How to import a managed service identity from a different subscription on terraform
I have a managed service identity workflow-identity in subscription A. I set up another subscription B and created a storage account storageb in it. I want to set up an azurerm_role_assignment so that A can access storageb.
So I used:

    terraform import azurerm_user_assigned_identity.example /subscriptions/[subscription-B]/resourceGroups/[resource-group-id]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/workflow-identity
But it does not work. The reason, I guess, is that I am trying to import a managed service identity from a different subscription. So my question is: how do I import from a different subscription in my case?
Here is my code sample:
    resource "azurerm_storage_account" "storage1" {
      name                     = var.storage_account
      resource_group_name      = azurerm_resource_group.rg.name
      location                 = azurerm_resource_group.rg.location
      account_tier             = "Standard"
      account_replication_type = "LRS"
    }

    resource "azurerm_user_assigned_identity" "example" {
      resource_group_name = azurerm_resource_group.example.name
      location            = azurerm_resource_group.example.location
      name                = "search-api"
      # subscription_id = 12333. <---- not working. not supported.
    }

    resource "azurerm_role_assignment" "storage_role" {
      scope                = azurerm_storage_account.storage1.id
      role_definition_name = "Storage Blob Data Contributor"
      principal_id         = azurerm_user_assigned_identity.example.principal_id
    }
You need to create another Azure provider, scope it to that subscription, and deploy the resource using that provider:
    # Default provider: the subscription Terraform is authenticated against.
    provider "azurerm" {
      version = "~>1.44"
    }

    # Aliased provider scoped to the other subscription.
    provider "azurerm" {
      alias           = "other_sub"
      subscription_id = "xxxx-xxxx-xxxx"
    }

    # Any resource that sets provider = azurerm.other_sub is created in that subscription.
    resource "azurerm_public_ip" "ipv4" {
      provider            = azurerm.other_sub
      name                = "zzz"
      resource_group_name = "yyy"
      location            = "xxx"
      allocation_method   = "Static"
      ip_version          = "IPv4"
      sku                 = "Standard"
    }
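Applied to the asker's situation, the same provider-alias technique can read the identity that already exists in subscription A through a data source and grant it access to the storage account in subscription B, with no import at all. This is an added example, not the asker's or answerer's code; the subscription ids and resource group names are placeholders, and it assumes both subscriptions belong to the same Azure AD tenant (a role assignment can only reference a principal from the tenant the subscription trusts).

```hcl
# Default provider: subscription B, where the storage account lives.
provider "azurerm" {
  version         = "~>1.44"
  subscription_id = "00000000-0000-0000-0000-00000000000b" # placeholder: subscription B
}

# Aliased provider: subscription A, where workflow-identity lives.
provider "azurerm" {
  alias           = "sub_a"
  version         = "~>1.44"
  subscription_id = "00000000-0000-0000-0000-00000000000a" # placeholder: subscription A
}

# Read the existing identity from subscription A instead of importing it into a
# resource: Terraform never creates, changes or destroys anything in A this way,
# it only needs read access to look up the identity's principal id.
data "azurerm_user_assigned_identity" "workflow" {
  provider            = azurerm.sub_a
  name                = "workflow-identity"
  resource_group_name = "rg-identity-a" # placeholder resource group in A
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-storage-b" # placeholder resource group in B
  location = "westeurope"
}

resource "azurerm_storage_account" "storageb" {
  name                     = "storageb"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Scope the grant to this one storage account (not the resource group or the
# subscription) and to a data-plane blob role only, so the identity in A gets
# the least access that still lets it read and write blobs in storageb.
resource "azurerm_role_assignment" "storage_role" {
  scope                = azurerm_storage_account.storageb.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_user_assigned_identity.workflow.principal_id
}
```

The version constraint follows the answer's 1.x provider line; on azurerm 2.x and later each provider block additionally needs an empty `features {}` block.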