在 Azure 中通过 Terraform 为 VM 实例创建托管系统标识答案

【问题标题】：Creating Managed System Identity for VM Instances via Terraform in Azure在 Azure 中通过 Terraform 为 VM 实例创建托管系统标识
【发布时间】：2019-02-19 05:40:39
【问题描述】：

尝试使用 Terraform 为 VM 创建托管系统标识。 Status=404 Code="MissingSubscription"

出错了

正在尝试为虚拟机创建托管系统标识。这是代码sn-p：

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

 data "azurerm_builtin_role_definition" "contributor" {
   name = "Contributor"
 }

resource "azurerm_role_assignment" "contributor" {
  name                = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
  scope              = "${var.subscription_id}"
 #scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
  }

运行 terraform apply 会产生以下错误：

错误：

Error: Error applying plan:

1 error(s) occurred:

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

我尝试遵循此处描述的示例 - https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html，但看起来如果我将范围更改回 scope = "${data.azurerm_subscription.primary.id}"，则会出错：

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."

【问题讨论】：

标签： terraform terraform-provider-azure

【解决方案1】：

这里有多个问题：

资源azurerm_role_assignment 的name 字段必须是GUID，在您的代码中它带有方括号。
role_definition_id 必须有一个表达式评估，例如只有${data.azurerm_builtin_role_definition.contributor.id}

创建此示例的正确方法是：

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "contributor" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}

假设 tenant_object_id 变量确实是您的主要订阅中的现有服务主体 ID。

【讨论】：

非常感谢@J00MZ