I am deploying resources to Azure with Terraform. I want to assign roles to AD users by using their email address. In the azurerm_role_assignment resource, only the object id of the user can be used. I have tried it with email but it logically fails.
resource "azurerm_role_assignment" "example" {
scope = data.azurerm_subscription.primary.id
role_definition_name = "Reader"
principal_id = data.azurerm_client_config.example.object_id
}
With Az PowerShell, the role can be assigned with the user's sign-in name: New-AzRoleAssignment -SignInName <userupn>.
Is there a way to do it with Terraform?
I have found the answer. The azuread_users data source can be used as a solution:
data "azuread_users" "wvd_user" {
  user_principal_names = ["kat@hashicorp.com"]
}
resource "azurerm_role_assignment" "rbac_wvd" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_users.wvd_user.object_ids[0]
}
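Generalizing the answer above to a whole list of users, as an added example that is not part of the original answer: each UPN is resolved with the azuread_user data source and gets its own Reader assignment keyed by that UPN, so removing one address from the list only destroys that user's assignment on the next plan. The UPNs are constructed sample values, and the azuread and azurerm providers are assumed to be configured.

```hcl
# Constructed sample UPNs; replace with the users you want to grant access to.
variable "reader_upns" {
  type    = list(string)
  default = ["alice@example.com", "bob@example.com"]
}

data "azurerm_subscription" "primary" {}

# One directory lookup per UPN (azuread provider); the resulting map is keyed by the UPN.
data "azuread_user" "readers" {
  for_each            = toset(var.reader_upns)
  user_principal_name = each.value
}

# One role assignment per resolved user, keyed by the same UPN, so the plan
# shows exactly which user gains or loses the role.
resource "azurerm_role_assignment" "readers" {
  for_each             = data.azuread_user.readers
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = each.value.object_id
  principal_type       = "User"
}

# The object IDs that were resolved, handy for checking the plan against the directory.
output "reader_object_ids" {
  value = { for upn, u in data.azuread_user.readers : upn => u.object_id }
}
```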
Is there a way to add an RBAC role for a user-assigned managed identity on multiple resource groups via automation (CLI, PowerShell, Terraform etc.)? It would save me the time of manually adding the permissions on multiple resource groups.
I started with this, which gets me an object ID of the Managed identity.
az resource list -g "RG Name" --query "[?identity!=null].{name: name, objectIds: identity.principalId}"
Thanks!
"RBAC role for a user-assigned managed identity on multiple resource groups via automation (CLI, PowerShell, Terraform etc)."
Here is the code for RBAC role assignments with the different tools: CLI, PowerShell and Terraform.
CLI:
az role assignment create --role
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {ForeignGroup, Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--resource-group]
[--scope]
PowerShell:
New-AzRoleAssignment
-ObjectId <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-Description <String>]
[-Condition <String>]
[-ConditionVersion <String>]
[-ObjectType <String>]
[-AllowDelegation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Terraform:
data "azurerm_subscription" "primary" {
}
data "azurerm_client_config" "example" {
}
resource "azurerm_role_definition" "example" {
  role_definition_id = "00000000-0000-0000-0000-000000000000" # placeholder GUID
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id
  permissions {
    actions     = ["Microsoft.Resources/subscriptions/resourceGroups/read"]
    not_actions = []
  }
  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}
resource "azurerm_role_assignment" "example" {
  name               = "00000000-0000-0000-0000-000000000000" # placeholder GUID
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = data.azurerm_client_config.example.object_id
}
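The question asked about several resource groups, which the answer's snippet does not cover; the following is an added example (not the answer's code) that looks the user-assigned identity up once and creates one assignment per resource group with for_each. The identity and resource group names are constructed placeholders.

```hcl
# Constructed resource group names; replace with your own.
variable "target_resource_groups" {
  type    = list(string)
  default = ["rg-app-dev", "rg-app-test", "rg-app-prod"]
}

# Existing user-assigned managed identity (name and resource group are assumed).
data "azurerm_user_assigned_identity" "app" {
  name                = "uai-app"
  resource_group_name = "rg-identity"
}

# Resolve each target resource group to its ARM ID, which is the assignment scope.
data "azurerm_resource_group" "targets" {
  for_each = toset(var.target_resource_groups)
  name     = each.value
}

# One assignment per resource group, keyed by its name. Scoping at the resource
# group rather than the subscription keeps the identity's rights to what it needs.
resource "azurerm_role_assignment" "app_reader" {
  for_each             = data.azurerm_resource_group.targets
  scope                = each.value.id
  role_definition_name = "Reader"
  principal_id         = data.azurerm_user_assigned_identity.app.principal_id
  principal_type       = "ServicePrincipal"
}

# Map of resource group name to the assignment ID that was created there.
output "app_reader_assignments" {
  value = { for rg, a in azurerm_role_assignment.app_reader : rg => a.id }
}
```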
I want to assign a User Assigned Managed Identity to the VMSS created in the MC resource group so that all the pods created in K8S have access to the associated Key Vault.
I have done it through a PowerShell script. Here's the script:
$aksNodeVmss = Get-AzVmss -ResourceGroupName "$aksMcRg"
Update-AzVmss -ResourceGroupName $aksMcRg -Name $aksNodeVmss.Name -IdentityType UserAssigned -IdentityID $id
But I want to do it in Terraform, and I'm unable to find a solution to it.
The VMSS identity is the kubelet identity of your node pool. AKS nowadays supports "bring your own" kubelet identity when creating the cluster, so there is no need to update the identities afterwards.
resource "azurerm_user_assigned_identity" "kubelet" {
  name                = "uai-kubelet"
  location            = <YOUR_LOCATION>
  resource_group_name = <YOUR_RG>
}
resource "azurerm_user_assigned_identity" "aks" {
  name                = "uai-aks"
  location            = <YOUR_LOCATION>
  resource_group_name = <YOUR_RG>
}
# This can also be a custom role with Microsoft.ManagedIdentity/userAssignedIdentities/assign/action allowed
resource "azurerm_role_assignment" "this" {
  scope                = <YOUR_RG> # resource group ID
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}
Then assign the identity to the kubelet:
resource "azurerm_kubernetes_cluster" "aks" {
  ...
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }
  kubelet_identity {
    client_id                 = azurerm_user_assigned_identity.kubelet.client_id
    object_id                 = azurerm_user_assigned_identity.kubelet.principal_id
    user_assigned_identity_id = azurerm_user_assigned_identity.kubelet.id
  }
}
Trying to create an ACR and integrate it with an existing AKS cluster.
Below is the resource block where I will be doing the role assignment (User Assigned Managed Identity) to the AKS node pool, and a data block to fetch the existing AKS details:
# Create Resource Group
resource "azurerm_resource_group" "acr_rg" {
  location = var.location
  name     = "${var.global-prefix}-${var.repo-id}-rg"
}
# Create ACR Registry for Powerme
resource "azurerm_container_registry" "acr" {
  name                = var.repo-id
  resource_group_name = azurerm_resource_group.acr_rg.name
  location            = azurerm_resource_group.acr_rg.location
  sku                 = "Premium"
  admin_enabled       = true # shared admin credential; not needed once the kubelet identity holds AcrPull
}
# Fetching AKS details for integration with ACR
data "azurerm_kubernetes_cluster" "aks_cluster" {
  resource_group_name = var.aks_rg
  name                = var.k8s_cluster
}
# Role assignment of the VMSS (kubelet identity) to ACR
resource "azurerm_role_assignment" "acrpull_role" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azurerm_kubernetes_cluster.aks_cluster.kubelet_identity[0].object_id
}
Error:
$ terraform plan
╷
│ Error: Error: Managed Kubernetes Cluster "mycluster" was not found in Resource Group "myresource"
│
│ with data.azurerm_kubernetes_cluster.aks_cluster,
│ on acr.tf line 17, in data "azurerm_kubernetes_cluster" "aks_cluster":
│ 17: data "azurerm_kubernetes_cluster" "aks_cluster" {
╵
If you have access to multiple subscriptions, please ensure you set the subscription that has the AKS cluster and the resource group by using the command below:
az account set --subscription "your subscription you want to use"
After the subscription is set, you will be able to get the AKS cluster and resource group using the same code.
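A Terraform-side alternative to switching the CLI context, added here as an example and not part of the answer: a second azurerm provider configuration with an alias pointing at the subscription that holds the cluster, used only by the data source. The subscription ID is a placeholder, the variables are declared here for completeness, and azurerm_container_registry.acr is the registry from the question above; the identity running Terraform needs read access to the cluster in that other subscription.

```hcl
provider "azurerm" {
  features {}
}

# Second configuration for the subscription that holds the AKS cluster.
# The subscription ID is a placeholder.
provider "azurerm" {
  alias           = "aks"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  features {}
}

variable "aks_rg" {
  type = string
}

variable "k8s_cluster" {
  type = string
}

# Read the cluster through the aliased provider instead of az account set.
data "azurerm_kubernetes_cluster" "aks_cluster" {
  provider            = azurerm.aks
  resource_group_name = var.aks_rg
  name                = var.k8s_cluster
}

# The kubelet identity is an Entra ID object in the same tenant, so it can be
# granted AcrPull on a registry that lives in the default provider's subscription.
resource "azurerm_role_assignment" "acrpull_role" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azurerm_kubernetes_cluster.aks_cluster.kubelet_identity[0].object_id
  principal_type       = "ServicePrincipal"
}
```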
I would like to create an ADF and a storage account using Terraform, which I know how to do. After this I want to give the ADF identity access to the storage account. I can do this using PowerShell, but there will be idempotency issues when I use PowerShell. Is it possible to implement the access with Terraform itself, without using PowerShell?
You should create an azurerm_role_assignment to grant ADF access to the Azure Storage account.
Kindly check the example below. This code snippet assigns the Storage Blob Data Reader role to the ADF.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
resource "azurerm_data_factory" "example" {
  name                = "example524657"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_storage_account" "example" {
  name                     = "examplestr524657"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "RAGRS"
}
resource "azurerm_role_assignment" "example" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_data_factory.example.identity[0].principal_id
}
Is there any way to get the value of a secret from Azure Key Vault?
It doesn't look like the value gets exposed in the key vault secret object here.
Now you can do it with the azurerm_key_vault_secret data source.
I'm enjoying it without any scripting.
data "azurerm_key_vault" "example" {
  name                = "mykeyvault"
  resource_group_name = "some-resource-group"
}
data "azurerm_key_vault_secret" "test" {
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.example.id
  # vault_uri is deprecated in the latest azurerm; use key_vault_id instead.
  # vault_uri = "https://mykeyvault.vault.azure.net/"
}
output "secret_value" {
  value = data.azurerm_key_vault_secret.test.value
  # The value attribute is marked sensitive, so Terraform 0.15+ rejects this output
  # unless it is flagged sensitive too; read it with `terraform output -raw secret_value`.
  # The plaintext is also written to the state file, so protect the state backend accordingly.
  sensitive = true
}
You first need to create a data resource for the Azure Key Vault to get the key vault resource ID:
data "azurerm_key_vault" "keyvault" {
  name                = var.keyvault_name
  resource_group_name = var.resourcegroup_name
}
And then use azurerm_key_vault_secret to get the secret with the key vault resource ID:
data "azurerm_key_vault_secret" "win_admin_pass" {
  name         = var.secret_name
  key_vault_id = data.azurerm_key_vault.keyvault.id
}
Please note that the use of vault_uri in azurerm_key_vault_secret is deprecated and not recommended.
I've been working on this to get a password from a key vault secret. The code below worked for me, give it a try.
data "azurerm_key_vault" "terrakv" {
  name                = "terrakv" // Key Vault name
  resource_group_name = "mykv"    // resource group
}
data "azurerm_key_vault_secret" "kvsecret" {
  name         = "secret" // name of the secret
  key_vault_id = data.azurerm_key_vault.terrakv.id
}
// os_profile sits inside the azurerm_virtual_machine resource
os_profile {
  computer_name  = "vm-01"
  admin_username = "testadmin"
  admin_password = data.azurerm_key_vault_secret.kvsecret.value // to get the actual value
}
I hope it will help you.
Is there any way to get the value of a secret from Azure Key Vault?
As a workaround, we can use PowerShell to get this value, like this:
$a = Get-AzureKeyVaultSecret -VaultName "jasonkey" -Name "jason"
$a.SecretValueText
Unfortunately, this is not currently possible in Terraform. Terraform will only output the secret ID and version. If you need to retrieve azure keyvault secrets, the best method is to use the Azure-CLI, or Powershell if that's not available.
Using Azure-CLI (2.0)
az keyvault secret show --vault-name <vault-name> --name <secret-name>
Syntax:
az keyvault secret show --name
--vault-name
[--version]
For more, see: Managing Azure Key Vault Secrets with Azure-CLI
Using Powershell: Get-AzureKeyVaultSecret
get-azurekeyvaultsecret -vaultName "<vault-name>" -name "<secret-name>"
I have a key vault and I need a few secrets from it, so this is my approach.
I've used the for_each approach:
data "azurerm_key_vault" "keyvault_devops" {
  name                = "keyVaultName"
  resource_group_name = "resourceGroupName"
}
# Lists the names of all secrets in the vault
data "azurerm_key_vault_secrets" "global_devops" {
  key_vault_id = data.azurerm_key_vault.keyvault_devops.id
}
# One lookup per secret name, keyed by that name
data "azurerm_key_vault_secret" "global_devops" {
  for_each     = toset(data.azurerm_key_vault_secrets.global_devops.names)
  name         = each.key
  key_vault_id = data.azurerm_key_vault.keyvault_devops.id
}
Then I use it like this:
value = data.azurerm_key_vault_secret.global_devops["secret-name"].value