Azure 无法从 terraform 中的角色获取 UUID

问题描述 投票:0回答:2

我正在使用以下命令从 Azure 获取 terraform 中的角色定义:

data "azurerm_role_definition" "test_role" {
  name = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

我正在尝试使用 terraform 创建角色分配:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  ...
}

但是当我运行 terraform plan 时出现错误:

错误:值必须是有效的 UUID

我也试过:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.role_definition_id
  ...
}

这给了我同样的错误信息。

你知道如何在 terraform 中获取角色的 UUID 吗?

azure terraform uuid roles
2个回答
0
投票

如评论中所述:

你混淆了不同的角色分配。你要找的是RBAC赋值azurerm_role_assignment


0
投票

我尝试了下面的代码并收到了同样的错误:

resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         =azurerm_role_definition.aks_cluster_admin_role.id
  principal_object_id = azuread_group.aks_admins_group.id
  resource_object_id  = azurerm_kubernetes_cluster.example.id
}

错误:

Value must be a valid UUID
│
│   with azuread_app_role_assignment.aks_test_assignment,
│   on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
│  225:   resource_object_id  = azurerm_kubernetes_cluster.example.id

这里的 resource_object_id 必须是 service principal object Id 。 服务主体可以通过在 azure ad 中创建应用程序获得。

使用系统分配身份时,必须使用系统管理身份的id。

Azure 广告角色不同于 azurerm 角色:

试试下面的代码:

resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
  principal_id=     azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

resource "azurerm_role_definition" "aks_cluster_admin_role" {
  name        = "Network Contributor" #"AKSClusterAdminRole"
  description = "Allows management network of an AKS cluster"
  scope       = "/subscriptions/f10xxxxa71c"
  permissions {
    actions     = [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerService/locations/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    azurerm_kubernetes_cluster.example.id
  ]
}

data "azuread_service_principal" "aks-aci_identity" {
  display_name = "sp${azurerm_kubernetes_cluster.example.name}"
  depends_on   = [azurerm_kubernetes_cluster.example]
}

resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
  scope                = azurerm_virtual_network.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id
}

resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
  scope                = azurerm_subnet.example-aci.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id

}
resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = "Network Contributor"
  principal_id=     data.azuread_service_principal.aks-aci_identity.id

}

参考:

  1. Aks 问题 | Github
  2. Azure 角色分配 Acr /aks |计算器
© www.soinside.com 2019 - 2024. All rights reserved.