如何在资源范围配置azurerm_role_management_policy?


我创建了不同的 Terraform 模块来管理 3 个不同级别的范围。订阅、资源组和资源。前两个工作正常,因为它们本质上非常通用。然而,对于最后一个,我面临范围问题。有人可以建议在特定资源级别配置范围的方式应该是什么,以允许我配置 azurerm_role_management_policy 规则吗?



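# PIM role management policy for the Key Vault, one instance per role
# definition name supplied by the caller (keys are the role names).
resource "azurerm_role_management_policy" "role_policy_resource" {
  for_each = toset(var.role_definition_names)

  # The azurerm provider accepts only management-group, subscription and
  # resource-group scopes for this resource; a Key Vault resource ID is
  # rejected at plan time ("parsing the ManagementGroup ID ... unexpected
  # segment ... present at the end of the URI").  The policy is therefore
  # anchored on the vault's resource group, derived from the vault ID so no
  # extra data source or variable is needed.
  # NOTE: this widens the policy from the single vault to every assignment of
  # the role in that resource group — confirm that is acceptable before apply.
  scope              = regex("(?i)^(/subscriptions/[^/]+/resourcegroups/[^/]+)", data.azurerm_key_vault.statickv.id)[0]
  role_definition_id = data.azurerm_role_definition.roles[each.value].id # ID of the role definition being governed

  active_assignment_rules {
    expire_after = var.role_policy_rules.active_assignment_rules_expire_after # Maximum lifetime of an active assignment
  }

  eligible_assignment_rules {
    # Hard-coded (unlike every other rule, which comes from var.role_policy_rules):
    # eligible assignments never expire.  Review whether permanent eligibility
    # is intended for the roles in var.role_definition_names.
    expiration_required = false
  }

  activation_rules {
    maximum_duration = var.role_policy_rules.activation_rules_maximum_duration # Upper bound on a single activation
    require_approval = var.role_policy_rules.activation_rules_require_approval # Whether activation needs an approver

    # The approval_stage block is only valid when approval is required, so it
    # is emitted conditionally (one element -> one block, empty -> no block).
    dynamic "approval_stage" {
      for_each = var.role_policy_rules.activation_rules_require_approval ? ["this"] : []
      content {
        primary_approver {
          object_id = var.role_policy_rules.activation_rules_approver_object_id # Object ID of the approving principal
          type      = var.role_policy_rules.activation_rules_approver_type      # Principal type of the approver
        }
      }
    }
  }

  notification_rules {
    eligible_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }
    eligible_activations {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }
    active_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }
  }

  timeouts {
    create = "10m"
    delete = "10m"
  }
}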

下面是我尝试创建上述资源时遇到的错误。

Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": parsing segment "providers": parsing the ManagementGroup ID: the segment at position 0 didn't match
│
│ Expected a ManagementGroup ID that matched:
│
│ > /providers/Microsoft.Management/managementGroups/groupIdValue
│
│ However this value was provided:
│
│ > /subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv
│
│ The parsed Resource ID was missing a value for the segment at position 0
│ (which should be the literal value "providers").
│
│
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy

如何在资源范围配置azurerm_role_management_policy?

您遇到的错误是因为 Terraform 的 azurerm 提供程序不支持在资源级别分配角色管理策略。角色管理策略块的 scope 仅支持 management groups、subscriptions 和 resource groups,而不支持单个资源。请参阅 Terraform 注册表中的文档了解更多详细信息。

enter image description here

当我尝试在 Key Vault 资源级别分配策略时,遇到相同的错误

    # Minimal azurerm provider configuration; the empty features block is
    # mandatory for this provider.
    provider "azurerm" {
      features {}
    }
    
    # Existing Key Vault whose resource ID is (incorrectly) used as the policy
    # scope below, to reproduce the question's error.
    data "azurerm_key_vault" "example" {
      name                = "venkatvault567"
      resource_group_name = "venkatesan-rg"
    }
    
    # Built-in role looked up at the vault's scope.  Note the label says
    # "mg_contributor" but the role resolved is "Owner" — a highly privileged
    # role; the label is misleading for anyone reading the policy later.
    data "azurerm_role_definition" "mg_contributor" {
      name  = "Owner"
      scope = data.azurerm_key_vault.example.id
    }
    
    # Security group that acts as the primary approver for activations.
    data "azuread_group" "example" {
      display_name     = "Venkatgroup"
      security_enabled = true
    }
    
    
    # Reads the existing policy at the vault scope.  Since the provider only
    # parses management-group, subscription and resource-group scopes, this
    # presumably fails with the same ID-parsing error as the resource below.
    data "azurerm_role_management_policy" "example" {
      scope              = data.azurerm_key_vault.example.id
      role_definition_id = data.azurerm_role_definition.mg_contributor.id
    }
    
    # Reproduction of the question's failure: the scope is a Key Vault resource
    # ID, which the provider rejects.  A working version must use a resource
    # group, subscription or management group ID as the scope.
    resource "azurerm_role_management_policy" "example" {
      scope              =  data.azurerm_key_vault.example.id
      role_definition_id = data.azurerm_role_definition.mg_contributor.id

      active_assignment_rules {
        expire_after = "P365D" # Active Owner assignments live at most one year
      }

      eligible_assignment_rules {
        expiration_required = false # Eligible assignments are permanent
      }

      activation_rules {
        maximum_duration = "PT1H" # Each activation is capped at one hour
        require_approval = true   # Activation must be approved by the group below
        approval_stage {
          primary_approver {
            object_id = data.azuread_group.example.object_id
            type      = "Group"
          }
        }
      }

      notification_rules {
        eligible_assignments {
          approver_notifications {
            notification_level    = "Critical"
            default_recipients    = false # Only the listed mailbox is notified
            additional_recipients = ["[email protected]"]
          }
        }
        eligible_activations {
          assignee_notifications {
            notification_level    = "All"
            default_recipients    = true # Default recipients plus the listed mailbox
            additional_recipients = ["[email protected]"]
          }
        }
      }
    }

回复:

enter image description here

参考:Microsoft.Authorization roleManagementPolicyAssignments
