[英]Accessing/referencing resources created by for_each
我目前正在尝试为我的所有订阅创建多个azurerm_role_definition
及其对应的azurerm_role_assignment
。 我想动态地执行此操作,而不是使用subscription_id
值进行硬编码。 我能够创建一个 map 的subscriptions_map
,然后使用for_each
创建azurerm_role_defitions
(s)。 但是,现在我需要引用azurerm_role_assignment
中的定义。 最好的方法是什么?
# Configure the Microsoft Azure Provider
provider "azurerm" {
features {}
}
# AD App
resource "azuread_application" "test-app" {
display_name = "test-app"
}
# Service Principal
resource "azuread_service_principal" "test-app" {
application_id = azuread_application.test-app.application_id
}
# Available subscriptions
data "azurerm_subscriptions" "available" {
}
locals {
subscriptions_map = {
for obj in data.azurerm_subscriptions.available.subscriptions.* : obj.display_name => obj
}
}
# Role definition
resource "azurerm_role_definition" "test-app" {
for_each = local.subscriptions_map
role_definition_id = "00000000-0000-0000-0000-000000000000"
name = "custom-role-definition-${each.value.display_name}"
scope = each.value.id
permissions {
actions = ["Microsoft.Resources/subscriptions/resourceGroups/read"]
not_actions = []
}
assignable_scopes = [
each.value.id,
]
}
# Role assignment
resource "azurerm_role_assignment" "test-app" {
for_each = local.subscriptions_map
name = "00000000-0000-0000-0000-000000000000"
scope = each.value.id
#Help here
role_definition_id = azurerm_role_definition.test-app.*.role_definition_resource_id
principal_id = azuread_service_principal.test-app.object_id
}
由于您在azurerm_role_definition.test-app
中使用了for_each
,因此您可以参考由键名创建的各个定义。 所以你的azurerm_role_assignment.test-app
可能是:
# Role assignment
resource "azurerm_role_assignment" "test-app" {
for_each = local.subscriptions_map
name = "00000000-0000-0000-0000-000000000000"
scope = each.value.id
#Help here
role_definition_id = azurerm_role_definition.test-app[each.key].role_definition_resource_id
principal_id = azuread_service_principal.test-app.object_id
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.