How to add Azure User Assigned Managed Identity to Azure AD group in Terraform?

I am trying to add a user-assigned managed identity to an AAD group. I have the following Terraform code:

resource "azurerm_user_assigned_identity" "myid" {
  name                = "my_identity"
  resource_group_name = azurerm_resource_group.somerg.name
  location            = azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "existing_group"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  member_object_id = azurerm_user_assigned_identity.myid.id
}

During the plan operation I get the following error:

Error: Value must be a valid UUID

When I change myid.id to myid.principal_id on the last line of the code above, I get an error during the apply operation:

Error: Could not retrieve member principal object "4e83cd6b-d984-4484-8fb2-3ae6e1667ef9"
ODataId was nil

When I try using myid.client_id, I get this during apply:

Error: Could not retrieve principal object "838c2662-5fe2-484c-bb52-f70994fa1d8b"
DirectoryObjects.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b": GET https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b giving up after 9 attempt(s)

What am I doing wrong?

It will work if you just provide myid.principal_id. Please use the latest versions, i.e. terraform v1.1.0, azuread v2.13.0 and azurerm v2.89.0:

I tested the same code in my environment as follows:

provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "somerg" {
  name = "ansuman-resourcegroup"
}

resource "azurerm_user_assigned_identity" "myid" {
  name                = "ansuman-identity"
  resource_group_name = data.azurerm_resource_group.somerg.name
  location            = data.azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "TestQA"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  member_object_id = azurerm_user_assigned_identity.myid.principal_id
}

Output:
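The following is an added, self-contained example written for this page; it is not the asker's or the answerer's code. It pins the provider versions the answer recommends, creates the identity and the group membership in one configuration, and exposes the three different identifiers a user-assigned identity carries, so the reason only `principal_id` is accepted by `azuread_group_member` is visible in the plan output. The resource group name, identity name, location and group display name are placeholders.

```hcl
terraform {
  required_version = ">= 1.1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.89"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.13"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Placeholder names; substitute your own resource group, identity and group.
resource "azurerm_resource_group" "somerg" {
  name     = "example-rg"
  location = "westeurope"
}

resource "azurerm_user_assigned_identity" "myid" {
  name                = "example-identity"
  resource_group_name = azurerm_resource_group.somerg.name
  location            = azurerm_resource_group.somerg.location
}

# Look up an existing security group by display name.
data "azuread_group" "existinggroup" {
  display_name     = "existing_group"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  # object_id is the group's directory object ID (the data source's id is the same value).
  group_object_id = data.azuread_group.existinggroup.object_id

  # azuread_group_member needs the directory object ID of the member.
  # For a user-assigned identity that is principal_id: the object ID of the
  # service principal Azure creates for the identity in Azure AD.
  # The other two attributes are not directory object IDs:
  #   .id        -> the ARM resource path (/subscriptions/.../userAssignedIdentities/...),
  #                 which is why plan rejects it with "Value must be a valid UUID"
  #   .client_id -> the application (client) ID, a UUID but not a directoryObject,
  #                 which is why Graph returns nothing for it
  member_object_id = azurerm_user_assigned_identity.myid.principal_id
}

# Surface all three identifiers so the difference is visible after apply.
output "identity_ids" {
  value = {
    resource_id  = azurerm_user_assigned_identity.myid.id
    principal_id = azurerm_user_assigned_identity.myid.principal_id
    client_id    = azurerm_user_assigned_identity.myid.client_id
  }
}
```

Two practitioner notes. First, the principal running `terraform apply` must be allowed to modify group membership: with a service principal the azuread provider documents `GroupMember.ReadWrite.All` (or `Group.ReadWrite.All` / `Directory.ReadWrite.All`) as the required Microsoft Graph application permission, and with a user principal a directory role such as Groups Administrator; a principal that can create the identity in ARM does not automatically have this. Second, when the identity and the membership are created in the same apply, the new service principal has to replicate to Microsoft Graph before it can be looked up; if an apply immediately after creation still fails with a "could not retrieve member principal object" error, a replication delay is a plausible cause (my reading, not something this thread confirms), and re-running the apply or using the newer azuread provider versions the answer recommends is the first thing to try.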