I have created some resources in Azure using Terraform and a Service principal:
A resource group
A virtual network
A virtual machine
Now, I need to create a virtual Gateway from this resource group and virtual network, but using a personal Azure account in the same Organization.
How can I add my user email as an Administrator to this resource group, from Terraform, using the Service Principal credentials?
You can use the Terraform resource azurerm_role_assignment to add Owner permissions for your user to this resource group.
Example:
resource "azurerm_resource_group" "this" {
  name     = "example"
  location = "West Europe"
}

resource "azurerm_role_assignment" "this" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Owner"
  principal_id         = "<Your user object id>" # object id of the user, not the email
}
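The answer above takes the user's object id as a literal. As an added example (not from the answer), this looks the user up by email through the azuread provider, while the same service principal credentials are used for both providers, and grants a narrower built-in role than Owner; the email, resource names and provider versions are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

# Both providers authenticate as the service principal from the environment
# (ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID).
provider "azurerm" {
  features {}
}
provider "azuread" {}

# Hypothetical email (user principal name) of the person who will create the gateway.
variable "gateway_admin_upn" {
  type    = string
  default = "alice@example.com"
}

resource "azurerm_resource_group" "this" {
  name     = "example"
  location = "West Europe"
}

# Resolve the email to the user's object id. When authenticated as a service
# principal, this lookup needs the Microsoft Graph application permission
# User.Read.All (or Directory.Read.All) granted to that service principal.
data "azuread_user" "gateway_admin" {
  user_principal_name = var.gateway_admin_upn
}

# Network Contributor is enough to create a virtual network gateway (and its
# public IP) inside the group; Owner would additionally let the user change RBAC
# on the group. The service principal running terraform needs
# Microsoft.Authorization/roleAssignments/write on the group (Owner or
# User Access Administrator) to create this assignment.
resource "azurerm_role_assignment" "gateway_admin" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_user.gateway_admin.object_id
}

output "gateway_admin_object_id" {
  value = data.azuread_user.gateway_admin.object_id
}
```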
I need to add Azure Key Vault read access rights to the Azure App Service
resource "azurerm_role_assignment" "this" {
  scope                = data.azurerm_key_vault.this.id
  principal_id         = azurerm_linux_web_app.this.identity.0.principal_id
  role_definition_name = "Reader" # Seems not correct
}
Where can I find the correct role_definition_name for different resource types for Terraform? I think the role name is different between Azure Container Registry and Azure Key Vault?
I found the role-based access control roles on this page. But can I directly use these role names? For example:
role_definition_name = "Key Vault Secrets User"
You can have a look at the Azure built-in RBAC roles.
It would come down to:
resource "azurerm_role_assignment" "this" {
  scope                = data.azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.this.identity.0.principal_id
}
This will only work for key vaults that use the Azure role-based access control permission model.
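To make the caveat concrete, here is an added example (not from the answer) that creates a vault in the Azure RBAC permission model and assigns data-plane roles on it, assuming azurerm 3.x and an existing azurerm_linux_web_app.this with a system-assigned identity; names and the secret value are placeholders.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "example-kv-rg"
  location = "West Europe"
}

resource "azurerm_key_vault" "this" {
  name                = "example-kv-0123"
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Switch from the legacy access-policy model to Azure RBAC. Without this the
  # "Key Vault ..." data-plane role assignments below have no effect and the app
  # still gets 403s on the data plane; with it, access_policy blocks are ignored.
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# Data-plane, read-only role: the app can read secret values but cannot create or
# delete secrets, touch keys or certificates, or change vault settings.
resource "azurerm_role_assignment" "app_secrets_reader" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.this.identity[0].principal_id
}

# Whoever runs terraform also needs a data-plane role to write the secret;
# a control-plane role such as Reader or Contributor is not enough in the RBAC model.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = "placeholder-change-me" # constructed sample; generate or inject in practice
  key_vault_id = azurerm_key_vault.this.id
  # The assignment must exist before the write, otherwise the first apply fails with 403.
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}
```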
Using Terraform I have to do a role assignment on a storage account and assign access to an application (which is created by an app registration and has the API permission for Azure Storage).
But when I define the role assignment as
resource "azurerm_role_assignment" "storage_app_access_new" {
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = module.ad_application.id
  scope                = module.storage_account.id
}
the apply command hangs for a long time without an error. I suspect the issue is with the principal id; can you help?
You need to use the object ID, not the application ID.
resource "azurerm_role_assignment" "storage_app_access_new" {
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = module.ad_application.object_id # object id of the service principal
  scope                = module.storage_account.id
}
I don't know what you have in that module, so I cannot tell whether it has a key like this. You need to check how to get the object ID from that module.
With the az cli you would get it like this:
az ad sp show --id <app-id> --query objectId -o tsv
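An added example (not from the answer) that resolves the object id inside Terraform instead of the az cli, assuming azuread 2.x, the page's module.storage_account, and a placeholder client id; the output shows the three GUIDs that are easy to confuse.

```hcl
# Assumed placeholder: the Application (client) ID from the app registration.
variable "storage_app_client_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000"
}

# One app registration has three different GUIDs:
#   application (client) id     -> what goes into ARM_CLIENT_ID
#   application object id       -> the registration object in the directory
#   service principal object id -> the only one RBAC accepts as principal_id
data "azuread_application" "storage_app" {
  application_id = var.storage_app_client_id
}

data "azuread_service_principal" "storage_app" {
  application_id = var.storage_app_client_id
}

resource "azurerm_role_assignment" "storage_app_access_new" {
  role_definition_name = "Storage Blob Data Contributor"
  # Service principal object id, never the application's id or object id.
  principal_id         = data.azuread_service_principal.storage_app.object_id
  scope                = module.storage_account.id
}

# Compare these after `terraform apply` to see which value the module was handing out.
output "storage_app_ids" {
  value = {
    client_id            = data.azuread_application.storage_app.application_id
    app_object_id        = data.azuread_application.storage_app.object_id
    service_principal_id = data.azuread_service_principal.storage_app.object_id
  }
}
```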
We deploy resources in our Azure tenant through Jenkins, which uses Terraform to provision infra resources.
We use a service principal for authentication and infra provisioning, and both are in the same tenant. In our infra deployment we also create VNET peering between the new VNet that gets deployed and our central VNET, which has all the infra resources like the monitoring and logging platform.
Now we have a use case where, using the same Jenkins and Terraform scripts, we want to provision resources in a different tenant. This can be done by using the service principal of the remote tenant.
But now the issue is that the service principal of TenantB does not have rights to create network resources in TenantA. To make this happen, the service principal of TenantB should have access to the VNet in TenantA.
I am looking for documentation or guidance on how we can give access to the service principal of TenantB in our TenantA.
Assuming you have created a service principal using multi-tenant authentication (if single-tenant, please change the authentication method to multi-tenant), add a redirect URI https://www.microsoft.com.
After you have created the service principal you can open the below URL in a private browser to add it to another tenant:
https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Application (client in tenant A) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
It will ask for authorization on behalf of the organization; you can accept it.
After the above is done, you can log in to the portal of that tenant and go to Enterprise applications, where you will see it; provide a role assignment for that subscription (Owner/Contributor).
After this is done you can use something like the below Terraform script:
provider "azurerm" {
  alias                = "tenantA"
  subscription_id      = "b83c1ed3-xxxxx-xxxxxx-xxxxxx-xxxxxx"  # sub id of tenant A
  tenant_id            = "72f988bf-xxxxxx-xxxxx-xxxxxxx-xxxxxx" # tenant id of tenant A
  client_id            = "f6a2f33d-xxxx-xxxx-xxxxx-xxxxxxxx"    # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxx"   # client secret of service principal in tenant A (redacted; keep real secrets out of source, e.g. ARM_CLIENT_SECRET or a sensitive variable)
  auxiliary_tenant_ids = ["ab078f81-xxxxxx-xxxxxxxx-xxxxxx"]    # tenant id of tenant B
  features {}
}

provider "azurerm" {
  alias                = "tenantB"
  subscription_id      = "88073b30-xxx-xxxxx-xxxxx-xxxxxxx"     # sub id of tenant B
  tenant_id            = "ab078f81-xxxxx-xxxxxxx-xxxxxxxxx"     # tenant id of tenant B
  client_id            = "f6a2f33d-xxxx-xxxxxx-xxxxxx-xxxxxx"   # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxxx"  # client secret of service principal in tenant A (redacted)
  auxiliary_tenant_ids = ["72f988bf-xxxx-xxxxx-xxxxxxxxxx-xx"]  # tenant id of tenant A
  features {}
}

data "azurerm_resource_group" "tenantARG" {
  provider = azurerm.tenantA
  name     = "reswourcegroup"
}

data "azurerm_resource_group" "tenantBRG" {
  provider = azurerm.tenantB
  name     = "ansuman-resourcegroup"
}

data "azurerm_virtual_network" "GlobalVnet" {
  provider            = azurerm.tenantA
  name                = "ansuman-vnet"
  resource_group_name = data.azurerm_resource_group.tenantARG.name
}

data "azurerm_virtual_network" "tenantBVnet" {
  provider            = azurerm.tenantB
  name                = "test-vnet"
  resource_group_name = data.azurerm_resource_group.tenantBRG.name
}

# Peering must be created from both sides; each half uses the provider of its own tenant.
resource "azurerm_virtual_network_peering" "example-1" {
  provider                  = azurerm.tenantA
  name                      = "peer1to2"
  resource_group_name       = data.azurerm_resource_group.tenantARG.name
  virtual_network_name      = data.azurerm_virtual_network.GlobalVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.tenantBVnet.id
}

resource "azurerm_virtual_network_peering" "example-2" {
  provider                  = azurerm.tenantB
  name                      = "peer2to1"
  resource_group_name       = data.azurerm_resource_group.tenantBRG.name
  virtual_network_name      = data.azurerm_virtual_network.tenantBVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.GlobalVnet.id
}
Note: In my test case, I used 2 VNets present in different tenants. I created a service principal in tenant A, provided Contributor permissions to it in tenant B using the above method, and then used Terraform to perform the VNet peering.
"Register an application with the Microsoft identity platform" can be found here.
Each time I redeploy the application, the registration is deleted from the identity platform, and I don't want to do the registration again by clicking around in the portal.
Can I do this via Terraform Azure provider code?
You could use the Terraform Azure Active Directory provider to manage it. You could refer to the samples in this blog for more details.
For example, you may want to register a basic application, associate it with a service principal, and then assign a Contributor role to it.
# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "primary" {
}

# Create an application
resource "azuread_application" "example" {
  display_name = "example"
}

# Create a service principal
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Assign a Contributor role (the principal is the service principal's object id, not the application's)
resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example.object_id
}
Hi, I'm currently working on trying to figure out how to assign an application as Contributor within a specific resource group in Azure with Terraform.
Any working examples are much appreciated.
If you want to assign a given principal (user or application) to a given role with Terraform, you can use azurerm_role_assignment together with the data sources azurerm_resource_group and azurerm_client_config.
Example usage: assign the built-in Contributor role within a specific resource group.
# The data source requires the name of an existing resource group.
data "azurerm_resource_group" "primary" {
  name = "<resource-group-name>"
}

# Identity that terraform is currently authenticated as (here: a service principal).
data "azurerm_client_config" "test" {}

resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_resource_group.primary.id
  role_definition_name = "Contributor"
  principal_id         = data.azurerm_client_config.test.object_id
}