I am fetching a role definition from Azure in terraform with the following:
data "azurerm_role_definition" "test_role" {
  name  = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}
I am trying to create a role assignment with terraform:
resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id = data.azurerm_role_definition.test_role.id
  ...
}
But when I run terraform plan I get an error:
Error: Value must be a valid UUID
I also tried:
resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id = data.azurerm_role_definition.test_role.role_definition_id
  ...
}
which gives me the same error message.
Do you know how to get the UUID of a role in terraform?
As mentioned in the comments:
You are mixing up different kinds of role assignment. What you are looking for is the RBAC assignment azurerm_role_assignment.
I tried the code below and received the same error:
resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = azurerm_role_definition.aks_cluster_admin_role.id
  principal_object_id = azuread_group.aks_admins_group.id
  resource_object_id  = azurerm_kubernetes_cluster.example.id
}
Error:
Value must be a valid UUID
│
│ with azuread_app_role_assignment.aks_test_assignment,
│ on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
│ 225: resource_object_id = azurerm_kubernetes_cluster.example.id
The resource_object_id here must be the object ID of a service principal. A service principal can be obtained by creating an application in Azure AD.
or
when using a system-assigned identity, you must use the ID of the system-managed identity.
Azure AD roles are different from azurerm roles:
Try the code below:
resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
  principal_id       = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}
or
resource "azurerm_role_definition" "aks_cluster_admin_role" {
  # A custom role cannot reuse a built-in role name such as "Network Contributor".
  name        = "AKSClusterAdminRole"
  description = "Allows management network of an AKS cluster"
  scope       = "/subscriptions/f10xxxxa71c"
  permissions {
    actions = [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerService/locations/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    azurerm_kubernetes_cluster.example.id
  ]
}
data "azuread_service_principal" "aks-aci_identity" {
  display_name = "sp${azurerm_kubernetes_cluster.example.name}"
  depends_on   = [azurerm_kubernetes_cluster.example]
}
resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
  scope                = azurerm_virtual_network.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_service_principal.aks-aci_identity.object_id
}
resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
  scope                = azurerm_subnet.example-aci.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.object_id
}
resource "azurerm_role_assignment" "example" {
  scope = azurerm_kubernetes_cluster.example.id
  # A built-in role referenced by its display name uses role_definition_name,
  # not role_definition_id (which expects a role definition resource ID).
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.object_id
}
Reference:
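The pattern the question was after, written out end to end as an added example (not code from the question or the answer): look up a built-in role definition with the azurerm provider, pick the principal from Azure AD, and bind the two with azurerm_role_assignment rather than azuread_app_role_assignment. The group name, resource group name and output name are assumptions; the scope is deliberately a single resource group rather than the whole subscription so the grant is no wider than it needs to be.

```hcl
# Added example, not from the original post. All display names below are
# assumed placeholders; replace them with values from your own tenant.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Built-in role looked up by name. The data source exposes both the full
# resource ID (.id) and the bare GUID (.role_definition_id).
data "azurerm_role_definition" "reader" {
  name  = "Reader"
  scope = data.azurerm_subscription.current.id
}

# The principal that receives the role: an Azure AD group (assumed name).
data "azuread_group" "aks_admins" {
  display_name = "aks-admins" # assumption
}

# Assignment scope: one resource group (assumed name), not the subscription,
# so the Reader grant stays as narrow as the requirement.
data "azurerm_resource_group" "aks" {
  name = "rg-aks-example" # assumption
}

# RBAC assignment. role_definition_id takes the role definition resource ID,
# which is what the data source's .id attribute holds; the bare GUID in
# .role_definition_id is the value the question was trying to reuse as an
# app role ID, which is a different (Azure AD application) concept.
resource "azurerm_role_assignment" "aks_admins_reader" {
  scope              = data.azurerm_resource_group.aks.id
  role_definition_id = data.azurerm_role_definition.reader.id
  principal_id       = data.azuread_group.aks_admins.object_id
}

output "reader_role_guid" {
  description = "Bare GUID of the Reader role definition (assumed output name)"
  value       = data.azurerm_role_definition.reader.role_definition_id
}
```

For a built-in role the lookup can be skipped entirely by setting `role_definition_name = "Reader"` on the assignment instead of `role_definition_id`; the data source is mainly useful when you need the GUID or resource ID elsewhere, or when the role is a custom one.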