"
scope = "${data.azurerm_subscription.primary.id}"
principal_id = "${var.tenant_object_id}"
role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}
假设 tenant_object_id 变量确实是您的主要订阅中的现有服务主体 ID。
正在尝试使用 Terraform 为 VM 创建托管系统标识。 Status=404 Code="MissingSubscription"
出错正在尝试为 VM 创建托管系统标识。这是代码片段:
###############################################################################
# Create Managed System Identity for VMs
###############################################################################
data "azurerm_subscription" "primary" {}
data "azurerm_builtin_role_definition" "contributor" {
name = "Contributor"
}
resource "azurerm_role_assignment" "contributor" {
name = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
scope = "${var.subscription_id}"
#scope = "${data.azurerm_subscription.primary.id}"
principal_id = "${var.tenant_object_id}"
role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
}
运行 terraform apply 产生以下错误:
错误:
Error: Error applying plan:
1 error(s) occurred:
* azurerm_role_assignment.contributor: 1 error(s) occurred:
* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
我尝试按照此处描述的示例 - https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html,但看起来如果我将范围改回 scope = "${data.azurerm_subscription.primary.id}",它会出错:
* azurerm_role_assignment.contributor: 1 error(s) occurred:
* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."
这里有多个问题:
- 资源
azurerm_role_assignment的name字段必须是 GUID,在您的代码中它有方括号。 - role_definition_id 必须有一个表达式求值,例如只有
${data.azurerm_builtin_role_definition.contributor.id}
创建此示例的正确方法是:
###############################################################################
# Create Managed System Identity for VMs
###############################################################################
data "azurerm_subscription" "primary" {}
data "azurerm_builtin_role_definition" "contributor" {
name = "Contributor"
}
resource "azurerm_role_assignment" "contributor" {
name = "00000000-0000-0000-0000-000000000000"
scope = "${data.azurerm_subscription.primary.id}"
principal_id = "${var.tenant_object_id}"
role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}
假设 tenant_object_id 变量确实是您的主要订阅中的现有服务主体 ID。