I'm trying to deploy the AzureRM built-in roles Microsoft Sentinel Reader and Storage Blob Data Contributor with Terraform.
Problem: the built-in roles are not being associated with the object ID that belongs to the Azure Function. As a result, the Azure Function does not get the Microsoft Sentinel Reader role on the Log Analytics workspace, nor the Storage Blob Data Contributor role on the storage account.
I have already tried specifying the resource IDs of the Log Analytics workspace and the storage account as plain text in the scope argument, but the problem persists. Terraform plan and apply complete without errors, and the object ID of the system-assigned identity belonging to the Azure Function is correct.
I am using the following documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
Terraform code, with sensitive data removed:
# Role Assignment for the managed identity to access the storage account - Storage Blob Data Contributor
resource "azurerm_role_assignment" "storage_account_access" {
  scope                = data.azurerm_storage_account.example_sa.id
  role_definition_name = "Storage Blob Data Contributor" # Assign the appropriate role for accessing blob data
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

# Role Assignment for the managed identity to access the log analytics workspace - Microsoft Sentinel Reader
resource "azurerm_role_assignment" "log_analytics_reader" {
  scope                = data.azurerm_log_analytics_workspace.example_la.id
  role_definition_name = "Microsoft Sentinel Reader" # Assign the appropriate role for accessing log analytics data
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

# Data block for Windows Function App
data "azurerm_windows_function_app" "example_function" {
  name                = "example_function"
  resource_group_name = "example_rg"
}

# Log Analytics Workspace resource ID
data "azurerm_log_analytics_workspace" "example_la" {
  name                = "example_la"
  resource_group_name = "example_rg"
}

output "log_analytics_workspace_id" {
  value = data.azurerm_log_analytics_workspace.example_la.id
}

# Storage Account resource ID
data "azurerm_storage_account" "example_sa" {
  name                = "example_sa"
  resource_group_name = "example_rg"
}

output "storage_account_id" {
  value = data.azurerm_storage_account.example_sa.id
}
There could be a reason the roles are not being assigned to the Function App identity. Please check the steps below.
Here is the code that assigns the roles to the Function App identity, with output blocks.
provider "azurerm" {
  features {}
}

data "azurerm_windows_function_app" "example_function" {
  name                = "venkat-app"
  resource_group_name = "Venkat"
}

data "azurerm_storage_account" "example_sa" {
  name                = "venkat8a43"
  resource_group_name = "Venkat"
}

data "azurerm_log_analytics_workspace" "example_la" {
  name                = "venkat-law"
  resource_group_name = "venkat"
}

resource "azurerm_role_assignment" "storage_account_access" {
  scope                = data.azurerm_storage_account.example_sa.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

resource "azurerm_role_assignment" "log_analytics_reader" {
  scope                = data.azurerm_log_analytics_workspace.example_la.id
  role_definition_name = "Microsoft Sentinel Reader"
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

output "azurerm_windows_function_apps" {
  value = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

output "azurerm_role_assignments" {
  value = azurerm_role_assignment.storage_account_access
}

output "azurerm_role_assignment" {
  value = azurerm_role_assignment.log_analytics_reader
}
Azure Function identity:
Output:
The Storage Blob Data Contributor role was assigned successfully.
The Microsoft Sentinel Reader role was assigned successfully.
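After `terraform apply`, the quickest way to confirm the Function App identity actually holds the two roles is to compare the effective assignments against what the configuration intended. The following script is an added example, not code from the question or the answer: it takes the JSON shape returned by `az role assignment list --assignee <principal_id> --all -o json` (trimmed to three fields), treats resource IDs as case-insensitive the way ARM does, and counts an assignment at a parent scope (resource group, subscription) as covering the child resource by inheritance. The subscription, principal and resource IDs are constructed placeholders.

```python
import json

# Constructed sample modelled on `az role assignment list --assignee <principal> --all -o json`,
# trimmed to the fields used below. Subscription, principal and resource IDs are placeholders.
SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"
PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"  # Function App system-assigned identity
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION}/resourceGroups/example_rg"
STORAGE_SCOPE = f"{RG_SCOPE}/providers/Microsoft.Storage/storageAccounts/example_sa"
LAW_SCOPE = f"{RG_SCOPE}/providers/Microsoft.OperationalInsights/workspaces/example_la"

SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    # Granted one level up, at the resource group: covers the storage account by inheritance.
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": RG_SCOPE.replace("resourceGroups", "resourcegroups")},
    # Plain Reader on the workspace is not Microsoft Sentinel Reader.
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader", "scope": LAW_SCOPE},
    # Another principal's assignment must be ignored.
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "roleDefinitionName": "Microsoft Sentinel Reader", "scope": LAW_SCOPE},
])

# The two assignments the Terraform configuration above is meant to create.
EXPECTED = {
    "Storage Blob Data Contributor": STORAGE_SCOPE,
    "Microsoft Sentinel Reader": LAW_SCOPE,
}


def _norm(scope: str) -> str:
    # ARM resource IDs are case-insensitive; compare them in a canonical form.
    return scope.rstrip("/").lower()


def covers(assigned_scope: str, wanted_scope: str) -> bool:
    """True if an assignment at assigned_scope applies to wanted_scope (same scope or an ancestor)."""
    a, w = _norm(assigned_scope), _norm(wanted_scope)
    return w == a or w.startswith(a + "/")


def missing_assignments(assignments_json: str, principal_id: str, expected: dict) -> list:
    """Return (role, scope) pairs from `expected` that principal_id does not effectively hold."""
    mine = [a for a in json.loads(assignments_json)
            if a["principalId"].lower() == principal_id.lower()]
    missing = []
    for role, scope in expected.items():
        held = any(a["roleDefinitionName"] == role and covers(a["scope"], scope) for a in mine)
        if not held:
            missing.append((role, scope))
    return missing


if __name__ == "__main__":
    for role, scope in missing_assignments(SAMPLE_ASSIGNMENTS_JSON, PRINCIPAL_ID, EXPECTED):
        print(f"MISSING: {role} on {scope}")
```

With the sample data the script reports only Microsoft Sentinel Reader as missing, because the resource-group-level Storage Blob Data Contributor grant already covers the storage account.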