terraform - Terraform azurerm 自定义 rbac 角色在角色分配时出现连接错误
问题描述
我正在尝试创建自定义 RBAC 角色定义和分配以分配给应用注册。所有资源和定义都可以创建,但是当它执行 azurerm_role_assignment 资源时,我得到:
服务返回错误。Status=400 Code="InvalidRoleDefinitionId" Message="角色定义 ID 'xxxx-xxxx-xxxx-xxxx-xxxx' 无效
我可能有点代码盲,因为我看不出有什么问题,有什么想法吗?
resource "random_password" "aad-app-myrbac" {
length = 24
special = true
override_special = "@#$%+=_-*&[]{}?!"
}
resource "random_password" "aad-sp-myrbac" {
length = 24
special = true
override_special = "@#$%+=_-*&[]{}?!"
}
resource "azuread_application" "myrbac" {
name = "my-app-registration"
homepage = "https://localhost"
identifier_uris = [""]
reply_urls = [""]
available_to_other_tenants = false
oauth2_allow_implicit_flow = false
}
resource "azuread_application_password" "myrbac" {
application_object_id = azuread_application.myrbac.id
description = "myrbac client secret"
value = random_password.aad-app-myrbac.result
end_date_relative = "87600h"
lifecycle {
ignore_changes = [end_date_relative]
}
}
resource "azuread_service_principal" "myrbac" {
application_id = azuread_application.myrbac.application_id
}
resource "azuread_service_principal_password" "myrbac" {
service_principal_id = azuread_service_principal.myrbac.id
value = random_password.aad-sp-myrbac.result
end_date_relative = "87600h"
lifecycle {
ignore_changes = [end_date_relative]
}
}
resource "azurerm_role_definition" "myrbac" {
name = "my role definition"
scope = data.azurerm_subscription.current.id
description = "my role definition"
permissions {
actions = [
"Microsoft.Authorization/permissions/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read"
]
not_actions = []
}
assignable_scopes = [data.azurerm_subscription.current.id]
}
resource "azurerm_role_assignment" "myrbac" {
scope = data.azurerm_subscription.current.id
role_definition_id = azurerm_role_definition.myrbac.id
principal_id = azuread_service_principal.myrbac.object_id
skip_service_principal_aad_check = true
}
注释代码已被清理,为简洁起见,总角色 defs 已被削减。
解决方案
您可以使用参数role_definition_name
代替role_definition_id
并添加depends_on
如下内容:
resource "azurerm_role_assignment" "myrbac" {
scope = data.azurerm_subscription.current.id
role_definition_name = azurerm_role_definition.myrbac.name
principal_id = azuread_service_principal.myrbac.object_id
skip_service_principal_aad_check = true
depends_on = [azurerm_role_definition.myrbac]
}
它会为你工作。
推荐阅读
- php - .htaccess 从带有数字参数的 URL 重定向到带有文本参数的 URL
- python - 在 Python 中查找和连接具有多个列名的数据框
- php - 究竟是什么导致了这个 PHP 代码中的错误?
- java - 为什么我们不能使用 (==) 而不是 .equals() 方法来比较字符串对象?
- typescript - 使用 jest 时 Graphql-modules Schema 无效
- c - 如果在消息队列打开之前调用 c mq_open() 则不会连接
- php - curl_exec($handle) 不返回任何内容
- c# - 为什么我可以将 T[] 转换为 IEnumerable
尝试转换任务时出错 到任务 >? - javascript - 即使在解析输入值之后,我也会得到 NaN 作为答案
- python - Pygame 渲染文本,不显示任何内容