Assign a managed identity access to an application role using Terraform
I want to assign a managed identity access to an application role using Terraform.
I found a similar procedure, but it uses PowerShell. I want to do the same thing with Terraform.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell
    resource "azuread_application_app_role" "AppRole1" {
      application_object_id = azuread_application.ResourceController.id
      allowed_member_types  = ["Application"]
      description           = "All access"
      display_name          = "All access"
      is_enabled            = true
      value                 = "All"
    }

    resource "azurerm_role_assignment" "assignment1" {
      principal_id       = data.azuread_service_principal.website.id # This is a managed identity.
      role_definition_id = azuread_application_app_role.AppRole1.id
      scope              = azuread_application_app_role.ResourceController.id # ???
    }
What should I specify in the scope field, or is this not possible in Terraform?
The scope is the ID of the resource on which you want to assign the role to the managed identity. For example, suppose you want to assign the managed identity to a VM with the role you created. Then the scope is the VM's resource ID, like this:

    "/subscriptions/subscription_id/resourceGroups/group_name/providers/Microsoft.Compute/virtualMachines/vm_name"
This may not be possible with the current Terraform Azure provider.
I found this comment on a GitHub issue:

> azurerm_role_assignment can be used only to assign role to Subscription Resources.

https://github.com/terraform-providers/terraform-provider-azurerm/issues/6557#issuecomment-658154929
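Both answers point at the same underlying mismatch: `azurerm_role_assignment` creates an Azure RBAC assignment (role definition + scope on an ARM resource), whereas an app role lives in Azure AD and is granted to a service principal, so there is no ARM scope to fill in. The following configuration is an added example, not code from the question or from either answer, showing how the same grant is expressed with the azuread provider's dedicated `azuread_app_role_assignment` resource (available in azuread 2.x, where app roles are declared inline in `azuread_application` instead of through `azuread_application_app_role`). The application name `ResourceController` and the managed identity name `website` are taken from the question; the role value `Resource.Read`, the role UUID and the display-name lookup are assumptions.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# The API application that exposes the app role (name taken from the question).
resource "azuread_application" "resource_controller" {
  display_name = "ResourceController"

  # azuread 2.x declares app roles inline. The role is scoped narrowly instead of
  # "All access": a managed identity should only receive the permission it needs.
  app_role {
    allowed_member_types = ["Application"]
    description          = "Read-only access to the ResourceController API"
    display_name         = "Resource reader"
    enabled              = true
    id                   = "00000000-0000-0000-0000-000000000001" # constructed placeholder; use any stable UUID
    value                = "Resource.Read"                         # assumed role value
  }
}

# App role assignments are granted against the application's service principal,
# not the application object itself.
resource "azuread_service_principal" "resource_controller" {
  application_id = azuread_application.resource_controller.application_id
}

# Service principal of the managed identity. A system-assigned identity's service
# principal carries the display name of its resource; looking it up by name is an
# assumption here, and the object ID could equally be passed in as a variable.
data "azuread_service_principal" "website" {
  display_name = "website"
}

# The actual grant: role "Resource.Read" on ResourceController, given to the
# managed identity. Note there is no scope argument at all, since this is an
# Azure AD app role assignment and not an Azure RBAC role assignment.
resource "azuread_app_role_assignment" "website_resource_read" {
  app_role_id         = azuread_service_principal.resource_controller.app_role_ids["Resource.Read"]
  principal_object_id = data.azuread_service_principal.website.object_id
  resource_object_id  = azuread_service_principal.resource_controller.object_id
}
```

The identity Terraform runs as needs permission to write app role assignments in the tenant (for example the `AppRoleAssignment.ReadWrite.All` Microsoft Graph permission), which is a separate requirement from any Azure RBAC rights it holds over the subscription. Once applied, the granted role appears in the access token the managed identity obtains for the ResourceController application's identifier URI, in the `roles` claim, which is where the API should check it.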