
Experts,

I have a situation where I have to grant access on multiple Azure resources to a particular group, and I have to do this using Terraform only. Example:

  • Azure Group Name: India-group (5-6 users are in this group)
  • Azure Subscription name: India
  • Azure Resource SQL Database: SQL-db-1
  • Azure Resource Key-Vault: India-key-vlt-1
  • Azure Resource Storage Account: India-acnt-1
  • and many more like PostgreSQL, storage account, blob.....

Levi Lu-MSFT
RanaSingh
  • You have multiple resources and I think there are different types to access them or the group. So you need to choose which type you use for every resource and try it yourself. Communities can only help you solve the issues you have, but cannot do everything for you. – Charles Xu Apr 09 '20 at 01:30
  • So can you update your questions more clearly? – Charles Xu Apr 10 '20 at 06:58
  • Thank You for your comment, Charles. I do understand this. As I am new to Terraform, I was just hoping to have some sample Terraform to grant access to the resource with the role; that's why I provided some sample names, and then I will follow that same approach to make that for all other resource types and roles by myself. I will concentrate on learning. But I must say "Thank You Very Much for your valuable comment and time, I really appreciate it". – RanaSingh Apr 10 '20 at 07:02
  • Well, I will show you an example. And I'm also glad to help you if you have more questions. – Charles Xu Apr 10 '20 at 07:07
  • Does it help you solve the problem? Please let me know. – Charles Xu Apr 13 '20 at 02:24
  • Do you still work on this problem? I didn't see any updates. – Charles Xu Apr 16 '20 at 01:46

1 Answer


I think you do not need to care about how the resource group can access the resources. What you need to care about is how to access the resources when it's necessary.

Generally, we use a service principal that is assigned roles containing the appropriate permissions to access the resources. You can take a look at What is role-based access control (RBAC) for Azure resources and Create a service principal via CLI.

In Terraform, I assume you want to get the secrets from the KeyVault. Here is an example:

provider "azurerm" {
  features {}
}

# The azuread_* resources below come from the separate AzureAD provider.
provider "azuread" {}

# Tenant that owns the vault and the service principal; the original snippet
# referenced var.tenant_id without declaring it, so the declaration is added here.
variable "tenant_id" {
  type        = string
  description = "Azure AD tenant ID used for the Key Vault and its access policy"
}

resource "azuread_application" "example" {
  name                       = "example"
  homepage                   = "http://homepage"
  identifier_uris            = ["http://uri"]
  reply_urls                 = ["http://replyurl"]
  available_to_other_tenants = false
  # Implicit flow is only needed for interactive browser sign-in; a service
  # principal used non-interactively (e.g. by Terraform or a script) does not need it.
  oauth2_allow_implicit_flow = true
}

# The service principal is the identity that will be granted vault access.
resource "azuread_service_principal" "example" {
  application_id               = azuread_application.example.application_id
  app_role_assignment_required = false

  tags = ["example", "tags", "here"]
}

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_key_vault" "example" {
  name                        = "testvault" # Key Vault names are globally unique
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = var.tenant_id
  soft_delete_enabled         = true
  purge_protection_enabled    = false

  sku_name = "standard"

  # Data-plane permissions for the service principal: read-only ("get") on
  # keys, secrets and managed storage accounts, nothing more.
  access_policy {
    tenant_id = var.tenant_id
    object_id = azuread_service_principal.example.object_id

    key_permissions = [
      "get",
    ]

    secret_permissions = [
      "get",
    ]

    storage_permissions = [
      "get",
    ]
  }

  # Block network access by default; only trusted Azure services may bypass.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

  tags = {
    environment = "Testing"
  }
}

Then you can access the key vault to get the secrets or keys through the service principal. You can also take a look at the example that controls Key Vault via Python.

For other resources, you need to learn about the resource itself first, and then you will know how to access it in a suitable way. Finally, you can use Terraform to achieve it.

Charles Xu
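A worked example, added here and not part of the answer or the asker's own configuration, of what the question actually asks for: one role assignment per resource for an existing Azure AD group, each scoped to that resource with a narrow built-in role, plus a Key Vault access policy for the same group. It assumes azurerm 2.x and azuread 0.x (where the `azuread_group` data source takes `name`); the `<SUB-ID>`/`<RG>` placeholders, the `group_access` map and the role choices are constructed for illustration, not taken from the page.

```hcl
provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the identity running Terraform; used for the vault access policy.
data "azurerm_client_config" "current" {}

# Look up the existing group from the question; it is not created here.
data "azuread_group" "india" {
  name = "India-group"
}

# Constructed map: one entry per resource, with the least-privileged built-in
# role that fits. Scopes are placeholder resource IDs, not real ones.
variable "group_access" {
  type = map(object({ scope = string, role = string }))
  default = {
    sql_db = {
      scope = "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.Sql/servers/<SERVER>/databases/SQL-db-1"
      role  = "Reader"
    }
    storage = {
      scope = "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/indiaacnt1"
      role  = "Storage Blob Data Reader"
    }
  }
}

# One assignment per map entry, scoped to the resource rather than the
# subscription, so each grant shows up as its own line in the plan.
resource "azurerm_role_assignment" "group" {
  for_each             = var.group_access
  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = data.azuread_group.india.object_id
}

# Key Vault secrets are governed by access policies on the vault, so the
# group gets a read-only policy there instead of an RBAC role.
data "azurerm_key_vault" "india" {
  name                = "India-key-vlt-1"
  resource_group_name = "<RG>"
}

resource "azurerm_key_vault_access_policy" "group" {
  key_vault_id       = data.azurerm_key_vault.india.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azuread_group.india.object_id
  secret_permissions = ["get", "list"]
}
```

Adding a resource means adding one map entry, and changing a role produces a plan diff on exactly that assignment, which is what you want to review before applying.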