terraform-az-rbac-pim-assignment's People

Contributors

mariussm

terraform-az-rbac-pim-assignment's Issues

Can't use resource groups managed from Terraform maps/lookups with Resource Group PIM assignment

I am trying to use the PIM Assignment - Resource Group module with for_each and lookups in TF. The use case is so that we can set a security group as a variable, then have that security group be granted RBAC roles, and in this case, the PIM assignment as well.

I am using the branch linked in issue #1.

When I run terraform plan, I receive the following error output:


│ Error: Invalid value for module argument
│
│   on testVDI.tf line 59, in module "pim_assignment_2":
│   59:   resource_group_name  = azurerm_resource_group.test-vdi-rg[each.key]
│
│ The given value is not suitable for child module variable "resource_group_name" defined at PIM Assignment - Resource Group\main.tf:24,1-31: string required.

I tried changing the Resource Group PIM assignment main.tf resource_group_name to a map as follows:

variable "resource_group_name" {
  type = string
}

After doing this and saving, I get the following error:

│ Error: Incorrect attribute value type
│
│   on PIM Assignment - Resource Group\main.tf line 44, in resource "random_uuid" "eligible_schedule_request_id":
│   44:   keepers = {
│   45:     principalId         = var.principal_id
│   46:     roleDefinitionId    = data.azurerm_role_definition.role.id
│   47:     requestType         = var.request_type
│   48:     startDateTime       = "${formatdate("YYYY-MM-DD", time_rotating.eligible_schedule_request_start_date.id)}T${formatdate("HH:mm:ss.0000000+02:00", time_rotating.eligible_schedule_request_start_date.id)}"
│   49:     duration            = "P${tostring(var.assignment_days)}D"
│   50:     resource_group_name = var.resource_group_name
│   51:   }
│     ├────────────────
│     │ data.azurerm_role_definition.role.id will be known only after apply
│     │ time_rotating.eligible_schedule_request_start_date.id will be known only after apply
│     │ var.assignment_days is a number, known only after apply
│     │ var.principal_id is a string, known only after apply
│     │ var.request_type is a string, known only after apply
│     │ var.resource_group_name is a map of dynamic, known only after apply
│
│ Inappropriate value for attribute "keepers": element "resource_group_name": string required.

I'm defining resource groups in the root main.tf as follows:

resource "azurerm_resource_group" "test-vdi-rg" {
  for_each = var.team_name
  name     = "${each.value}-VDI"
  location = var.location
  tags = {
    Owner            = lookup(var.Owner, each.key)
    TechnicalContact = lookup(var.TechnicalContact, each.key)
    Location         = lookup(var.City, each.key)
    DepartmentName   = lookup(var.DepartmentName, each.key)
  }
}

Can't use PIM Assignment - Resource Group with for_each

I am trying to use the PIM Assignment - Resource Group module with for_each and lookups in TF. The use case is so that we can set a security group as a variable, then have that security group be granted RBAC roles, and in this case, the PIM assignment as well.

The main.tf portion is as follows:

module "pim_assignment_2" {

  source               = "./PIM Assignment - Resource Group"
  for_each             = var.team_name
  resource_group_name  = azurerm_resource_group.test-vdi-rg.name
  principal_id         = lookup(var.SecurityGroup, each.key)
  role_definition_name = "Virtual Machine Administrator Login"
}

When I run terraform plan, I get the following error:

│ Error: Module module.pim_assignment_2 contains provider configuration
│
│ Providers cannot be configured within modules using count, for_each or depends_on.

How should we utilize the module to create one PIM assignment in a for_each situation?
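The two issues above share one root cause pair: a resource created with for_each must be indexed by key before its .name is taken, and a module called with for_each may not carry its own provider block, so the root passes its provider in. The following is an added example, not code from the repository or the issue author; it assumes the child module's own provider block has been removed and that var.team_name, var.SecurityGroup and var.location are declared as in the issue. Each team's group ends up with one eligible assignment scoped only to that team's resource group, which keeps the grant least-privilege.

```hcl
# Root module (constructed example). Assumed layout: the child module at
# "./PIM Assignment - Resource Group" no longer contains a "provider" block.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test-vdi-rg" {
  for_each = var.team_name
  name     = "${each.value}-VDI"
  location = var.location
}

module "pim_assignment_2" {
  source   = "./PIM Assignment - Resource Group"
  for_each = var.team_name

  # Hand the root provider to every instance of the module. Terraform refuses
  # a provider block inside a module that is used with count/for_each, but it
  # accepts an explicitly passed provider.
  providers = {
    azurerm = azurerm
  }

  # azurerm_resource_group.test-vdi-rg is a map of objects (one per team);
  # the module variable wants a single string, so index by the same key.
  resource_group_name  = azurerm_resource_group.test-vdi-rg[each.key].name
  principal_id         = lookup(var.SecurityGroup, each.key)
  role_definition_name = "Virtual Machine Administrator Login"
}

# Child module, e.g. "./PIM Assignment - Resource Group/versions.tf":
# declare the requirement only, never a configured provider.
# terraform {
#   required_providers {
#     azurerm = { source = "hashicorp/azurerm" }
#   }
# }
```

After this change, terraform plan should show one module instance per key of var.team_name, each with a known string for resource_group_name.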

Assign to a specific subscription in the code

Using an Azure DevOps pipeline, I have tried to run the code, but the problem is I cannot assign the PIM to a subscription, or to several, using code.
I changed the logic to the below, but the logic doesn't work. It only assigned the PIM to the subscription that I logged in to.

setPim.tf

module "PIM_reader" {
  source = "./modules/pim_assignment_to_subscription"

  subscription_ids     = [
    "XXXXXXXXXXXXXXXXXXXXXX" ,  # lz-prod-01
    "YYYYYYYYYYYYYYYYYYYYYYY"   # lz-prod-02
  ]
  location             = var.location
  role_definition_name = "Reader"
  member               = module.ni_reader_group.aad_group
  assignment_days      = 365
  state                = "Enabled" # Deleted => for removing PIM assignment | Enabled => for assign a PIM
}

./modules/pim_assignment_to_subscription/main.tf

locals {
  request_type = var.state == "Enabled" ? "AdminUpdate" : (var.state == "Deleted" ? "AdminRemove" : "")
}
// Use data resource to get the role definition ID if not provided
data "azurerm_role_definition" "role" {
  for_each   = { for sub_id in var.subscription_ids : sub_id => sub_id }

  name  = var.role_definition_name
  scope = "/subscriptions/${each.value}"
}

resource "random_uuid" "eligible_schedule_request_id" {
  for_each = { for sub_id in var.subscription_ids : sub_id => sub_id }

  keepers = {
    principalId      = var.member
    roleDefinitionId = data.azurerm_role_definition.role[each.key].id
    requestType      = local.request_type
    startDateTime    = "${formatdate("YYYY-MM-DD", time_rotating.eligible_schedule_request_start_date.id)}T${formatdate("HH:mm:ss.0000000+02:00", time_rotating.eligible_schedule_request_start_date.id)}"
    duration         = "P${tostring(var.assignment_days)}D"
  }
}

resource "time_rotating" "eligible_schedule_request_start_date" {
  rotation_days = floor(var.assignment_days / 2)
}

# Deploy the eligible schedule request using ARM template
resource "azurerm_subscription_template_deployment" "eligible_schedule_request" {
  for_each = { for sub_id in var.subscription_ids : sub_id => sub_id }

  name = random_uuid.eligible_schedule_request_id[each.key].id
  # id             = random_uuid.eligible_schedule_request_id[each.key].id
  location         = var.location
  template_content = file("${path.module}/pim_assignment.json")

  // Send parameters to ARM template
  parameters_content = jsonencode({
    "principalId" = {
      value = var.member
    },
    "roleDefinitionId" = {
      value = data.azurerm_role_definition.role[each.key].id
    },
    "requestType" = {
      value = local.request_type
    },
    "id" = {
      value = random_uuid.eligible_schedule_request_id[each.key].id
    }
    "startDateTime" = {
      value = "${formatdate("YYYY-MM-DD", time_rotating.eligible_schedule_request_start_date.id)}T${formatdate("HH:mm:ss.0000000+02:00", time_rotating.eligible_schedule_request_start_date.id)}"
    }
    "duration" = {
      value = "P${tostring(var.assignment_days)}D"
    }
    "scope" = {
      value = "/subscriptions/${each.value}"
    }
  })
  timeouts {
    create = "120s"
  }
  lifecycle {
    ignore_changes = [
      template_content
    ]
  }
}

When it creates, the value of "azurerm_subscription_template_deployment.eligible_schedule_request.id" contains none of the subscription ids.
