2
votes

I'm creating an Azure Virtual Machine using Terraform. But I don't know how to attach an existing rbac role to it. Is there a way to do this without creating a separate resource for role definition/attachment? If separate resource needed how to do it knowing only the rbac role name?


2 Answers

1
votes

From your comment, you want to assign an RBAC role to a user with terraform. You can do it in two steps:

Step 1: Use this data source to access information about an existing Role Definition referring to this.

data "azurerm_subscription" "primary" {}  # access the subscription the provider is logged in to

data "azurerm_role_definition" "custom" {  # access an existing custom role via role_definition_id
  # placeholder GUID: the original snippet referenced an undeclared azurerm_role_definition.custom resource
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  scope              = "${data.azurerm_subscription.primary.id}"              # /subscriptions/00000000-0000-0000-0000-000000000000
}

data "azurerm_role_definition" "custom-byname" { # access an existing custom role via name
  name  = "MyCustomRole"                           # placeholder: display name of the existing custom role
  scope = "${data.azurerm_subscription.primary.id}" # custom role names are resolved within this scope
}

data "azurerm_builtin_role_definition" "builtin" { # access an existing builtin role
  name = "Contributor"
}

Step 2: Assign the role to a specific Azure AD user. For example, if you want to assign this role to a user at the resource group level, that is, to define the scope with the resource group ID, you should have an existing resource group. You can create it with a resource "azurerm_resource_group" block or reference it with data "azurerm_resource_group", then assign a given Principal (User or Application) to a given Role with azurerm_role_assignment.

Example Usage (using a built-in Role)

data "azurerm_subscription" "primary" {}

resource "azurerm_resource_group" "myrg" {
  name     = "myrg"
  location = "West US"
}

resource "azurerm_role_assignment" "test" {
  scope                = "${azurerm_resource_group.myrg.id}" # must reference the resource group declared above (was "main")
  role_definition_name = "Reader" # or "${data.azurerm_role_definition.custom-byname.name}"
  principal_id         = "xxxx"   # object ID of the user or application being granted the role
}

The principal_id is the Object ID of the user. You can find it by navigating to the Azure Active Directory in the portal -> Users -> search by the user principal name (email address in your case). You could refer to this answer.

0
votes

What you are looking for I believe is the azurerm_role_definition data source, which allows you to import an already existing role definition into terraform.

See documentation here.

Example:

data "azurerm_subscription" "primary" {}

data "azurerm_role_definition" "my_role" {
  ### Specify either role_definition_id or name of the existing role
  # role_definition_id = "00000000-0000-0000-0000-000000000000"
  # name               = "MyRoleDefinition"

  scope = data.azurerm_subscription.primary.id
}

To assign this role to, for example, a resource group my_rg, set the scope to the resource group id:

resource "azurerm_resource_group" "my_rg" {
  name     = "myRG"
  location = "West US"
}

data "azurerm_client_config" "client_config" {}

resource "azurerm_role_assignment" "my_role_assignment" {
  scope              = azurerm_resource_group.my_rg.id
  role_definition_id = data.azurerm_role_definition.my_role.id
  principal_id       = data.azurerm_client_config.client_config.service_principal_object_id
}
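Both answers above show the role lookup and the assignment as separate fragments. The following is an added example, not code from the question or either answer, that puts them together for the asker's actual case: granting an existing role, known only by its name, to the system-assigned managed identity of a VM, scoped to a single resource group rather than the subscription. The variable names (`vm_principal_id`, `custom_role_name`), the role name `MyCustomRole`, and the resource group name are placeholders and assumptions; the VM resource itself is not shown, only the attribute path that yields its identity's object ID.

```hcl
# Added example (not from the question or either answer). All names below are
# assumptions/placeholders, not values taken from the page.

terraform {
  required_version = ">= 0.13" # needed for variable validation blocks
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "vm_principal_id" {
  description = <<-EOT
    Object ID of the principal being granted the role. For a VM declared with
    identity { type = "SystemAssigned" }, pass
    azurerm_linux_virtual_machine.<name>.identity[0].principal_id (assumed VM name).
  EOT
  type        = string

  # Catch the common mistake of passing a display name or UPN instead of the object ID.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.vm_principal_id))
    error_message = "vm_principal_id must be the identity's object ID (a GUID), not a name or UPN."
  }
}

variable "custom_role_name" {
  description = "Display name of an existing custom role definition (placeholder value)."
  type        = string
  default     = "MyCustomRole"
}

data "azurerm_subscription" "primary" {}

# Least privilege: scope assignments to the resource group the VM needs, not the subscription.
resource "azurerm_resource_group" "rg" {
  name     = "rg-example" # placeholder
  location = "West US"
}

# Built-in role: role_definition_name is enough, no role-definition data source required.
resource "azurerm_role_assignment" "vm_reader" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Reader"
  principal_id         = var.vm_principal_id
}

# Custom role known only by name: resolve it at the scope it was defined in
# (here the subscription), then assign by its ID at the narrower resource group scope.
data "azurerm_role_definition" "custom" {
  name  = var.custom_role_name
  scope = data.azurerm_subscription.primary.id
}

resource "azurerm_role_assignment" "vm_custom" {
  scope              = azurerm_resource_group.rg.id
  role_definition_id = data.azurerm_role_definition.custom.id
  principal_id       = var.vm_principal_id
}

output "assigned_roles" {
  description = "IDs of the role assignments created for the VM identity."
  value = {
    reader = azurerm_role_assignment.vm_reader.id
    custom = azurerm_role_assignment.vm_custom.id
  }
}
```

Two caveats worth checking before `terraform apply`: the identity running Terraform must itself be allowed to write role assignments at the target scope (Owner or User Access Administrator on the resource group is sufficient), and a custom role name is only unique within the scope it was created at, so the `scope` in the data source must match where the role lives. After apply, `az role assignment list --assignee <object id> --scope <resource group id>` confirms that exactly the intended roles, and no others, were granted to the VM's identity.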