Azure Terraform Build Generic Components using Infrastructure as Code
I am new to Terraform and Azure. I am trying to build resource groups / resources using Terraform. Below is the design for this.
I have written Terraform code to build a Log Analytics workspace and an Automation account.
Here are my questions:
- Cost Management / Azure Monitor / Network Watcher / Defender for Cloud? Can I build all of these with Terraform code in this resource group, or do they need to be built manually from the Azure portal? When we create any resource, options like Cost estimator / management are already available on the left-hand side. Does that mean they can simply be selected from there when needed, with no need to build them from Terraform code?
- How do we apply role entitlements / policy assignments from Terraform code?
Here is the code I wrote to build the Automation account / Log Analytics:
```hcl
terraform {
  # Provider source addresses in required_providers need Terraform 0.13 or later
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
    # random_id below comes from the random provider; declare it explicitly
    random = {
      source = "hashicorp/random"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "management" {
  # Mandatory resource attributes
  name     = "k8s-log-analytics-test"
  location = "eastus"
}

resource "random_id" "workspace" {
  keepers = {
    # Generate a new id each time we switch to a new resource group
    group_name = azurerm_resource_group.management.name
  }
  byte_length = 8
}

resource "azurerm_log_analytics_workspace" "management" {
  # Mandatory resource attributes
  name                = "k8s-workspace-${random_id.workspace.hex}"
  location            = azurerm_resource_group.management.location
  resource_group_name = azurerm_resource_group.management.name
  # Optional resource attributes
  retention_in_days = 30
  sku               = "PerGB2018"
}

resource "azurerm_log_analytics_solution" "management" {
  # Mandatory resource attributes
  # solution_name must match the gallery product name (ContainerInsights for
  # OMSGallery/ContainerInsights); Azure names the resource "<solution>(<workspace>)"
  solution_name         = "ContainerInsights"
  location              = azurerm_resource_group.management.location
  resource_group_name   = azurerm_resource_group.management.name
  workspace_resource_id = azurerm_log_analytics_workspace.management.id
  workspace_name        = azurerm_log_analytics_workspace.management.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ContainerInsights"
  }
}

resource "azurerm_automation_account" "management" {
  # Mandatory resource attributes
  name                = "mgmtautomationaccount"
  location            = azurerm_resource_group.management.location
  resource_group_name = azurerm_resource_group.management.name
  sku_name            = "Basic"
}

# Link the Automation account to the workspace so runbooks can read its data
resource "azurerm_log_analytics_linked_service" "management" {
  # Mandatory resource attributes
  resource_group_name = azurerm_resource_group.management.name
  workspace_id        = azurerm_log_analytics_workspace.management.id
  read_access_id      = azurerm_automation_account.management.id
}
```
Cost Mgmt / Azure Monitor / Network Watcher / Defender for Cloud? Can I build all these using Terraform code in this resource group or they need to manually built from Azure portal. When we create any resource on the left hand side options like Cost estimator / management are already available. Does that mean they can be easily selected from there on usage and no need to build from Terraform code?
Yes, you can create Network Watcher, Azure Monitor resources and Cost Management using Terraform resource blocks such as azurerm_network_watcher, azurerm_network_watcher_flow_log, azurerm_monitor_metric_alert, ..., azurerm_resource_group_cost_management_export, azurerm_consumption_budget_resource_group, etc. Defender for Cloud cannot be built from Terraform. Yes, you are right that Cost Management, Monitoring, etc. are also available in the portal, but their resources, such as budget alerts, still need to be created; for simplicity they have been added to the portal as blades.
How does we apply Role Entitlement / Policy Assignment from Terraform code?
You can use azurerm_role_assignment to assign built-in roles, and azurerm_role_definition to create custom roles and then assign them. For policy assignments you can use azurerm_resource_policy_assignment, and azurerm_policy_insights_remediation for remediation.
For all Azure resource blocks, refer to the Official Registry Documentation of the Terraform AzureRM Provider & Terraform AzureAD Provider.
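The configuration below is an added example, not code from the question or the answer, and it is written for the same azurerm 2.x provider. It assumes the `azurerm_resource_group.management` resource from the question is present in the same configuration; `PRINCIPAL_OBJECT_ID` and `ops@example.com` are placeholders, and the budget amount and allowed region are constructed values. It covers both parts of the answer: monitoring and cost resources (an action group, an activity-log alert that fires on role-assignment writes in the group, and a monthly budget with a notification), then a built-in role assignment scoped to the resource group, a custom read-only role, and a built-in policy assignment at resource-group scope. The policy assignment uses `azurerm_resource_group_policy_assignment`, the resource-group-scoped sibling of the `azurerm_resource_policy_assignment` named in the answer.

```hcl
# Added example; assumes azurerm_resource_group.management from the question.
data "azurerm_subscription" "current" {}

# ---- Monitoring and cost ---------------------------------------------------

resource "azurerm_monitor_action_group" "ops" {
  name                = "mgmt-ops-alerts"
  resource_group_name = azurerm_resource_group.management.name
  short_name          = "mgmtops"

  email_receiver {
    name          = "ops-mailbox"
    email_address = "ops@example.com" # placeholder address
  }
}

# Activity log alert: notify whenever a role assignment is written inside this
# resource group, so privilege changes made outside Terraform are noticed.
resource "azurerm_monitor_activity_log_alert" "rbac_changes" {
  name                = "mgmt-rbac-changes"
  resource_group_name = azurerm_resource_group.management.name
  scopes              = [azurerm_resource_group.management.id]
  description         = "Role assignment created or changed in the management resource group"

  criteria {
    category       = "Administrative"
    operation_name = "Microsoft.Authorization/roleAssignments/write"
  }

  action {
    action_group_id = azurerm_monitor_action_group.ops.id
  }
}

# Monthly budget for the group with a notification at 80% of the amount.
resource "azurerm_consumption_budget_resource_group" "management" {
  name              = "mgmt-monthly-budget"
  resource_group_id = azurerm_resource_group.management.id
  amount            = 500 # constructed value
  time_grain        = "Monthly"

  time_period {
    start_date = "2023-01-01T00:00:00Z" # must be the first day of a month
  }

  notification {
    enabled        = true
    threshold      = 80.0
    operator       = "GreaterThan"
    contact_emails = ["ops@example.com"] # placeholder address
  }
}

# ---- RBAC: built-in role, then a custom least-privilege role ---------------

# Built-in role, scoped to the resource group rather than the subscription.
resource "azurerm_role_assignment" "log_reader" {
  scope                = azurerm_resource_group.management.id
  role_definition_name = "Log Analytics Reader"
  principal_id         = "PRINCIPAL_OBJECT_ID" # placeholder: object id of a group or service principal
}

# Custom role that only allows reading the automation account, its jobs and
# the workspace; it can only be assigned inside this resource group.
resource "azurerm_role_definition" "mgmt_viewer" {
  name  = "mgmt-automation-viewer"
  scope = data.azurerm_subscription.current.id

  permissions {
    actions = [
      "Microsoft.Automation/automationAccounts/read",
      "Microsoft.Automation/automationAccounts/jobs/read",
      "Microsoft.OperationalInsights/workspaces/read",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.management.id]
}

resource "azurerm_role_assignment" "mgmt_viewer" {
  scope              = azurerm_resource_group.management.id
  role_definition_id = azurerm_role_definition.mgmt_viewer.role_definition_resource_id
  principal_id       = "PRINCIPAL_OBJECT_ID" # placeholder
}

# ---- Policy: assign the built-in "Allowed locations" definition --------------

data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

resource "azurerm_resource_group_policy_assignment" "allowed_locations" {
  name                 = "mgmt-allowed-locations"
  resource_group_id    = azurerm_resource_group.management.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id

  parameters = jsonencode({
    listOfAllowedLocations = { value = ["eastus"] } # constructed: match the group's region
  })
}
```

"Allowed locations" is a deny-effect policy, so there is nothing for `azurerm_policy_insights_remediation` to remediate; a remediation task only applies to deployIfNotExists or modify definitions, and such an assignment also needs a managed identity (an `identity` block on the assignment) with a role that lets it perform the deployment.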