Hi, I'm currently trying to figure out how to assign an application as Contributor within a specific resource group in Azure with Terraform.
Any working examples are much appreciated.
If you want to assign a given principal (user or application) to a given role with Terraform, you can use azurerm_role_assignment together with the data sources azurerm_resource_group and azurerm_client_config.
Example usage, assigning the built-in Contributor role within a specific resource group:
# The existing resource group that becomes the assignment scope
# ("name" is required by this data source; the original snippet left it out).
data "azurerm_resource_group" "primary" {
  name = "<your resource group name>"
}
# The identity Terraform is currently running as (your service principal).
data "azurerm_client_config" "test" {}
resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_resource_group.primary.id
  role_definition_name = "Contributor"
  # object_id replaced the older service_principal_object_id attribute in azurerm 2.x
  principal_id         = data.azurerm_client_config.test.object_id
}
I need to add an Azure Key Vault read access right to an Azure App Service.
resource "azurerm_role_assignment" "this" {
  scope                = data.azurerm_key_vault.this.id
  principal_id         = azurerm_linux_web_app.this.identity[0].principal_id
  role_definition_name = "Reader" # Seems not correct
}
Where can I find the correct role_definition_name for the different resource types in Terraform? I think the role name is different between Azure Container Registry and Azure Key Vault?
I found the role-based access control roles on this page, but can I use these role names directly? For example:
role_definition_name = "Key Vault Secrets User"
You can have a look at the Azure built-in RBAC roles.
It would come down to:
resource "azurerm_role_assignment" "this" {
  scope                = data.azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.this.identity[0].principal_id
}
This will only work for key vaults that use the Azure role-based access control permission model.
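The permission-model caveat in this answer is the part that bites in practice, so here is an added example (not from the question or the answer above) that builds a vault, a Linux web app with a system-assigned identity, and then grants secret access under whichever model the vault uses: a data-plane role assignment when Azure RBAC is enabled, an access policy otherwise. The resource names, the `key_vault_rbac` variable and the SKUs are assumptions.

```hcl
variable "key_vault_rbac" {
  description = "true: Azure RBAC permission model; false: legacy access-policy model (assumed input)"
  type        = bool
  default     = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "kv-example-rg" # assumed name
  location = "West Europe"
}

resource "azurerm_key_vault" "this" {
  name                = "kv-example-0001" # assumed; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  # Selects the permission model. Data-plane role names such as
  # "Key Vault Secrets User" only take effect when this is true.
  # (azurerm 4.x renames this argument to rbac_authorization_enabled.)
  enable_rbac_authorization = var.key_vault_rbac
}

resource "azurerm_service_plan" "example" {
  name                = "kv-example-plan" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_linux_web_app" "this" {
  name                = "kv-example-app-0001" # assumed; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id     = azurerm_service_plan.example.id
  site_config {}

  # System-assigned managed identity; its principal_id is what receives access.
  identity {
    type = "SystemAssigned"
  }
}

# RBAC model: a data-plane role scoped to the vault. "Reader" would only give
# control-plane visibility of the vault resource, not access to its secrets.
resource "azurerm_role_assignment" "app_secrets_user" {
  count                = var.key_vault_rbac ? 1 : 0
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.this.identity[0].principal_id
}

# Access-policy model: role assignments grant nothing on the data plane here,
# so the same identity needs an access policy instead.
resource "azurerm_key_vault_access_policy" "app_secrets" {
  count        = var.key_vault_rbac ? 0 : 1
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = azurerm_linux_web_app.this.identity[0].tenant_id
  object_id    = azurerm_linux_web_app.this.identity[0].principal_id

  secret_permissions = ["Get", "List"]
}
```

Switching `key_vault_rbac` flips the vault's model and swaps which of the two grants exists, which is the check to run if an app reports 403 from Key Vault despite a role assignment that looks right.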
Using Terraform, I have to do a role assignment on a storage account and grant access to an application (which was created by an app registration and has the API permission for Azure Storage).
But when I define the role assignment as
resource "azurerm_role_assignment" "storage_app_access_new" {
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = module.ad_application.id
  scope                = module.storage_account.id
}
the apply command hangs for a long time without an error. I suspect the issue is with the principal ID. Can you help?
You need to use the object ID, not the application ID.
resource "azurerm_role_assignment" "storage_app_access_new" {
  role_definition_name = "Storage Blob Data Contributor"
  # The service principal's object ID, not the application (client) ID
  principal_id         = module.ad_application.object_id
  scope                = module.storage_account.id
}
I don't know what you have in that module, so I cannot tell whether it exposes a key like this. You need to check how to get the object ID from that module.
With the az CLI you would get it like this:
az ad sp show --id <app-id> --query objectId -o tsv
# Azure CLI 2.37+ (Microsoft Graph based) exposes the property as "id" instead:
az ad sp show --id <app-id> --query id -o tsv
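Pulling together the first answer on this page (which assigns whichever identity Terraform itself is running as) and this one (use the object ID, not the application ID): the following is an added example, not code from any of the posts, that grants an existing application Contributor on an existing resource group. It resolves the service principal from its client ID with the azuread_service_principal data source, so the object ID is never hand-copied. The variables `app_client_id` and `resource_group_name` and the provider configuration are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Assumed inputs: the application (client) ID shown on the app registration,
# and the name of the resource group that will be the assignment scope.
variable "app_client_id" {
  type = string
}

variable "resource_group_name" {
  type = string
}

data "azurerm_resource_group" "target" {
  name = var.resource_group_name
}

# The role assignment needs the service principal's *object ID*. Passing the
# application (client) ID makes the API look for a principal that does not
# exist. Recent azuread releases name this argument client_id; older ones
# used application_id.
data "azuread_service_principal" "app" {
  client_id = var.app_client_id
}

# Built-in roles are addressed by display name, e.g. "Contributor".
resource "azurerm_role_assignment" "app_contributor" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_service_principal.app.object_id
}

output "role_assignment_id" {
  value = azurerm_role_assignment.app_contributor.id
}
```

The identity running Terraform needs Microsoft.Authorization/roleAssignments/write on the resource group (Owner or User Access Administrator) to create the assignment, and directory read permission (for example Application.Read.All) for the azuread lookup; a missing directory permission surfaces as an error on the data source, not as a hang.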
I have created some resources in Azure using Terraform and a service principal:
A resource group
A virtual network
A virtual machine
Now I need to create a virtual gateway from this resource group and virtual network, but using a personal Azure account in the same organization.
How can I add my user email as an administrator of this resource group from Terraform, using the service principal credentials?
You can use the Terraform resource azurerm_role_assignment to add Owner permissions for your user on this resource group.
Example:
resource "azurerm_resource_group" "this" {
name = "example"
location = "West Europe"
}
resource "azurerm_role_assignment" "this" {
scope = azurerm_resource_group.this.id
role_definition_name = "Owner"
principal_id = "<Your user object id>"
}
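Rather than pasting the user's object ID into the configuration, the account can be resolved from its user principal name (the email the asker mentions) with the azuread_user data source. This is an added example, not part of the answer above; the `admin_upn` variable is an assumed input.

```hcl
variable "admin_upn" {
  description = "User principal name of the account to make Owner (assumed input)"
  type        = string
}

# Resolve the user to an object ID instead of copying it from the portal.
data "azuread_user" "admin" {
  user_principal_name = var.admin_upn
}

resource "azurerm_resource_group" "this" {
  name     = "example"
  location = "West Europe"
}

# Owner on the resource group lets the user create resources in it and
# also manage role assignments within it.
resource "azurerm_role_assignment" "admin_owner" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Owner"
  principal_id         = data.azuread_user.admin.object_id
}
```

For this to apply, the service principal Terraform runs as must hold Owner or User Access Administrator on the resource group (role assignment writes are not part of Contributor) and must have a directory read permission such as User.Read.All for the azuread_user lookup.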
Instructions for registering an application with the Microsoft identity platform can be found here.
Each time I redeploy the application, the registration is deleted from the identity platform, and I don't want to redo the registration by clicking around in the portal.
Can I do this via Terraform Azure provider code?
You could use the Terraform Azure Active Directory provider to manage it. You could refer to the samples in this blog for more details.
For example, you may want to register a basic application, associate it with a service principal, and then assign the Contributor role to it.
# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {}
provider "azurerm" {
features {}
}
data "azurerm_subscription" "primary" {
}
# Create an application
resource "azuread_application" "example" {
display_name = "example"
}
# Create a service principal
# (recent azuread releases rename this argument and attribute to client_id)
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}
# Assign a Contributor role
resource "azurerm_role_assignment" "test" {
scope = data.azurerm_subscription.primary.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.example.object_id
}
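Two things a practitioner usually changes in the sample above: scope the role to a resource group instead of the whole subscription, and tell the role assignment that the service principal is brand new, since a role assignment created in the same apply as its principal can fail with PrincipalNotFound while the new object replicates. The following is an added example, not code from the blog or the answer; the display name and the resource group placeholder are assumptions.

```hcl
provider "azuread" {}

provider "azurerm" {
  features {}
}

# The existing resource group the application should be able to deploy into
data "azurerm_resource_group" "target" {
  name = "<your resource group name>" # assumed input
}

resource "azuread_application" "deploy" {
  display_name = "example-deployer" # assumed name
}

# Recent azuread releases use client_id here; older ones used application_id.
resource "azuread_service_principal" "deploy" {
  client_id = azuread_application.deploy.client_id
}

resource "azurerm_role_assignment" "deploy_contributor" {
  # Resource-group scope: the application cannot touch the rest of the subscription.
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deploy.object_id
  # The service principal was created moments ago and may not have replicated
  # yet; this skips the directory check that would otherwise fail the apply.
  # Only valid when principal_id is a service principal.
  skip_service_principal_aad_check = true
}

output "deployer_client_id" {
  value = azuread_application.deploy.client_id
}
```

The client ID is all a deployment pipeline needs to identify the application; the credential itself (a client secret or a federated credential) is a separate resource and is deliberately not created here.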
I have one resource group in my Azure subscription named "demoterraform".
Now I would like to create one Windows VM in this resource group, so I don't deploy a new VM in an existing resource group.
Use the azurerm_resource_group data source.
data "azurerm_resource_group" "demo" {
name = "demoterraform"
}
In the rest of the code you can refer to it with an expression such as data.azurerm_resource_group.demo.id.
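To show the data source in use end to end, here is an added example (not from the answer above) that places a Windows VM, its NIC and a virtual network into the existing "demoterraform" group, taking both the name and the location from the data source so nothing about the group is repeated by hand. Resource names, address ranges, the VM size and the image are assumptions; the admin password comes from a sensitive variable rather than being written into the configuration.

```hcl
data "azurerm_resource_group" "demo" {
  name = "demoterraform"
}

variable "admin_password" {
  description = "Local administrator password for the VM (assumed input)"
  type        = string
  sensitive   = true
}

resource "azurerm_virtual_network" "demo" {
  name                = "demoterraform-vnet" # assumed name
  address_space       = ["10.10.0.0/16"]
  location            = data.azurerm_resource_group.demo.location
  resource_group_name = data.azurerm_resource_group.demo.name
}

resource "azurerm_subnet" "vm" {
  name                 = "vm"
  resource_group_name  = data.azurerm_resource_group.demo.name
  virtual_network_name = azurerm_virtual_network.demo.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Private IP only; no public IP is attached to the VM.
resource "azurerm_network_interface" "vm" {
  name                = "demotfvm01-nic"
  location            = data.azurerm_resource_group.demo.location
  resource_group_name = data.azurerm_resource_group.demo.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.vm.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "vm" {
  name                  = "demotfvm01" # Windows computer names are limited to 15 characters
  resource_group_name   = data.azurerm_resource_group.demo.name
  location              = data.azurerm_resource_group.demo.location
  size                  = "Standard_B2s"
  admin_username        = "azureadmin"
  admin_password        = var.admin_password
  network_interface_ids = [azurerm_network_interface.vm.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-datacenter-azure-edition"
    version   = "latest"
  }
}
```

Because the group is a data source and not a resource, `terraform destroy` removes the VM, NIC and network but leaves "demoterraform" itself in place.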