
Terraform-Azure: Grant Access to azure resource for group

Experts,

I have a situation where I have to grant access on multiple Azure resources to a particular group, and I have to do this using Terraform only. Example:

- Azure Group Name: India-group (5-6 users are in this group)
- Azure Subscription name: India
- Azure Resource SQL Database: SQL-db-1
- Azure Resource Key-Vault: India-key-vlt-1
- Azure Resource Storage Account: India-acnt-1

and many more like PostgreSQL, storage account, blob...

I think you do not need to care about how the resource group can access the resources. What you need to care about is how to access the resources when it's necessary.

Generally, we use a service principal that is assigned roles containing the appropriate permissions to access the resources. You can take a look at What is role-based access control (RBAC) for Azure resources and Create a service principal via CLI.

In Terraform, I assume you want to get the secrets from the KeyVault. Here is an example:

provider "azurerm" {
  features {}
}

# Tenant ID used for the Key Vault and its access policy; declared here so the
# var.tenant_id references below resolve (pass it with -var or a tfvars file).
variable "tenant_id" {
  type        = string
  description = "Azure AD tenant ID that owns the Key Vault and the service principal"
}

# Azure AD application that backs the service principal.
resource "azuread_application" "example" {
  name                       = "example"
  homepage                   = "http://homepage"
  identifier_uris            = ["http://uri"]
  reply_urls                 = ["http://replyurl"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

# Service principal that will be granted access to the vault.
resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false

  tags = ["example", "tags", "here"]
}

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_key_vault" "example" {
  name                        = "testvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = var.tenant_id
  soft_delete_enabled         = true
  purge_protection_enabled    = false

  sku_name = "standard"

  # Access policy granting the service principal read-only ("get") access to
  # keys, secrets and storage accounts managed by the vault.
  # Note: azurerm provider 3.x and later expects the capitalised form "Get".
  access_policy {
    tenant_id = var.tenant_id
    object_id = azuread_service_principal.example.object_id

    key_permissions = [
      "get",
    ]

    secret_permissions = [
      "get",
    ]

    storage_permissions = [
      "get",
    ]
  }

  # Deny all network access by default; only trusted Azure services bypass it.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

  tags = {
    environment = "Testing"
  }
}

Then you can access the key vault to get the secrets or keys through the service principal. You can also take a look at the example that controls Key Vault via Python.

For other resources, you need to learn about the resource itself first, and then you can know how to access it in a suitable way. Finally, you can use Terraform to achieve it.
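The question asks about granting an existing Azure AD group access to several resources, which Azure RBAC handles with role assignments scoped to each resource rather than with per-resource access policies. The following is an added example and is not part of the answer above: it looks up the group by display name and assigns a narrow data-plane role on each resource with one `azurerm_role_assignment` per entry of a map. The resource group name `rg-india`, the storage account name `indiaacnt1` (storage account names cannot contain hyphens) and the SQL server name `india-sql-srv` are assumed placeholders; the group and resources are assumed to already exist.

```hcl
# Added example: grant the group "India-group" least-privilege roles on
# existing resources. Names below are assumptions, not values from the thread.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# The group is managed elsewhere; we only need its object ID.
data "azuread_group" "india" {
  display_name = "India-group"
}

data "azurerm_key_vault" "india" {
  name                = "India-key-vlt-1"
  resource_group_name = "rg-india" # assumed
}

data "azurerm_storage_account" "india" {
  name                = "indiaacnt1" # assumed
  resource_group_name = "rg-india"   # assumed
}

data "azurerm_mssql_server" "india" {
  name                = "india-sql-srv" # assumed
  resource_group_name = "rg-india"      # assumed
}

data "azurerm_mssql_database" "india" {
  name      = "SQL-db-1"
  server_id = data.azurerm_mssql_server.india.id
}

# One entry per (scope, role). Data-plane reader roles keep the grant minimal;
# the Key Vault role only takes effect if the vault uses the RBAC permission
# model (enable_rbac_authorization = true) instead of access policies.
locals {
  group_role_assignments = {
    kv_secrets_user = {
      scope = data.azurerm_key_vault.india.id
      role  = "Key Vault Secrets User"
    }
    blob_reader = {
      scope = data.azurerm_storage_account.india.id
      role  = "Storage Blob Data Reader"
    }
    # "Reader" on the database covers the control plane only; logging in to
    # the database itself still requires an Azure AD user created inside SQL.
    sql_db_reader = {
      scope = data.azurerm_mssql_database.india.id
      role  = "Reader"
    }
  }
}

resource "azurerm_role_assignment" "india_group" {
  for_each             = local.group_role_assignments
  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = data.azuread_group.india.object_id
}
```

Adding a resource means adding one map entry, and removing an entry removes exactly that role assignment on the next apply. The identity running Terraform needs permission to create role assignments at each scope (for example "User Access Administrator" or "Owner" on the resource group).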
