Terraform: how best to iterate over a set of directories and, for each iteration, apply a Gen2 ace block with an Azure AD lookup

Question

I am by no means a Terraform expert, so this may technically be impossible.

My use case: I have an ADLS Gen2 filesystem and I need to create directories inside it. Obviously these directories will have a short name, and an ace block (ACL) needs to be applied to each of them. I want some way to associate a directory name with an Azure AD group, so that I can then look the group up with the azuread_group data source, get its object ID, and apply that to the new directory.

I'll try to sketch what I'm trying to do:

dir_group_assoc = {
  "folder_name_1": "Azure AD Group 1",
  "folder_name_2": "Azure AD Group 2"
}

data "azuread_group" "group-name" {
  display_name = "Azure AD Group *" <-- replaced with the value from above K/V pair.
}

resource "azurerm_storage_data_lake_gen2_path" "sftp-root-subdirs" {
  for_each           = toset(["keys from K/V pair above"])
  path               = each.key
  filesystem_name    = azurerm_storage_data_lake_gen2_filesystem.sftp-root.name
  storage_account_id = azurerm_storage_account.working-storage_account.id
  resource           = "directory"

  ace {
    scope       = "access"
    type        = "group"
    permissions = "rwx"
    id          = data.azurerm_client_config.current_client_config.object_id["value from K/V pair above"]
  }
}

I don't know the best way, if there is one, to approach this. I'd welcome some suggestions.

Tags: azure, azure-active-directory, terraform, terraform-provider-azure

Answer

This is what I ended up coming up with, and it seems to work. If it isn't the best approach I'm open to suggestions, but it got me where I needed to be.

# Map of folder name -> Azure AD group display name.
variable "folder-ad-group" {
  type = map(string)
  default = {
    "folder_name_1" = "Azure AD Group 1",
    "folder_name_2" = "Azure AD Group 2"
  }
}

# One azuread_group lookup per map entry, keyed by folder name;
# the group is resolved by its display name.
data "azuread_group" "ad-group-lookup" {
  for_each     = var.folder-ad-group
  display_name = lookup(var.folder-ad-group, each.key)
}

# One resource per lookup result, so each.key is the folder name and
# the looked-up group's object_id feeds the ace block.
resource "azurerm_storage_data_lake_gen2_filesystem" "data-lake-sftp-path" {
  for_each           = data.azuread_group.ad-group-lookup
  name               = each.key
  storage_account_id = azurerm_storage_account.working-storage_account.id

  ace {
    scope       = "access"
    type        = "group"
    id          = lookup(data.azuread_group.ad-group-lookup, each.key).object_id
    permissions = "rwx"
  }
}

My output is exactly what you'd expect. The ACE blocks look like:

  # azurerm_storage_data_lake_gen2_filesystem.data-lake-sftp-path["folder_name_1"] will be created
  + resource "azurerm_storage_data_lake_gen2_filesystem" "data-lake-sftp-path" {
      + id                 = (known after apply)
      + name               = "folder_name_1"
      + storage_account_id = "super subscription"

      + ace {
          + id          = "object_id_of_azure_ad_group_1"
          + permissions = "rwx"
          + scope       = "access"
          + type        = "group"
        }
    }

  # azurerm_storage_data_lake_gen2_filesystem.data-lake-sftp-path["folder_name_2"] will be created
  + resource "azurerm_storage_data_lake_gen2_filesystem" "data-lake-sftp-path" {
      + id                 = (known after apply)
      + name               = "folder_name_2"
      + storage_account_id = "super subscription"

      + ace {
          + id          = "object_id_of_azure_ad_group_2"
          + permissions = "rwx"
          + scope       = "access"
          + type        = "group"
        }
    }
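The answer creates one filesystem per map entry; the question asked for directories inside a single filesystem. The following is an added example (not the asker's or answerer's code) showing the same map-driven lookup applied to azurerm_storage_data_lake_gen2_path, with a default-scope ACE so objects created later inherit the group's entry instead of falling back to the filesystem ACL. It assumes the azurerm_storage_data_lake_gen2_filesystem.sftp-root and azurerm_storage_account.working-storage_account resources named in the question exist, and that the azuread and azurerm providers are configured.

```hcl
# Constructed example: folder name -> Azure AD security group display name.
variable "folder_ad_group" {
  type = map(string)
  default = {
    "folder_name_1" = "Azure AD Group 1"
    "folder_name_2" = "Azure AD Group 2"
  }
}

# One lookup per entry. security_enabled restricts the match to security
# groups, the only kind that can appear in a storage ACL.
data "azuread_group" "folder" {
  for_each         = var.folder_ad_group
  display_name     = each.value
  security_enabled = true
}

# One directory per entry inside the existing filesystem (assumed names).
resource "azurerm_storage_data_lake_gen2_path" "folder" {
  for_each           = data.azuread_group.folder
  path               = each.key
  filesystem_name    = azurerm_storage_data_lake_gen2_filesystem.sftp-root.name
  storage_account_id = azurerm_storage_account.working-storage_account.id
  resource           = "directory"

  # Access ACE: the group's rights on the directory itself.
  ace {
    scope       = "access"
    type        = "group"
    id          = each.value.object_id
    permissions = "rwx"
  }

  # Default ACE: copied onto files and subdirectories created under this
  # directory, so new objects get the same group entry automatically.
  ace {
    scope       = "default"
    type        = "group"
    id          = each.value.object_id
    permissions = "rwx"
  }
}

# Review aid: which group object ID ended up on which directory.
output "folder_acl_assignments" {
  value = { for k, g in data.azuread_group.folder : k => g.object_id }
}
```

Because for_each iterates the data source map, a group name that does not resolve fails at plan time rather than silently producing a directory with no ACE.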
