azureazure-active-directoryterraformrbacazure-rm
Assign Azure RBAC to Azure AD security group on resource group level
I am trying to figure out how to assign a built-in role from azure to an azure ad group I am creating. However I don't not understand the logic while reading the documentation.
Here's my terraform code:
az-rbac.tf
data "azurerm_subscription" "current" {
}
output "current_subscription_display_name" {
value = data.azurerm_subscription.current.display_name
}
data "azurerm_client_config" "azuread_sg_cns" {
}
resource "azurerm_role_assignment" "reader-rbac" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Reader"
principal_id = data.azuread_group.azuread_sg_cns.object_id
}
main.tf
terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>2.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2.15.0"
}
}
}
#Configure the Azure Resource Management Provider
provider "azurerm" {
subscription_id = var.azure_subscription_id
tenant_id = var.azure_tenant_id
features {}
}
# Configure the Azure Active Directory Provider
provider "azuread" {
tenant_id = var.azure_tenant_id
}
#create azure active directory group
data "azuread_client_config" "current" {}
resource "azuread_group" "azuread_sg" {
display_name = var.azure_sg_name
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure active directory group cns
resource "azuread_group" "azuread_sg_cns" {
display_name = var.azuread_sg_cns
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create cost reader group
resource "azuread_group" "azuread_sg_cost-mgmt" {
display_name = var.azuread_sg_cost-mgmt
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
}
#create azure resource group
resource "azurerm_resource_group" "rg" {
name = var.azure_rg_name
location = var.azure_resource_group_location
}
#create azure key vault
resource "azurerm_key_vault" "akv" {
name = lower("${var.azure_project_code}-${var.azure_env_code}-akv-01")
location = var.azure_resource_group_location
resource_group_name = azurerm_resource_group.rg.name
enabled_for_disk_encryption = true
tenant_id = var.azure_tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
}
resource "azurerm_storage_account" "sa" {
name = lower("${var.azure_project_code}${var.azure_env_code}sa01")
resource_group_name = azurerm_resource_group.rg.name
location = var.azure_resource_group_location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_storage_container" "ctnr" {
name = lower("${var.azure_project_code}${var.azure_env_code}ctnr01")
storage_account_name = azurerm_storage_account.sa.name
container_access_type = "private"
}
variable.tf
variable "azure_resource_group_location" {
default = "west europe"
description = "Location of the resource group."
}
variable "azure_subscription_id" {
type = string
description = "Azure Subscription Id"
}
variable "azure_tenant_id" {
type = string
description = "Azure Tenant Id"
}
variable "azure_sg_name" {
type = string
description = "Azure AD Security Group Name"
}
variable "azuread_sg_cns" {
type = string
description = "Azure AD Security Group Name CNS"
}
variable "azuread_sg_cost-mgmt" {
type = string
description = "Azure AD Security Group Name Cost Mgmt"
}
variable "azure_rg_name" {
type = string
description = "Azure Resource Group Name"
}
variable "azure_client_code" {
type = string
description = "Azure Client code"
}
variable "azure_project_code" {
type = string
description = "Azure Project Code"
}
variable "azure_env_code" {
type = string
description = "Azure Environment Code"
}
env.tfvars
#Azure tenant id
azure_tenant_id ="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure subscription
azure_subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
#Azure resource group location
azure_resource_group_location = "west europe"
# #Azure ad Sg
azure_sg_name = "sg - eu-dev-test-testproject"
# #Azure ad Sg CNS
azuread_sg_cns = "sg -cns - eu-dev-test-testproject"
#Azure Cost Reader
azuread_sg_cost-mgmt = "sg - Cost Reader - eu-dev-test-testproject"
#Azure RG name
azure_rg_name = "eu-dev-test-testproject"
#Azure project code
azure_project_code = "testproject"
#Azure client code
azure_client_code = "test"
#Environement code : sbx, dev, ppd, prd
azure_env_code="dev"
So I tried to create multiples resources such as:
- azure resource group
- azure key vault
- azure storage account with 1 container
- azure security group x3
My expectation is to have the cns sg group to get reader role on the created resource group. But I keep failing as I don't understand how to make my code understand it has to assign the role to the resource group level to the security group cns I am creating while running the code.
Here's the error message with the current code:
Solution
My expectation is to have the cns sg group to get reader role on the created resource group.
Thanks to Kombajn zbożowy for suggesting same.
If you are using resource block for creation of azure ad group but calling it as data.azuread_group, which is not declared.
You can use the following Terraform code to assign the Reader role to a group at the resource group level.
provider "azurerm" {
subscription_id = "a34e2b59-xxxxxxxxx-b4a8-ebdc1f96c865"
tenant_id = "89xxxxx-xxxxxxxxx-55277a8d958a"
features {}
}
provider "azuread" {
tenant_id = "xxxxxxxxxxxxxxxxx-55277a8d958a"
}
data "azurerm_client_config" "azuread_sg_cns" {
}
resource "azurerm_resource_group" "venkat-rg"{
name = "venkat-RG"
location = "eastus"
}
resource "azuread_group" "azuread_sg_cns" {
display_name = "azuread_sg_cns"
security_enabled = true
}
resource "azurerm_role_assignment" "reader-rbac" {
scope = azurerm_resource_group.venkat-rg.id
role_definition_name = "Reader"
principal_id = azuread_group.azuread_sg_cns.object_id
}
Terraform plan:
Terraform apply:
Once ran the above code resources are created and Reader role are also applied to the group.
