1
votes

[email protected] & [email protected] are e-mail addresses of our organization. These emails are also used as the Azure login accounts. I've set up Terraform code to use Azure AD to access the VM in Azure. My question is: how can I grant those accounts the role of Virtual Machine User Login?

resource "azurerm_role_assignment" "test" {
  scope              = "${data.azurerm_management_group.primary.id}"
  role_definition_id = "Virtual Machine User Login"
  principal_id       = "[email protected], [email protected]"
}

The official documentation says principal_id is the ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Isn't the email address the ID of the user?

1

1 Answer

2
votes

The principal_id should be the Object ID of the user.

1. Navigate to the Azure Active Directory in the portal -> Users -> search by the user principal name (email address in your case).

2. Click the user, then you can find the Object ID.

If you want to assign the role to a list of users, you could use the code below. In my sample, there are two users with Object ID 65c66b3xxxxxxa623338 and c098bc79xxxxxx58cb26e.

# Subscription used as the scope of the role assignments
data "azurerm_subscription" "primary" {}

data "azurerm_client_config" "test" {}

# Object IDs of the users that should receive the role
variable "ids" {
  type    = list(string)
  default = ["65c66b3xxxxxxa623338", "c098bc79xxxxxx58cb26e"]
}

# One role assignment per Object ID
resource "azurerm_role_assignment" "test" {
  count                = length(var.ids)
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = element(var.ids, count.index)
}
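
The Object ID lookup described in this answer can also be done inside Terraform, so the configuration keeps the sign-in addresses and never hard-codes Object IDs. The following is an added example, not code from the question or the answer. It assumes the `azuread` provider is configured alongside `azurerm`; the variable names and sample addresses are hypothetical, and the role is scoped to a single VM rather than to the management group or subscription used above.

```hcl
# Added example: variable names and sample UPNs are constructed placeholders.
variable "vm_login_upns" {
  description = "User principal names (sign-in addresses) allowed to log in to the VM"
  type        = list(string)
  default     = ["alice@example.com", "bob@example.com"]
}

variable "vm_id" {
  description = "Resource ID of the target VM (narrowest scope that still grants login)"
  type        = string
}

# Resolve each UPN to its directory object.
# A UPN that does not exist in the tenant fails the plan instead of
# silently producing an assignment for the wrong principal.
data "azuread_user" "vm_login" {
  for_each            = toset(var.vm_login_upns)
  user_principal_name = each.value
}

# One assignment per user, keyed by UPN, so removing an address from the
# list destroys only that user's assignment and leaves the others untouched.
resource "azurerm_role_assignment" "vm_login" {
  for_each             = data.azuread_user.vm_login
  scope                = var.vm_id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = each.value.object_id
}

# UPN -> Object ID mapping, useful when reviewing who holds the role.
output "vm_login_object_ids" {
  value = { for upn, user in data.azuread_user.vm_login : upn => user.object_id }
}
```

For guest accounts the user principal name differs from the mail address, so the lookup has to use the UPN shown in the directory, not the external e-mail.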