为多个订阅创建 Azure 服务主体

Question

我已经能够使用以下 terraform 成功创建服务主体机密。但是，对于尝试为多个订阅创建服务主体的正确方法是什么，我有点困惑。我有点新手，不幸的是遇到了这个问题。为多个订阅实施服务主体的最佳/正确方法是什么？

data "azurerm_subscription" "example-subscription" {
    subscription_id = "959e460c-209e-43d7-a6e9-e30c716e0691"
}

# Azure AD App
resource "azuread_application" "example-subscription" {
  name                       = "example-subscription"
  available_to_other_tenants = false
}

# Service Principal associated with the Azure AD App
resource "azuread_service_principal" "example-subscription" {
  application_id = azuread_application.example-subscription.application_id
}

# Random string to be used for Service Principal password
resource "random_password" "password-subscription" {
  length  = 32
  special = true
}

# Service Principal password
resource "azuread_service_principal_password" "example-subscription" {
  service_principal_id = azuread_service_principal.example-subscription.id
  value                = random_password.password-subscription.result
  end_date_relative    = "17520h"
}

# Role assignment for service principal
resource "azurerm_role_assignment" "example-subscription" {
  scope                = data.azurerm_subscription.example-subscription.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example-subscription.id
}

订阅示例

data "azurerm_subscription" "example-subscription" {
    subscription_id = "959e460c-209e-43d7-a6e9-e30c716e0691"
}

data "azurerm_subscription" "example-subscription2” {
    subscription_id = "b344b74c-4600-470d-ad73-e918b0d0ccd3"
}

data "azurerm_subscription" "example-subscription3” {
    subscription_id = "242d05b2-e06e-4713-8094-44955dab1ee8"
}

Answer 1

服务主体是单个 Azure AD 租户或目录中全局应用程序对象的本地表示或应用程序实例。服务主体是从应用程序对象创建的具体实例，并从该应用程序对象继承某些属性。

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

如果您在一个 Azure AD 租户中有多个 Azure 订阅，您可以在所有 Azure 订阅中使用您的单一服务主体。