Creating a managed system identity for VM instances with Terraform in Azure

Question

Trying to create a managed system identity for a VM using Terraform. This is the error: Status = 404 Code = "MissingSubscription"

Trying to create a managed system identity for the VM. Here is the code snippet:

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "contributor" {
  name               = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
  scope              = "${var.subscription_id}"
  #scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
}

Running terraform apply produces the following error:

Error:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

I tried to follow the example described here - https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html, but it looks like if I change my scope back to scope = "${data.azurerm_subscription.primary.id}", it errors with:

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."
Tags: terraform terraform-provider-azure

1 answer

There are several problems here:

  1. The name field of the azurerm_role_assignment resource must be a GUID; in your code it has square brackets.
  2. role_definition_id must be a single expression evaluation, e.g. only ${data.azurerm_builtin_role_definition.contributor.id}

The correct way to create this example is:

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "contributor" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}

Assuming the tenant_object_id variable is indeed an existing service principal ID in the primary subscription.
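Added example (editor's code, not from the question or the answer above) showing the pattern this thread is circling around, in current azurerm provider syntax. Two points the thread only states indirectly: the managed identity itself is created by the `identity { type = "SystemAssigned" }` block on the VM resource, not by the role assignment, and `scope` must be a full ARM resource ID such as `/subscriptions/<id>` or a resource group ID, never a bare subscription GUID (a bare GUID is why the request path in the question's 404 carried no subscription). Each VM's `principal_id` is read back from its own identity block, `name` is left for the provider to generate as a fresh GUID, and the role is Reader on the resource group rather than Contributor on the whole subscription. The resource group name, address ranges, VM size, image and SSH key path are assumptions for the example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "primary" {}

# Assumed resource group and network for the Consul VMs.
resource "azurerm_resource_group" "consul" {
  name     = "rg-consul-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "consul" {
  name                = "vnet-consul"
  resource_group_name = azurerm_resource_group.consul.name
  location            = azurerm_resource_group.consul.location
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "consul" {
  name                 = "snet-consul"
  resource_group_name  = azurerm_resource_group.consul.name
  virtual_network_name = azurerm_virtual_network.consul.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_network_interface" "consul" {
  count               = 3
  name                = "nic-consul-${count.index}"
  resource_group_name = azurerm_resource_group.consul.name
  location            = azurerm_resource_group.consul.location

  ip_configuration {
    name                          = "primary"
    subnet_id                     = azurerm_subnet.consul.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "consul" {
  count                 = 3
  name                  = "consul-${count.index}"
  resource_group_name   = azurerm_resource_group.consul.name
  location              = azurerm_resource_group.consul.location
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.consul[count.index].id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub") # assumed key path
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  # This block is what creates the system-assigned managed identity.
  identity {
    type = "SystemAssigned"
  }
}

# One role assignment per VM, bound to that VM's own identity.
# scope is a full ARM resource ID; name is omitted so the provider
# generates a GUID per assignment instead of reusing a fixed one.
resource "azurerm_role_assignment" "consul" {
  count                = length(azurerm_linux_virtual_machine.consul)
  scope                = azurerm_resource_group.consul.id
  role_definition_name = "Reader"
  principal_id         = azurerm_linux_virtual_machine.consul[count.index].identity[0].principal_id
}
```

After `terraform apply`, `az role assignment list --assignee <principal_id> --output table` for any of the VMs' principal IDs should show exactly one Reader assignment scoped to the resource group. If the workload really needs Contributor at subscription scope, change `scope` to `data.azurerm_subscription.primary.id`, which is the `/subscriptions/<id>` form the API expects; passing the bare GUID from a variable reproduces the MissingSubscription error.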
