I need to implement nested for_each loops to define service accounts as a map(object): what to create, and the visibility, i.e. who will have access to the secret stored in Azure Key Vault (set up for RBAC) that contains their password.
I checked several articles and tried applying them, but could not make it work. The problem here is getting a separate principal_id when for_each is already in use.
Variable definition:
variable "user_collection" {
  type = map(object({
    name      = string,
    role      = string,
    namespace = string,
    warehouse = string,
    ## What user (ObjectID within AAD should have access to generated password)
    visibility = list(string)
  }))
}
Providing the values; here I am trying to give two people access to the user's password:
module "SVC_USERS" {
  source = "./user-module"
  user_collection = {
    user_1 = {
      name       = "TEST_SVC_1"
      namespace  = "ADMINISTRATION"
      role       = "PUBLIC"
      warehouse  = "ADMIN_WH"
      visibility = ["b9ad7db3-ea64-4815-aad5-a5a72b5bbee9", "d634ebdf-6928-427c-9678-fc3bad8eccc4"]
    }
  }
}
Setting up role-based access to the created secret:
# Provide access to see generated passwords for key users
resource "azurerm_role_assignment" "secret_access_provision" {
  for_each             = var.user_collection
  scope                = "${module.variables.keyVault-id}/secrets/${replace(each.value["name"], "_", "-")}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = each.value.visibility
}
If I understand correctly, I believe you need to flatten the product of the user objects with each visibility id. I believe you can do it like this.
Note: I have shown an abbreviated version of user_collection as a local, but you can substitute local.user_collection with var.
locals {
  user_collection = {
    user_1 = {
      name       = "TEST_SVC_1"
      visibility = ["b9ad7db3-ea64-4815-aad5-a5a72b5bbee9", "d634ebdf-6928-427c-9678-fc3bad8eccc4"]
    }
  }
  user_vis = flatten([
    for user, cfg in local.user_collection : [
      for id in cfg.visibility : {
        user = user
        cfg  = cfg
        id   = id
      }
    ]
  ])
}
Then you can do something like this:
resource "azurerm_role_assignment" "secret_access_provision" {
  for_each             = { for uv in local.user_vis : "${uv.user}-${uv.id}" => uv }
  scope                = "${module.variables.keyVault-id}/secrets/${replace(each.value.cfg.name, "_", "-")}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = each.value.id
}
where each user/visibility combination will get one azurerm_role_assignment.
Since I cannot get a test Azure output for clarification, I created this output to illustrate.
output "user_vis" {
  value = { for uv in local.user_vis : "${uv.user}-${uv.id}" => uv }
}
which gives:
Changes to Outputs:
  + user_vis = {
      + user_1-b9ad7db3-ea64-4815-aad5-a5a72b5bbee9 = {
          + cfg  = {
              + name       = "TEST_SVC_1"
              + visibility = [
                  + "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9",
                  + "d634ebdf-6928-427c-9678-fc3bad8eccc4",
                ]
            }
          + id   = "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9"
          + user = "user_1"
        }
      + user_1-d634ebdf-6928-427c-9678-fc3bad8eccc4 = {
          + cfg  = {
              + name       = "TEST_SVC_1"
              + visibility = [
                  + "b9ad7db3-ea64-4815-aad5-a5a72b5bbee9",
                  + "d634ebdf-6928-427c-9678-fc3bad8eccc4",
                ]
            }
          + id   = "d634ebdf-6928-427c-9678-fc3bad8eccc4"
          + user = "user_1"
        }
    }
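Putting the question's full variable and the answer's flatten together on the module side, as an added example (not code from either poster). It assumes this lives in the module's own main.tf and keeps the module.variables.keyVault-id reference from the question; it adds variable validation so a malformed or duplicate visibility object ID is rejected at plan time, before any per-secret role assignment is attempted.

```hcl
# Assumed module file: ./user-module/main.tf (constructed for this example)
variable "user_collection" {
  type = map(object({
    name       = string
    role       = string
    namespace  = string
    warehouse  = string
    visibility = list(string) # AAD object IDs allowed to read the generated password
  }))

  # Every principal must look like an AAD object ID (GUID); anything else would
  # only fail later, during apply, when the role assignment is created.
  validation {
    condition = alltrue([
      for cfg in values(var.user_collection) : alltrue([
        for id in cfg.visibility :
        can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", id))
      ])
    ])
    error_message = "Every visibility entry must be an AAD object ID (GUID)."
  }

  # Duplicate IDs for one user would produce duplicate for_each keys below.
  validation {
    condition = alltrue([
      for cfg in values(var.user_collection) :
      length(cfg.visibility) == length(distinct(cfg.visibility))
    ])
    error_message = "visibility must not list the same object ID twice for one user."
  }
}

locals {
  # One element per (user, principal) pair. The key "<user>-<id>" is stable, so
  # removing a single principal destroys only that principal's assignment.
  user_vis = {
    for pair in flatten([
      for user, cfg in var.user_collection : [
        for id in cfg.visibility : { user = user, cfg = cfg, id = id }
      ]
    ]) : "${pair.user}-${pair.id}" => pair
  }
}

# Scope is the individual secret, not the whole vault: each principal can only
# read the password of the service account it was listed under.
resource "azurerm_role_assignment" "secret_access_provision" {
  for_each             = local.user_vis
  scope                = "${module.variables.keyVault-id}/secrets/${replace(each.value.cfg.name, "_", "-")}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = each.value.id
}
```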