英文:
Azure cannot get UUID from role in terraform
问题
我正在使用以下命令从 Azure 中获取 Terraform 中的角色定义:
data "azurerm_role_definition" "test_role" {
name = "Test Role"
scope = data.azurerm_subscription.test-subscription.id
}
使用角色的 ID,我尝试使用 Terraform 创建角色分配:
resource "azuread_app_role_assignment" "test_assignment" {
app_role_id = data.azurerm_role_definition.test_role.id
...
}
但是,当我运行 terraform plan
时,我收到以下错误:
> Error: Value must be a valid UUID
我还尝试过:
resource "azuread_app_role_assignment" "test_assignment" {
app_role_id = data.azurerm_role_definition.test_role.role_definition_id
...
}
这给了我相同的错误消息。你知道如何在 Terraform 中获取角色的 UUID 吗?
英文:
I am getting a role definition in terraform from azure with the following command:
data "azurerm_role_definition" "test_role" {
name = "Test Role"
scope = data.azurerm_subscription.test-subscription.id
}
With the id of the role I am trying to create a role assignment with terraform:
resource "azuread_app_role_assignment" "test_assignment" {
app_role_id = data.azurerm_role_definition.test_role.id
...
}
But when I run terraform plan I am getting the error:
> Error: Value must be a valid UUID
I also tried:
resource "azuread_app_role_assignment" "test_assignment" {
app_role_id = data.azurerm_role_definition.test_role.role_definition_id
...
}
This gave me the same error message.
Do you have any idea how to get the UUID of a role in terraform?
答案1
得分: 2
我尝试了下面的代码并收到了相同的错误:
resource "azuread_app_role_assignment" "aks_test_assignment" {
app_role_id = azurerm_role_definition.aks_cluster_admin_role.id
principal_object_id = azuread_group.aks_admins_group.id
resource_object_id = azurerm_kubernetes_cluster.example.id
}
错误信息:
值必须是有效的 UUID
│
│ 在 azuread_app_role_assignment.aks_test_assignment 中,
│ 位于 main.tf 第 225 行,在 resource "azuread_app_role_assignment" "aks_test_assignment" 中:
│ 225: resource_object_id = azurerm_kubernetes_cluster.example.id
这里 resource_object_id
必须是服务主体对象的 ID。服务主体可以从 Azure AD 中创建的应用程序中获取。
或者
当使用系统分配的身份时,必须使用系统托管身份的 ID。
Azure AD 角色与 azurerm 角色不同:
尝试以下代码:
resource "azurerm_role_assignment" "example" {
scope = azurerm_kubernetes_cluster.example.id
role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
principal_id = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}
或
resource "azurerm_role_definition" "aks_cluster_admin_role" {
name = "Network Contributor"
description = "允许管理 AKS 集群的网络"
scope = "/subscriptions/f10xxxxa71c"
permissions {
actions = [
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/locations/*"
]
not_actions = []
}
assignable_scopes = [
azurerm_kubernetes_cluster.example.id
]
}
data "azuread_service_principal" "aks-aci_identity" {
display_name = "sp${azurerm_kubernetes_cluster.example.name}"
depends_on = [azurerm_kubernetes_cluster.example]
}
resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
scope = azurerm_virtual_network.example.id
role_definition_name = "Reader"
principal_id = data.azuread_service_principal.aks-aci_identity.id
}
resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
scope = azurerm_subnet.example-aci.id
role_definition_name = "Network Contributor"
principal_id = data.azuread_service_principal.aks-aci_identity.id
}
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
principal_id = azuread_service_principal.aks-aci_identity.id
role_definition_name = "Contributor"
}
另外,以下代码也可用:
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
role_definition_name = "Contributor"
principal_id = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}
参考链接:
英文:
I tried below code and receieved same error:
resource "azuread_app_role_assignment" "aks_test_assignment" {
app_role_id =azurerm_role_definition.aks_cluster_admin_role.id
principal_object_id = azuread_group.aks_admins_group.id
resource_object_id = azurerm_kubernetes_cluster.example.id
}
Error:
Value must be a valid UUID
│
│ with azuread_app_role_assignment.aks_test_assignment,
│ on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
│ 225: resource_object_id = azurerm_kubernetes_cluster.example.id
Here resource_object_id must be service principal object Id .
Service principal can be obtained from creating application in azure ad.
Or
When the system assigned identity is used, the id of the system managed identity must be used.
Azure ad role is different from azurerm role:
Try below code:
resource "azurerm_role_assignment" "example" {
scope = azurerm_kubernetes_cluster.example.id
role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
principal_id= azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}
or
resource "azurerm_role_definition" "aks_cluster_admin_role" {
name = "Network Contributor" #"AKSClusterAdminRole"
description = "Allows management network of an AKS cluster"
scope = "/subscriptions/f10xxxxa71c"
permissions {
actions = [
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/locations/*"
]
not_actions = []
}
assignable_scopes = [
azurerm_kubernetes_cluster.example.id
]
}
data "azuread_service_principal" "aks-aci_identity" {
display_name = "sp${azurerm_kubernetes_cluster.example.name}"
depends_on = [azurerm_kubernetes_cluster.example]
}
resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
scope = azurerm_virtual_network.example.id
role_definition_name = "Reader"
principal_id = data.azuread_service_principal.aks-aci_identity.id
}
resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
scope = azurerm_subnet.example-aci.id
role_definition_name = "Network Contributor"
principal_id = data.azuread_service_principal.aks-aci_identity.id
}
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
principal_id= azuread_service_principal.aks-aci_identity.id
role_definition_name = "Contributor"
}
Also below code worked:
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1" #azurerm_container_registry.acr.id
role_definition_name = "Contributor"
principal_id = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}
Reference :
答案2
得分: 1
如在评论中讨论:
您混淆了不同的角色分配。您正在寻找的是RBAC分配azurerm_role_assignment。
英文:
As discussed in the comments:
You mixed up the different role assignments. What you are looking for is the RBAC assignment azurerm_role_assignment
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论