我正在尝试在 Azure 的管理组(management group)级别管理策略。我找到了一个模板,它会创建管理组、定义策略并把策略分配给该管理组。问题是,用它创建管理组之后,我无法用 `terraform destroy` 把这个管理组销毁掉。所以现在我想写一段代码,引用一个已经存在的管理组,并在其上创建新的策略定义和策略分配。
这是我找到的代码(原样粘贴,未经修改):
# Identity of the principal running this apply (tenant, client and object ids).
# Only its object id is consumed here, by the role assignment further down.
data "azurerm_client_config" "config" {
}
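# Subscription the provider is configured against; its id is listed as an
# assignable scope of the custom role below. The data source type was
# misspelled ("azurerm_subscrition"), which is not a provider type and does not
# match the later reference data.azurerm_subscription.sub.id.
data "azurerm_subscription" "sub" {}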
# Management group that owns the subscriptions listed below and acts as the
# scope for the role, policy definition and policy assignment in this file.
# The three ids are placeholders and must be replaced with real subscription ids.
# NOTE(review): to operate on a management group that already exists instead of
# creating one, swap this block for
#   data "azurerm_management_group" "group1" { name = "MyManagementGroup" }
# and change every azurerm_management_group.group1.id reference to
# data.azurerm_management_group.group1.id; Terraform will then neither create
# nor destroy the group.
resource "azurerm_management_group" "group1" {
  name = "MyManagementGroup"

  subscription_ids = [
    "00000000-0000-0000-0000-000000000000",
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
  ]
}
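# Custom RBAC role defined at management-group scope.
resource "azurerm_role_definition" "roledefinition1" {
  # The role GUID is left for the provider to generate: the original hard-coded
  # the all-zero placeholder 00000000-0000-0000-0000-000000000000, which is not a
  # unique identifier and collides on a second deployment in the same tenant.
  name        = "Role Definition"
  scope       = "${azurerm_management_group.group1.id}"
  description = "Custom role"

  # SECURITY: actions = ["*"] with an empty not_actions is the permission set of
  # the built-in Owner role. Assigned below to the deploying service principal at
  # management-group scope, it is full administrative control over every
  # subscription in the group. Narrow this to the operations actually needed
  # (for policy management the built-in "Resource Policy Contributor" role is
  # usually sufficient).
  permissions {
    actions     = ["*"]
    not_actions = []
  }

  # A role can only be assigned within its assignable scopes, and the role
  # assignment below is created at management-group scope. The original listed
  # only the subscription, so that assignment could not have been created with
  # this role; the management group is added here and the subscription kept.
  assignable_scopes = [
    "${azurerm_management_group.group1.id}",
    "${data.azurerm_subscription.sub.id}",
  ]
}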
# Grant the custom role above to the principal running Terraform, at
# management-group scope.
# SECURITY: together with actions = ["*"] in the role definition this makes the
# deploying identity Owner-equivalent across the whole management group, and the
# grant persists after the apply finishes. Keep the scope and the role to what
# the deployment actually requires.
# NOTE(review): newer azurerm releases expose the caller as
# data.azurerm_client_config.config.object_id and may deprecate
# service_principal_object_id — confirm against the provider version in use.
resource "azurerm_role_assignment" "roleassignment1" {
  principal_id         = "${data.azurerm_client_config.config.service_principal_object_id}"
  role_definition_name = "${azurerm_role_definition.roledefinition1.name}"
  scope                = "${azurerm_management_group.group1.id}"
}
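# Custom policy definition stored at management-group level so it can be
# assigned to the group or to any subscription beneath it.
resource "azurerm_policy_definition" "policy" {
  name         = "TestPolicy"
  policy_type  = "Custom"
  display_name = "Test policy definition"

  # `mode` is a required argument of this resource and was missing; "All"
  # evaluates resource groups and every resource type.
  mode = "All"

  # This resource takes the management group through management_group_id
  # (called management_group_name in azurerm 2.x), not `scope` as the original
  # had — NOTE(review): confirm the argument name for the provider version in use.
  management_group_id = "${azurerm_management_group.group1.id}"

  # The original rule body was `"if": { "true" }`, which is not valid JSON (a
  # bare string inside an object) and is rejected by the service. A field/like
  # condition on `type` with "*" matches every resource, which is the intended
  # "always audit" test rule.
  policy_rule = <<POLICY_RULE
{
  "if": {
    "field": "type",
    "like": "*"
  },
  "then": {
    "effect": "audit"
  }
}
POLICY_RULE
}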
resource "azurerm_policy_assignment" "test" {
name = "example-policy-assignment"
scope = "${azurerm_management_group.group1.id}"
policy_definition_id = "${azurerm_policy_definition.policy.id}"
description = "Policy Assignment"
display_name = "Test Policy Assignment"