在terraform Azure服务器中,我已将ip列入白名单,但除了管理员登录之外,无法访问服务器。是否需要额外的配置/角色来允许我缺少的active directory访问?
脚本:
# Create Server using keyvault secrets for user/pw
resource "azurerm_sql_server" "sqlserver" {
name = "sql-${var.suffix}"
resource_group_name = var.resource_group_name
location = var.location
version = "12.0"
administrator_login = data.azurerm_key_vault_secret.sqlserverusr.value
administrator_login_password = data.azurerm_key_vault_secret.sqlserverpw.value
}
# Create SQL Server firewall rule for Azure resouces access
resource "azurerm_sql_firewall_rule" "azureservicefirewall" {
name = "allow-azure-service"
resource_group_name = var.resource_group_name
server_name = azurerm_sql_server.sqlserver.name
start_ip_address = "0.0.0.0"
end_ip_address = "0.0.0.0"
}
当您在SQL server防火墙中设置start_ip_address = "0.0.0.0"
和end_ip_address = "0.0.0.0"
时,实际上它将允许Azure服务和资源访问此服务器设置为Yes
。这意味着你的服务器接受来自Azure边界内任何子网的通信,即来自被识别为Azure数据中心定义范围内的IP地址之一的通信。
如果要从Internet访问SQL server,则需要添加客户端的公共IP地址。然后改成这样:
start_ip_address = "73.118.x.x"
end_ip_address = "73.118.x.x"
如果要将用户或组设置为Azure SQL server的AD管理员,可以使用azurerm_SQL_active_directory_administrator
data "azurerm_client_config" "current" {}
resource "azurerm_sql_active_directory_administrator" "example" {
server_name = azurerm_sql_server.sqlserver.name
resource_group_name = azurerm_resource_group.example.name
login = "sqladmin"
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
}
无论使用何种身份验证方法,您仍然需要确保网络连接成功。