Vault - Assign multiple aliases for one identity group
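I have been trying to assign multiple group aliases (i.e. multiple AD groups of our company) to one identity group. So far, we have created one identity group per alias, but we realized this makes no sense, as they all take the same policies.
We are using Terraform to maintain and provision our infrastructure.
This is the form I would expect: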
resource "vault_identity_group" "saas-mfi" {
  metadata = {
    productname = "mfi"
  }
  name = "saas-mfi"
  policies = [
    "eaas-key",
    "secret-store-mfi"
  ]
  type = "external"
}

resource "vault_identity_group_alias" "alias_1" {
  canonical_id   = vault_identity_group.saas-mfi.id
  mount_accessor = var.org_local_mount_accessor
  name           = "alias_1"
}

resource "vault_identity_group_alias" "alias_2" {
  canonical_id   = vault_identity_group.saas-mfi.id
  mount_accessor = var.org_local_mount_accessor
  name           = "alias_2"
}

resource "vault_identity_group_alias" "alias_3" {
  canonical_id   = vault_identity_group.saas-mfi.id
  mount_accessor = var.org_local_mount_accessor
  name           = "alias_3"
}
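When I try to apply this configuration, I get the following error:
Error: Provider produced inconsistent result after apply
Of course, this issue is not related to the provider. But it seems that one identity group cannot have multiple aliases. This is odd, as in the UI there is a tab for the identity group called "Aliases", in plural.
If anyone has any information on this matter, I would appreciate it.
I was trying to do the same thing, but saw the following paragraph in the identity documentation: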
External group serves as a mapping to a group that is outside of the identity store. External groups can have one (and only one) alias. This alias should map to a notion of group that is outside of the identity store.
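One layout that respects the one-alias-per-external-group rule quoted above while still attaching the policies only once, as an added example that is not part of the original question or answer: each AD group gets its own policy-less external group and alias, and an internal group holding the policies lists them as member groups. The resource labels `parent` and `ad` and the `ad_groups` local are hypothetical; the alias names are the placeholders from the question.

```hcl
# Added example, not code from the original post.
variable "org_local_mount_accessor" {
  type        = string
  description = "Accessor of the auth mount that reports the AD groups"
}

locals {
  # Placeholder AD group names taken from the question.
  ad_groups = toset(["alias_1", "alias_2", "alias_3"])
}

# One external group per AD group. No policies here: these groups exist
# only to carry the single alias that an external group is allowed.
resource "vault_identity_group" "ad" {
  for_each = local.ad_groups

  name = "saas-mfi-${each.key}"
  type = "external"
}

# Exactly one alias per external group.
resource "vault_identity_group_alias" "ad" {
  for_each = local.ad_groups

  name           = each.key
  canonical_id   = vault_identity_group.ad[each.key].id
  mount_accessor = var.org_local_mount_accessor
}

# Internal parent group: the policies are attached once, and members of
# the nested external groups inherit them through the group hierarchy.
resource "vault_identity_group" "parent" {
  name     = "saas-mfi"
  type     = "internal"
  policies = ["eaas-key", "secret-store-mfi"]

  metadata = {
    productname = "mfi"
  }

  member_group_ids = [for g in vault_identity_group.ad : g.id]
}
```

Adding or removing an AD group is then a one-line change to `ad_groups`, and the policy list stays in a single place where it can be reviewed.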