Azure 无法从 Terraform 中的角色获取 UUID。

huangapple go评论68阅读模式
英文:

Azure cannot get UUID from role in terraform

问题

我正在使用以下命令从 Azure 中获取 Terraform 中的角色定义:

data "azurerm_role_definition" "test_role" {
  name  = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

使用角色的 ID,我尝试使用 Terraform 创建角色分配:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  ...
}

但是,当我运行 terraform plan 时,我收到以下错误:

> Error: Value must be a valid UUID

我还尝试过:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.role_definition_id
  ...
}

这给了我相同的错误消息。你知道如何在 Terraform 中获取角色的 UUID 吗?

英文:

I am getting a role definition in terraform from azure with the following command:

data "azurerm_role_definition" "test_role" {
  name = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

With the id of the role I am trying to create a role assignment with terraform:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  ...
}

But when I run terraform plan I am getting the error:

> Error: Value must be a valid UUID

I also tried:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.role_definition_id
  ...
}

This gave me the same error message.

Do you have any idea how to get the UUID of a role in terraform?

答案1

得分: 2

我尝试了下面的代码并收到了相同的错误:

resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         = azurerm_role_definition.aks_cluster_admin_role.id
  principal_object_id = azuread_group.aks_admins_group.id
  resource_object_id  = azurerm_kubernetes_cluster.example.id
}

错误信息:

值必须是有效的 UUID
│
│   在 azuread_app_role_assignment.aks_test_assignment 中,
│   位于 main.tf 第 225 行,在 resource "azuread_app_role_assignment" "aks_test_assignment" 中:
│  225:   resource_object_id  = azurerm_kubernetes_cluster.example.id

这里 resource_object_id 必须是服务主体对象的 ID。服务主体可以从 Azure AD 中创建的应用程序中获取。

或者

当使用系统分配的身份时,必须使用系统托管身份的 ID。

Azure AD 角色与 azurerm 角色不同:

尝试以下代码:

resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
  principal_id       = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

resource "azurerm_role_definition" "aks_cluster_admin_role" {
  name        = "Network Contributor" 
  description = "允许管理 AKS 集群的网络"
  scope       = "/subscriptions/f10xxxxa71c"
  permissions {
    actions     = [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerService/locations/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    azurerm_kubernetes_cluster.example.id
  ]
}

data "azuread_service_principal" "aks-aci_identity" {
  display_name = "sp${azurerm_kubernetes_cluster.example.name}"
  depends_on   = [azurerm_kubernetes_cluster.example]
}

resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
  scope                = azurerm_virtual_network.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id
}

resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
  scope                = azurerm_subnet.example-aci.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id
}
resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
  principal_id       = azuread_service_principal.aks-aci_identity.id
  role_definition_name = "Contributor"
}

另外,以下代码也可用:

resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
  role_definition_name = "Contributor"
  principal_id  = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

参考链接:

  1. Aks issues | Github
  2. Azure role assignment Acr /aks | StackOverflow
英文:

I tried below code and receieved same error:

resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         =azurerm_role_definition.aks_cluster_admin_role.id
  principal_object_id = azuread_group.aks_admins_group.id
  resource_object_id  = azurerm_kubernetes_cluster.example.id
}

Error:

Value must be a valid UUID
│
│   with azuread_app_role_assignment.aks_test_assignment,
│   on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
│  225:   resource_object_id  = azurerm_kubernetes_cluster.example.id

Azure 无法从 Terraform 中的角色获取 UUID。

Here resource_object_id must be service principal object Id .
Service principal can be obtained from creating application in azure ad.

Or

When the system assigned identity is used, the id of the system managed identity must be used.

Azure ad role is different from azurerm role:

Azure 无法从 Terraform 中的角色获取 UUID。

Try below code:

resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
  principal_id=     azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

or

resource "azurerm_role_definition" "aks_cluster_admin_role" {
  name        = "Network Contributor" #"AKSClusterAdminRole"
  description = "Allows management network of an AKS cluster"
  scope       = "/subscriptions/f10xxxxa71c"
  permissions {
    actions     = [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerService/locations/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    azurerm_kubernetes_cluster.example.id
  ]
}

data "azuread_service_principal" "aks-aci_identity" {
  display_name = "sp${azurerm_kubernetes_cluster.example.name}"
  depends_on   = [azurerm_kubernetes_cluster.example]
}

resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
  scope                = azurerm_virtual_network.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id
}

resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
  scope                = azurerm_subnet.example-aci.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id

}


  resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
  principal_id=     azuread_service_principal.aks-aci_identity.id
  role_definition_name = "Contributor"
}

Azure 无法从 Terraform 中的角色获取 UUID。

Azure 无法从 Terraform 中的角色获取 UUID。

Also below code worked:

resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1" #azurerm_container_registry.acr.id
  role_definition_name = "Contributor"
  principal_id  = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
 
}

Azure 无法从 Terraform 中的角色获取 UUID。

Reference :

  1. Aks issues | Github
  2. Azure role assignment Acr /aks | StackOverflow

答案2

得分: 1

如在评论中讨论:

您混淆了不同的角色分配。您正在寻找的是RBAC分配azurerm_role_assignment

英文:

As discussed in the comments:

You mixed up the different role assignments. What you are looking for is the RBAC assignment azurerm_role_assignment

huangapple
  • 本文由 发表于 2023年3月3日 18:59:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/75626206.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定