In this scenario I have to grant access to multiple Azure resources to a specific group, and I can only do this using Terraform. Example:

Azure group name: India Group (there are 5-6 users in this group)
Azure subscription name: India
Azure resource, SQL database: SQL-db-1
Azure resource, Key Vault: India-key-vlt-1
Azure resource, storage account: India-acnt-1
And more of the same kind: PostgreSQL, storage accounts, blobs .....
Answer 0: (score: 0)
I think you do not need to care about how the group accesses the resources. What you need to care about is how to access the resources when necessary.
Usually, we use a service principal and assign it roles that contain the appropriate permissions to access the resources. You can take a look at What is role-based access control (RBAC) for Azure resources and Create a service principal via CLI.
In Terraform, I assume you want to get secrets from Key Vault. Here is an example:
# Provider pinning. The original snippet used azuread 1.x argument names
# (name, homepage, reply_urls, available_to_other_tenants, ...) that
# azuread 2.x renamed; the block below uses the 2.x names.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the identity running Terraform; replaces a hand-maintained var.tenant_id.
data "azurerm_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example"]   # Azure AD rejects arbitrary http:// identifier URIs
  sign_in_audience = "AzureADMyOrg"      # single tenant (was available_to_other_tenants = false)

  web {
    homepage_url  = "https://homepage"
    redirect_uris = ["https://replyurl/"]
    implicit_grant {
      access_token_issuance_enabled = true   # was oauth2_allow_implicit_flow = true
    }
  }
}

resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false
  tags                         = ["example", "tags", "here"]
}

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_key_vault" "example" {
  name                        = "testvault"   # vault names are DNS labels and must be globally unique
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  # soft_delete_enabled was removed in azurerm 3.x (soft delete is always on).
  # Purge protection is what stops a compromised principal from permanently
  # destroying secrets; leave it false only in throwaway environments.
  purge_protection_enabled    = false
  sku_name                    = "standard"

  # Least privilege for the service principal: read-only, and only what it needs.
  # Permission names are case-sensitive in azurerm 3.x ("Get", not "get").
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azuread_service_principal.example.object_id

    key_permissions     = ["Get"]
    secret_permissions  = ["Get"]
    storage_permissions = ["Get"]
  }

  # Deny by default; only trusted Microsoft services bypass the firewall.
  # Add ip_rules or virtual_network_subnet_ids for the clients (and the
  # machine running Terraform) that must reach the vault's data plane.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

  tags = {
    environment = "Testing"
  }
}
Then you can access the Key Vault through the service principal to get secrets or keys. You can also look at the example controls Key Vault via python.
For other resources, you first need to understand the resource itself before you can know how to access it in a suitable way. Finally, you can implement it with Terraform.
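The question asks how to give an existing Azure AD group access to several existing resources, which is a role-assignment problem rather than a Key Vault access-policy problem. The following is an added example, not code from the original question or answer: it looks up the group and the resources named in the question and grants the group built-in data-plane roles at resource scope. The group display name "India Group", the resource group name, the SQL server ID and the storage account name are assumptions (the storage account name is lowercased without hyphens because Azure only accepts 3-24 lowercase letters and digits). The Key Vault role only takes effect if the vault has `enable_rbac_authorization = true`; a vault using access policies, as in the answer above, ignores RBAC data-plane roles.

```hcl
# Added example: grant an Azure AD group least-privilege access to the
# resources from the question. Names marked "assumed" are not from the page.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

variable "resource_group_name" { type = string }   # assumed: RG holding the resources
variable "sql_server_id"       { type = string }   # assumed: ID of the server hosting SQL-db-1

# Look up the existing group and resources rather than creating new ones.
data "azuread_group" "india" {
  display_name     = "India Group"   # assumed display name
  security_enabled = true
}

data "azurerm_key_vault" "india" {
  name                = "India-key-vlt-1"
  resource_group_name = var.resource_group_name
}

data "azurerm_storage_account" "india" {
  name                = "indiaacnt1"   # "India-acnt-1" normalised to a valid storage name
  resource_group_name = var.resource_group_name
}

data "azurerm_mssql_database" "india" {
  name      = "SQL-db-1"
  server_id = var.sql_server_id
}

# Data plane: read secrets only. Requires enable_rbac_authorization = true on the vault.
resource "azurerm_role_assignment" "kv_secrets_user" {
  scope                = data.azurerm_key_vault.india.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azuread_group.india.object_id
}

# Data plane: read blobs only; no rights over the account configuration or keys.
resource "azurerm_role_assignment" "blob_reader" {
  scope                = data.azurerm_storage_account.india.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = data.azuread_group.india.object_id
}

# Control plane only: the group can manage the database resource in ARM.
# This does NOT grant access to the data inside it. Row-level access needs
# an Azure AD contained user created in the database itself
# (CREATE USER [India Group] FROM EXTERNAL PROVIDER), which Terraform's
# azurerm provider does not manage.
resource "azurerm_role_assignment" "sql_db_contributor" {
  scope                = data.azurerm_mssql_database.india.id
  role_definition_name = "SQL DB Contributor"
  principal_id         = data.azuread_group.india.object_id
}
```

Assigning roles to the group rather than to each of the 5-6 users keeps membership changes out of Terraform state: adding or removing a user in Azure AD is enough, and `terraform plan` stays clean. Scoping each assignment to the individual resource, not the subscription "India", means a compromised member account can read only the vault secrets and blobs listed here and nothing else in the subscription. The same pattern extends to the PostgreSQL and additional storage accounts mentioned in the question by adding a data source and a role assignment per resource.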