如何从 terraform 上的不同订阅导入托管服务标识

Question

我有一个托管服务身份 workflow-identity 以订阅 A 为生。我设置了另一个订阅 B 并设置了一个存储帐户 storageb。我想设置azurerm_role_assignment 让A 访问storageb。 所以我用了：

>terraform import azurerm_user_assigned_identity.example /subscriptions/[subscription-B]/resourceGroups/[resource-group-id]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/workflow-identity 但它不起作用。我猜的原因是因为我试图从不同的订阅导入托管服务标识。所以我的问题是在我的情况下如何从不同的订阅导入？

这是我的代码示例：

resource "azurerm_storage_account" "storage1" {
    name                     = var.storage_account
    resource_group_name      = azurerm_resource_group.rg.name
    location                 = azurerm_resource_group.rg.location
    account_tier             = "Standard"
    account_replication_type = "LRS"
}

resource "azurerm_user_assigned_identity" "example" {
    resource_group_name = azurerm_resource_group.example.name
    location            = azurerm_resource_group.example.location
    name = "search-api"
    # subscription_id = 12333.   <---- not working. not supported.
}

resource "azurerm_role_assignment" "storage_role" {
  scope                = azurerm_storage_account.storage1.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}

Answer 1

您需要创建另一个 azure 提供程序并将其范围限定为该订阅并使用该提供程序来部署资源：

provider "azurerm" {
  version = "~>1.44"
}

provider "azurerm" {
  alias           = "other_sub"
  subscription_id = "xxxx-xxxx-xxxx"
}

resource "azurerm_public_ip" "ipv4" {
    provider = "azurerm.other_sub"
    name = zzz
    resource_group_name = yyy
    location = xxx
    allocation_method = "Static"
    ip_version = "IPv4"
    sku = "Standard"
}