
Terraform-Azure: Grant Access to azure resource for group

Experts,

I have a situation where I have to grant access on multiple Azure resources to a particular group, and I have to do this using Terraform only.

Example:

Azure Group Name: India-group (there are 5-6 users in this group)
Azure Subscription name: India
Azure Resource SQL Database: SQL-db-1
Azure Resource Key-Vault: India-key-vlt-1
Azure Resource Storage Account: India-acnt-1

and many more like PostgreSQL, storage account, blob...

I think you do not need to care about how the resource group can access the resources. What you need to care about is how to access the resources when it's necessary.

Generally, we use a service principal that is assigned roles containing the appropriate permissions to access the resources. You can take a look at "What is role-based access control (RBAC) for Azure resources" and "Create a service principal via CLI".

In Terraform, I assume you want to get the secrets from the Key Vault. Here is an example:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the credentials running Terraform; replaces the undeclared
# var.tenant_id used in the original snippet.
data "azurerm_client_config" "current" {}

# App registration backing the service principal. The azuread v2 schema
# dropped `name`, `homepage`, `reply_urls` and `oauth2_allow_implicit_flow`;
# a service principal used by automation does not need the implicit grant,
# so it stays disabled here.
resource "azuread_application" "example" {
  display_name     = "example"
  sign_in_audience = "AzureADMyOrg" # single tenant, as available_to_other_tenants = false did
}

resource "azuread_service_principal" "example" {
  client_id                    = azuread_application.example.client_id
  app_role_assignment_required = false

  tags = ["example", "tags", "here"]
}

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_key_vault" "example" {
  name                        = "testvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  # Soft delete is always on in azurerm 3.x; the old soft_delete_enabled argument was removed.
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  # Access policy for the service principal: read-only ("Get"), nothing more.
  # Permission names are case-sensitive in azurerm 3.x ("Get", not "get").
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = azuread_service_principal.example.object_id

    key_permissions = [
      "Get",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }

  # Deny public network access by default; only trusted Azure services bypass the vault firewall.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

  tags = {
    environment = "Testing"
  }
}

Then you can access the key vault to get the secrets or keys through the service principal. You can also take a look at the example that controls Key Vault via Python.

For other resources, you need to learn about the resource itself first, and then you will know how to access it in a suitable way. Finally, you can use Terraform to achieve it.
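The question is about an existing Azure AD group (India-group), not a service principal. As an added example that is not part of the answer above, the following Terraform grants that group least-privilege access to each resource named in the question through scoped azurerm_role_assignment resources. The resource group name "India-rg", the SQL server name "india-sql-srv", the normalised storage account name "indiaacnt1" and the chosen built-in roles are assumptions; the group, vault, database and subscription names come from the question.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# The group already exists in Azure AD; look it up by display name (from the question).
data "azuread_group" "india" {
  display_name     = "India-group"
  security_enabled = true
}

# Existing resources from the question. The resource group "India-rg" and the
# SQL server "india-sql-srv" are assumptions. Storage account names must be
# 3-24 lowercase letters/digits, so "India-acnt-1" is assumed to be "indiaacnt1".
data "azurerm_key_vault" "india" {
  name                = "India-key-vlt-1"
  resource_group_name = "India-rg"
}

data "azurerm_storage_account" "india" {
  name                = "indiaacnt1"
  resource_group_name = "India-rg"
}

data "azurerm_mssql_server" "india" {
  name                = "india-sql-srv"
  resource_group_name = "India-rg"
}

data "azurerm_mssql_database" "india" {
  name      = "SQL-db-1"
  server_id = data.azurerm_mssql_server.india.id
}

# One entry per resource: the narrowest scope (the resource itself, never the
# subscription) and the least-privileged built-in role that still does the job.
# Add entries here for PostgreSQL, blob containers and the rest.
locals {
  india_group_grants = {
    key_vault_secrets = {
      scope = data.azurerm_key_vault.india.id
      role  = "Key Vault Secrets User" # data-plane read of secrets; needs enable_rbac_authorization on the vault
    }
    storage_blob_read = {
      scope = data.azurerm_storage_account.india.id
      role  = "Storage Blob Data Reader" # data-plane read of blobs, no write/delete
    }
    sql_db_reader = {
      scope = data.azurerm_mssql_database.india.id
      role  = "Reader" # control plane only: lets the group see the database, not query it
    }
  }
}

# One role assignment per grant, all bound to the group's object id, so
# membership changes in India-group need no Terraform change.
resource "azurerm_role_assignment" "india_group" {
  for_each = local.india_group_grants

  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = data.azuread_group.india.object_id
}
```

Two caveats a practitioner should check before relying on this. "Key Vault Secrets User" only has effect on a vault with enable_rbac_authorization = true; on a vault that still uses access policies, grant the group with an azurerm_key_vault_access_policy resource keyed on the same object_id instead, and do not keep both. Azure RBAC on an Azure SQL database controls management of the resource only; for the group to actually run queries against SQL-db-1 it must also be created as a contained database user from the external provider by the server's Azure AD admin, which is a T-SQL step outside Azure RBAC. The identity running terraform apply needs Owner or User Access Administrator at each scope to create the assignments.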

Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you need to repost, please cite this site's URL or the original source. For any questions, contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM