问题
a@cc.com & b@cc.com are E-mail addresses of our organization. These emails are also used as the Azure login accounts. I've set up a Terraform code to use the AzureAD to access to the VM in Azrue. My question is How Can I grand those accounts the role of Virtual Machine User Login?
resource "azurerm_role_assignment" "test" {
scope = "${data.azurerm_management_group.primary.id}"
role_definition_id = "Virtual Machine User Login"
principal_id = "a@cc.com, b@cc.com"
}
The official documents says principal_id is the ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Isn't the that the email address is the ID of the user?
回答1:
The principal_id should be the Object ID of the user.
1.Navigate to the Azure Active Directory in the portal -> Users -> search by the user principal name(email address in your case).
2.Click the user, then you can find the Object ID.
If you want to add a list of users as the role, you could use that as below. In my sample, there are two users with Object ID 65c66b3xxxxxxa623338 and c098bc79xxxxxx58cb26e.
data "azurerm_subscription" "primary" {}
data "azurerm_client_config" "test" {}
variable "ids" {
type = list(string)
default = ["65c66b3xxxxxxa623338","c098bc79xxxxxx58cb26e"]
}
resource "azurerm_role_assignment" "test" {
count = "${length(var.ids)}"
scope = "${data.azurerm_management_group.primary.id}"
role_definition_name = "Virtual Machine User Login"
principal_id = "${element(var.ids, count.index)}"
}
来源:https://stackoverflow.com/questions/58916411/how-to-add-virtual-machine-user-login-roles-to-a-list-of-users-by-terraform