How to fix a Terraform azurerm custom RBAC role that returns an error on role assignment
I am trying to create a custom RBAC role definition and an assignment of it to an app registration. All resources and definitions are created fine, but when the azurerm_role_assignment resource is applied I get:
The service returned an error. Status = 400 Code = "InvalidRoleDefinitionId" Message = "The role definition ID 'xxxx-xxxx-xxxx-xxxx-xxxx' is invalid"
I may be missing something in the code; any ideas why?
```hcl
resource "random_password" "aad-app-myrbac" {
  length           = 24
  special          = true
  override_special = "@#$%+=_-*&[]{}?!"
}

resource "random_password" "aad-sp-myrbac" {
  length           = 24
  special          = true
  override_special = "@#$%+=_-*&[]{}?!"
}

resource "azuread_application" "myrbac" {
  name                       = "my-app-registration"
  homepage                   = "https://localhost"
  identifier_uris            = [""]
  reply_urls                 = [""]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

resource "azuread_application_password" "myrbac" {
  application_object_id = azuread_application.myrbac.id
  description           = "myrbac client secret"
  value                 = random_password.aad-app-myrbac.result
  end_date_relative     = "87600h"

  lifecycle {
    ignore_changes = [end_date_relative]
  }
}

resource "azuread_service_principal" "myrbac" {
  application_id = azuread_application.myrbac.application_id
}

resource "azuread_service_principal_password" "myrbac" {
  service_principal_id = azuread_service_principal.myrbac.id
  value                = random_password.aad-sp-myrbac.result
  end_date_relative    = "87600h"

  lifecycle {
    ignore_changes = [end_date_relative]
  }
}

resource "azurerm_role_definition" "myrbac" {
  name        = "my role definition"
  scope       = data.azurerm_subscription.current.id
  description = "my role definition"

  permissions {
    actions = [
      "Microsoft.Authorization/permissions/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachineScaleSets/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/virtualNetworks/read",
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

resource "azurerm_role_assignment" "myrbac" {
  scope                            = data.azurerm_subscription.current.id
  role_definition_id               = azurerm_role_definition.myrbac.id
  principal_id                     = azuread_service_principal.myrbac.object_id
  skip_service_principal_aad_check = true
}
```
Note: the code has been sanitized, and the full role definition has been trimmed for brevity.
Solution
You can use the argument role_definition_name instead of role_definition_id and add depends_on, as shown below:
```hcl
resource "azurerm_role_assignment" "myrbac" {
  scope                            = data.azurerm_subscription.current.id
  role_definition_name             = azurerm_role_definition.myrbac.name
  principal_id                     = azuread_service_principal.myrbac.object_id
  skip_service_principal_aad_check = true

  depends_on = [azurerm_role_definition.myrbac]
}
```
It will work for you.
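The 400 comes from the value being passed, not from the assignment itself: the `id` exported by `azurerm_role_definition` is a Terraform-specific composite of the form `{roleDefinitionId}|{scope}`, and the role assignment API rejects it. Besides the `role_definition_name` workaround above, the provider also exports `role_definition_resource_id`, the plain ARM resource ID that `role_definition_id` expects, which keeps the assignment bound to the exact definition rather than a display name. The following is an added example, not the asker's or answerer's configuration; it assumes the azurerm provider exposes `role_definition_resource_id` (v2.x and later), that `data.azurerm_subscription.current` is declared as shown, and that the `azuread_service_principal.myrbac` resource from the question exists.

```hcl
# Added example (not from the original post). Assumes azurerm provider v2.x+
# and the azuread_service_principal.myrbac resource from the question.
data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "myrbac" {
  name        = "my role definition"
  scope       = data.azurerm_subscription.current.id
  description = "Read-only view of compute and network resources"

  permissions {
    # Least privilege: read-only actions only, no write or delete.
    actions = [
      "Microsoft.Authorization/permissions/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachineScaleSets/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/virtualNetworks/read",
    ]
    not_actions = []
  }

  # Restrict where this role may be assigned to the current subscription only.
  assignable_scopes = [data.azurerm_subscription.current.id]
}

resource "azurerm_role_assignment" "myrbac" {
  scope = data.azurerm_subscription.current.id

  # azurerm_role_definition.myrbac.id is "{roleDefinitionId}|{scope}", which
  # ARM rejects with InvalidRoleDefinitionId. role_definition_resource_id is
  # the ARM resource ID (/subscriptions/.../roleDefinitions/<guid>) the
  # assignment API expects, and binds the assignment to this exact definition
  # rather than to a display name that could later be reused.
  role_definition_id = azurerm_role_definition.myrbac.role_definition_resource_id
  principal_id       = azuread_service_principal.myrbac.object_id

  # Skips the provider's Azure AD lookup of the principal; only needed when
  # the service principal is created in the same apply and may not be
  # visible in the directory yet.
  skip_service_principal_aad_check = true
}

# Compare the two IDs after apply to see why the composite form fails.
output "role_definition_terraform_id" {
  value = azurerm_role_definition.myrbac.id
}

output "role_definition_arm_id" {
  value = azurerm_role_definition.myrbac.role_definition_resource_id
}
```

After `terraform apply`, `terraform output role_definition_terraform_id` shows the `|`-joined composite and `role_definition_arm_id` shows the bare resource ID; only the latter is valid for a role assignment. Referencing the definition by resource ID also avoids the lookup that `role_definition_name` performs, so the assignment cannot silently resolve to a different role if two definitions share a display name in the subscription.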