Azure AD SP-rbac的等效terraform代码是什么?

时间:2019-04-25 14:31:55

标签: azure azure-active-directory terraform azure-cli

为了进行集成,对方服务要求运行以下命令(在订阅范围内创建一个仅具有 Reader 角色的服务主体):

az ad sp create-for-rbac --role reader --scopes /subscriptions/{subscription_id}

我不是在运行命令,而是想知道az ad sp create-for-rbac的等效Terraform代码是什么?

2 个答案:

答案 0 :(得分:1)

# Azure AD provider: owns the app registration, its service principal and the
# credential created further down.
provider "azuread" {
  version = "=0.3.0"
}

# App registration (the "application") the service principal is backed by.
resource "azuread_application" "auth" {
  name = "auth"
}

# Service principal for the application. Its `.id` is what the role
# assignment below consumes as principal_id (the SP object ID, not the
# application/client ID).
resource "azuread_service_principal" "auth" {
  application_id = "${azuread_application.auth.application_id}"
}

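# Secret for the service principal.
# NOTE(review): random_string prints its result in plan/apply output and in
# state. `random_password` (random provider >= 2.2) keeps it out of plan
# output; either way the value sits in plaintext in the state file, so the
# state backend must be protected like any other secret store.
resource "random_string" "password" {
  length  = 16
  special = true
  # NOTE(review): the allowed special characters include a space, so the secret
  # may begin or end with whitespace, which is easy to mangle when pasted into
  # CLI arguments or CI variables — consider dropping the trailing space.
  override_special = "/@\" "
}

# Client secret bound to the SP. It expires 240h (10 days) after creation;
# Terraform will not renew it on its own, so plan to rotate (taint/recreate)
# before the end date or the integration silently stops authenticating.
resource "azuread_service_principal_password" "auth" {
  service_principal_id = "${azuread_service_principal.auth.id}"
  value                = "${random_string.password.result}"
  end_date_relative    = "240h"
}

# Marked sensitive so the secret is redacted from apply summaries and the
# `terraform output` listing; it can still be read deliberately with
# `terraform output client_secret` or `terraform output -json`.
output "client_secret" {
  value       = "${random_string.password.result}"
  description = "Client Secret"
  sensitive   = true
}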

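# Azure Resource Manager provider: only needed here for the role assignment.
provider "azurerm" {
  version = "=1.24.0"
}

# Subscription the provider is authenticated against. Its id is the assignment
# scope, i.e. the `--scopes /subscriptions/{subscription_id}` of the CLI command.
# (The unused `azurerm_client_config` data source from the original was dropped.)
data "azurerm_subscription" "primary" {}

# Equivalent of `--role reader`: read-only access at subscription scope.
# principal_id must be the SP object ID (azuread_service_principal.*.id),
# not the application (client) ID.
resource "azurerm_role_assignment" "auth" {
  scope                = "${data.azurerm_subscription.primary.id}"
  role_definition_name = "Reader"
  principal_id         = "${azuread_service_principal.auth.id}"
}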

答案 1 :(得分:0)

我必须给第二个提供程序添加一个别名,这样才能正常工作。在 Terraform 0.12 中,我无法在不加别名的情况下同时使用两个不同的 Azure 提供程序(Azure Resource Manager 和 Azure Active Directory)。(注:别名通常只在同一提供程序需要多个配置时才是必需的;azuread 与 azurerm 是不同的提供程序类型,一般不需要别名——下面的配置之所以保留别名,是因为数据源和角色分配都以 `azurerm.azure_rm` 引用了它。)


# Azure AD provider: application, service principal and credential.
provider "azuread" {
 version = "~> 0.3"

}

# Azure Resource Manager provider. The alias is not strictly required —
# azuread and azurerm are distinct provider types — but the data source and
# the role assignment reference it as azurerm.azure_rm, so it is kept.
provider "azurerm" {
 version = "~>1.44.0"
 alias   = "azure_rm"
}

# Current subscription; its id becomes the role-assignment scope.
data "azurerm_subscription" "primary" {
 provider = azurerm.azure_rm
}


# Random secret for the SP; length and character set come from variables.
# NOTE(review): the result appears in plan output and in state — treat the
# state backend as secret material.
resource "random_string" "password" {
 length           = var.password_length
 special          = var.password_special
 override_special = var.password_override_special
}

# App registration, named from a variable.
resource "azuread_application" "auth" {
 name = var.application_name
}

# Service principal backing the application; `.id` is its object ID.
resource "azuread_service_principal" "auth" {
 application_id = azuread_application.auth.application_id
}

# Client secret attached to the SP, valid for 240h (10 days) from creation.
# It is not renewed automatically — rotate before it expires.
resource "azuread_service_principal_password" "auth" {
 service_principal_id = azuread_service_principal.auth.id
 value                = random_string.password.result
 end_date_relative    = "240h"
}

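# Equivalent of `az ad sp create-for-rbac --role reader --scopes /subscriptions/<id>`.
# The original answer granted Contributor here, which is far broader than the
# read-only role the question asked for; least privilege says grant Reader (or
# a narrower custom role / resource-group scope) unless the integration must
# write. principal_id must be the SP object ID, not the application (client) ID.
resource "azurerm_role_assignment" "auth" {
 provider             = azurerm.azure_rm
 scope                = data.azurerm_subscription.primary.id
 role_definition_name = "Reader"
 principal_id         = azuread_service_principal.auth.id
}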

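# Subscription scope the role was assigned at.
output "subscription-id" {
 value       = data.azurerm_subscription.primary.id
 description = "subscription"
}

# Tenant the SP lives in (the `--tenant` for `az login --service-principal`).
output "tenant" {
 value       = data.azurerm_subscription.primary.tenant_id
 description = "tenant"
}

# Client secret. Marked sensitive so it is redacted from apply summaries and
# the `terraform output` listing; it is still stored in plaintext in state, so
# protect the backend. Read it deliberately with `terraform output password`
# or `terraform output -json`.
output "password" {
 value       = random_string.password.result
 description = "password"
 sensitive   = true
}

# Despite the name, this is the application (client) ID — the username for
# `az login --service-principal -u` — not the display name.
output "name" {
 value       = azuread_application.auth.application_id
 description = "name"
}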