Setting up root tenant group assignment notifications with azurerm_role_management_policy
Every time someone requests activation of a PIM role, I am trying to enable a notification (an e-mail sent to a Slack channel). The Slack channel contains the admins who can approve the request.
I can't get this to work.
Here is the tf config:
resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true

    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    # Purpose: Sends notifications when users request to activate their eligible roles
    # When: Triggers on every PIM activation request
    eligible_activations {
      # Notifies the person requesting activation
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true                  # Include the requestor
        additional_recipients = [var.pim_slack_email] # Also notify Slack channel
      }

      # Notifies the approvers who need to action the request
      # approver_notifications {
      #   notification_level    = "Critical"
      #   default_recipients    = true                  # Include configured approvers
      #   additional_recipients = [var.pim_slack_email] # Also notify Slack channel
      # }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }

    # Purpose: Notifies when users are made eligible for roles
    # When: Triggers when PIM eligible roles are assigned
    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }

    # Purpose: Notifies when permanent role assignments are made
    # When: Triggers for direct (non-PIM) role assignments
    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false                 # Skip default admin notifications
        additional_recipients = [var.pim_slack_email] # Only notify Slack channel
      }
    }
  }
}
Could you please advise how to enable this configuration?
I expect this configuration to send a Slack e-mail whenever a user requests PIM approval.
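The posted resource sets the Slack address on the requestor and admin rules, but the approver_notifications block for eligible_activations is commented out. A practical way to see which PIM notification rule a given mailbox is actually on is to pull the role management policy from the ARM API and inspect its notification rules. The script below is an added example, not part of the question or of the azurerm provider; the policy JSON in it is constructed to mirror the posted config (it is not output from a real tenant), the mailbox value is an assumed placeholder for var.pim_slack_email, and the block-to-rule mapping follows the rule ids the Microsoft.Authorization/roleManagementPolicies API uses.

```python
"""Map azurerm_role_management_policy notification blocks to the ARM
RoleManagementPolicyNotificationRule ids and report which of them carry a
given mailbox. Example code; not from the original post or provider."""
import json

# Assumed placeholder for var.pim_slack_email (a Slack e-mail-to-channel address).
SLACK_EMAIL = "pim-approvals@example.slack.com"

# (notification_rules block, nested block) -> ARM rule id.
TF_TO_RULE_ID = {
    ("eligible_activations", "assignee_notifications"): "Notification_Requestor_EndUser_Assignment",
    ("eligible_activations", "approver_notifications"): "Notification_Approver_EndUser_Assignment",
    ("eligible_activations", "admin_notifications"):    "Notification_Admin_EndUser_Assignment",
    ("eligible_assignments", "assignee_notifications"): "Notification_Requestor_Admin_Eligibility",
    ("eligible_assignments", "approver_notifications"): "Notification_Approver_Admin_Eligibility",
    ("eligible_assignments", "admin_notifications"):    "Notification_Admin_Admin_Eligibility",
    ("active_assignments",   "assignee_notifications"): "Notification_Requestor_Admin_Assignment",
    ("active_assignments",   "approver_notifications"): "Notification_Approver_Admin_Assignment",
    ("active_assignments",   "admin_notifications"):    "Notification_Admin_Admin_Assignment",
}


def _notification_rule(rule_id, recipient_type, caller, level, default_recipients, recipients):
    """One notification rule in the shape GET .../roleManagementPolicies returns."""
    target_level = "Eligibility" if rule_id.endswith("Eligibility") else "Assignment"
    return {
        "id": rule_id,
        "ruleType": "RoleManagementPolicyNotificationRule",
        "notificationType": "Email",
        "recipientType": recipient_type,
        "notificationLevel": level,
        "isDefaultRecipientsEnabled": default_recipients,
        "notificationRecipients": list(recipients),
        "target": {"caller": caller, "operations": ["All"], "level": target_level},
    }


# CONSTRUCTED policy mirroring the posted Terraform: the Approver rule for
# end-user activation has no extra recipients because that block is commented out.
CONSTRUCTED_POLICY = {
    "name": "00000000-0000-0000-0000-000000000000",  # placeholder policy name
    "properties": {"rules": [
        _notification_rule("Notification_Requestor_EndUser_Assignment", "Requestor", "EndUser", "All", True, [SLACK_EMAIL]),
        _notification_rule("Notification_Approver_EndUser_Assignment", "Approver", "EndUser", "Critical", True, []),
        _notification_rule("Notification_Admin_EndUser_Assignment", "Admin", "EndUser", "Critical", False, [SLACK_EMAIL]),
        _notification_rule("Notification_Admin_Admin_Eligibility", "Admin", "Admin", "Critical", False, [SLACK_EMAIL]),
        _notification_rule("Notification_Admin_Admin_Assignment", "Admin", "Admin", "Critical", False, [SLACK_EMAIL]),
        {"id": "Approval_EndUser_Assignment", "ruleType": "RoleManagementPolicyApprovalRule",
         "setting": {"isApprovalRequired": True}},
    ]},
}


def load_policy(path):
    """Load a policy saved from `az rest` (see usage note) instead of the constructed one."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def notification_rules(policy):
    return [r for r in policy["properties"]["rules"]
            if r.get("ruleType") == "RoleManagementPolicyNotificationRule"]


def rules_reaching(policy, mailbox):
    """Sorted ids of notification rules whose explicit recipient list contains mailbox."""
    return sorted(r["id"] for r in notification_rules(policy)
                  if mailbox in r.get("notificationRecipients", []))


def tf_blocks_missing(policy, mailbox):
    """Terraform block paths (block.nested) whose backing rule does NOT list mailbox."""
    reached = set(rules_reaching(policy, mailbox))
    return sorted(f"{blk}.{nested}" for (blk, nested), rid in TF_TO_RULE_ID.items()
                  if rid not in reached)


def approver_mail_check(policy, mailbox):
    """Return (approval_required, approver_rule_has_mailbox) for end-user activation.
    When approval is required and the mailbox is meant for approvers, the second
    value must be True, otherwise approvers' inbox never sees the request."""
    approval = next((r for r in policy["properties"]["rules"]
                     if r.get("id") == "Approval_EndUser_Assignment"), None)
    required = bool(approval and approval.get("setting", {}).get("isApprovalRequired"))
    has_mailbox = "Notification_Approver_EndUser_Assignment" in rules_reaching(policy, mailbox)
    return required, has_mailbox


if __name__ == "__main__":
    print("rules carrying mailbox:", rules_reaching(CONSTRUCTED_POLICY, SLACK_EMAIL))
    print("blocks without mailbox:", tf_blocks_missing(CONSTRUCTED_POLICY, SLACK_EMAIL))
    print("approval required / approver rule has mailbox:", approver_mail_check(CONSTRUCTED_POLICY, SLACK_EMAIL))
```

To run it against a real tenant, save the policy with `az rest --method get --url "https://management.azure.com<scope>/providers/Microsoft.Authorization/roleManagementPolicies/<policyName>?api-version=2020-10-01" -o json > policy.json` (fill in the management-group scope and policy name from your own tenant) and pass the result to load_policy. The constructed policy reproduces the posted config, so approver_mail_check returns (True, False): approval is required, yet the Approver rule for end-user activation does not carry the Slack address.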
To configure the Azure role management policy so that PIM role activation notifications are sent to a Slack e-mail channel, follow the steps below.
Check that the e-mail address mentioned is set up correctly in Slack so that the e-mail is validated. If this fails, it will cause a blocker.
The eligible_activations and eligible_assignments blocks should follow the correct Azure policy structure for Terraform's azurerm_role_management_policy.
Once you have confirmed the above two points, check that the group information provided is valid and available in Entra ID.
Demo configuration:
resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true

    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    eligible_activations {
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = [var.pim_slack_email]
      }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }

    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }

    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = [var.pim_slack_email]
      }
    }
  }
}
Reference:
Integration between Slack and e-mail: https://clearfeed.ai/blogs/a-short-guide-to-integrating-slack-with-email