我正在尝试使用Terraform设置我的天蓝色基础设施,到目前为止它非常成功。我们的应用程序开发团队需要在AzureAD应用程序的清单中定义应用程序特定的角色,我们目前使用Azure门户处理它,只需修改清单:
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"description": "Creators can create Surveys",
"value": "SurveyCreator"
}
]
使用Terraform我创建了一个azurerm_azuread_application
,现在想要相应地修改清单。
resource "azurerm_azuread_application" "test" {
name = "APP"
homepage = "http://APPHOMEPAGE"
identifier_uris = ["http://APPHOMEPAGE"]
reply_urls = ["http://APPHOMEPAGE/REPLYURL"]
available_to_other_tenants = false
oauth2_allow_implicit_flow = false
}
有没有办法通过仅使用Terraform来实现这一目标?
要将角色分配给AD App,您可以参考azurerm_role_assignment。
用法示例(自定义角色和服务主体)
data "azurerm_subscription" "primary" {}
data "azurerm_client_config" "test" {}
resource "azurerm_role_definition" "test" {
role_definition_id = "00000000-0000-0000-0000-000000000000"
name = "my-custom-role-definition"
scope = "${data.azurerm_subscription.primary.id}"
permissions {
actions = ["Microsoft.Resources/subscriptions/resourceGroups/read"]
not_actions = []
}
assignable_scopes = [
"${data.azurerm_subscription.primary.id}",
]
}
resource "azurerm_role_assignment" "test" {
name = "00000000-0000-0000-0000-000000000000"
scope = "${data.azurerm_subscription.primary.id}"
role_definition_id = "${azurerm_role_definition.test.id}"
principal_id = "${data.azurerm_client_config.test.service_principal_object_id}"
}