It looks like my question is related to this article, but since it got no answer, I'll ask it again.
I have an Azure DevOps project that I use to deploy static content, through a pipeline, into a container inside a storage account. I recently decided to deploy my infrastructure with Terraform alongside my code, but I've run into a problem. I managed to create all of my infrastructure with Terraform in my pipeline, except for the role assignment.
Basically I need to add a new role assignment to my storage account, which I do in the Azure portal like this:
- Go to my storage account
- Go to Access control (IAM)
- Add a new role assignment
- Select Storage Blob Data Contributor
- Click Select members
- Select my Azure DevOps project
- Review + assign
As far as I understand, in my Terraform file I should do this:
resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_role_assignment" "role_assignment" {
  scope              = azurerm_storage_account.storage_account.id
  role_definition_id = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe" # Which is the Storage Blob Data Contributor role if I'm not mistaken.
  principal_id       = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" # Which should be the Application ID?
}
Except it doesn't work. When I tried running it locally, without Azure Pipelines, to check whether it works, the process sat in the "Still creating..." state for more than 10 minutes, which seems odd since doing it by hand takes only a few seconds. I got no error at all; I just ended up cancelling the command.
What am I missing / doing wrong here?
uj5u.com user reply:
I found the problem. For principal_id you need to put the service principal's Object_ID, not your Application_ID. You end up with something like this:
main.tf
...
locals {
  # ARM scope prefix for a subscription; the segment is "subscriptions" (plural),
  # which is what the role-definition path under Microsoft.Authorization expects.
  sub                                      = "/subscriptions"
  permission_storage_blob_data_contributor = "providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"
}

data "azurerm_subscription" "primary" {}

resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_role_assignment" "role_assignment" {
  scope              = azurerm_storage_account.storage_account.id
  role_definition_id = join("/", [local.sub, data.azurerm_subscription.primary.subscription_id, local.permission_storage_blob_data_contributor])
  principal_id       = var.devops_project_object_id
}
...
variables.tf
...
variable "location" {
  type        = string
  description = "Location for the deployment"
  default     = "West Europe"
}

variable "resource_group_name" {
  type        = string
  description = "Resource Group Name"
}

variable "storage_account_name" {
  type        = string
  description = "Storage Account Name"
}

# yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy format
variable "devops_project_object_id" {
  type        = string
  description = "Object ID (principal_id) of the Azure DevOps project's service principal, linked to the Azure subscription, in Azure Active Directory."
}
...
uj5u.com user reply:
The role assignment can be simplified to this call:
resource "azurerm_role_assignment" "blob_contributor" {
  scope                = azurerm_storage_account.storage_account.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.devops_project_object_id
}
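The two answers above fix the symptom (Application ID pasted where an Object ID belongs) and simplify the role lookup. The example below, which is added here and is not code from the question or either answer, combines both points and removes the copy-paste step entirely: it resolves the service principal's object ID from the client ID inside Terraform, uses role_definition_name instead of a hand-built subscription path, and scopes the grant to the single container the pipeline writes to rather than the whole storage account. It assumes the azurerm provider 3.x (for resource_manager_id on the container and principal_type on the assignment) and the azuread provider 2.44 or later (for client_id on the service principal data source); the variable, resource and container names are hypothetical.

```hcl
# Added example, not from the original post or answers. Assumes azurerm ~> 3.0
# and azuread ~> 2.44; names such as devops_client_id and "static" are hypothetical.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.44"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# The Application (client) ID is what the Azure DevOps service connection shows.
# It identifies the app registration, not the security principal that gets roles.
variable "devops_client_id" {
  type        = string
  description = "Application (client) ID of the service connection's app registration"
}

variable "resource_group_name" {
  type = string
}

variable "storage_account_name" {
  type = string
}

variable "location" {
  type    = string
  default = "West Europe"
}

# Resolve the service principal (object ID) from the client ID so the role
# assignment can never be handed the wrong kind of GUID.
data "azuread_service_principal" "pipeline" {
  client_id = var.devops_client_id
}

resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# The container the pipeline uploads static content into (hypothetical name).
resource "azurerm_storage_container" "static" {
  name                  = "static"
  storage_account_name  = azurerm_storage_account.storage_account.name
  container_access_type = "private"
}

# Least privilege: grant write on this one container, not the whole account.
# resource_manager_id is the ARM ID the authorization API needs; the container's
# id attribute is its data-plane URL and is not a valid role-assignment scope.
resource "azurerm_role_assignment" "pipeline_blob_contributor" {
  scope                = azurerm_storage_container.static.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azuread_service_principal.pipeline.object_id
  principal_type       = "ServicePrincipal"
}

# Surfacing the resolved object ID makes a wrong client ID obvious at plan time.
output "pipeline_principal_object_id" {
  value = data.azuread_service_principal.pipeline.object_id
}
```

Two caveats when running this. The identity that executes terraform apply needs permission to read service principals in Entra ID (for the azuread data source) and Microsoft.Authorization/roleAssignments/write on the target scope (Owner or User Access Administrator), which is more than the pipeline's own Contributor connection usually has. And if you still prefer to pass the object ID in by hand, check it first with az ad sp show --id <client-id> --query id -o tsv; the provider retries role assignment creation on PrincipalNotFound to absorb directory replication lag, which is why an ID that is not a principal at all shows up as a long "Still creating..." wait rather than an immediate error.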
Please credit the source when reposting. Original link: https://www.uj5u.com/qiye/533843.html
