Terraform-provider-azurerm: Assigning role to Managed Service Identity only possible with external script

Created on 20 Oct 2017  ·  3 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

I have this use case in Azure with Terraform: create a VM and allow it to access data in a storage container. For this I need to assign the MSI principal to a storage role. But I saw no way to get the principal id without the help of a small script (vm_identity.sh) that will query the id.

Did I miss something? Or would it be possible to make the principal id somehow accessible by Terraform? Maybe integrate the MSI extension into the VM creation process by using the --assign-identity parameter (https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_create) and adding the principal id to the azurerm_virtual_machine attributes.

Additionally, it would make azurerm_role_assignment easier to use if the RoleAssignmentId were generated automatically.

Terraform Version

Terraform v0.10.7
terraform-provider-azurerm_v0.3

Affected Resource(s)

  • azurerm_role_assignment

Terraform Configuration Files

resource "azurerm_virtual_machine" "test" {
  ...
}

resource "azurerm_virtual_machine_extension" "msi" {
  name                 = "msi"
  location             = "West Europe"
  resource_group_name  = "${azurerm_resource_group.test.name}"
  virtual_machine_name = "${azurerm_virtual_machine.test.name}"
  publisher            = "Microsoft.ManagedIdentity"
  type                 = "ManagedIdentityExtensionForLinux"
  type_handler_version = "1.0"
  settings             = ""
}

data "external" "principal_id" {
  program = ["./vm_identity.sh"]
  depends_on = ["azurerm_virtual_machine_extension.msi"]
}

resource "azurerm_role_assignment" "celum" {
  name               = "20f63f88-a154-46dc-9764-0cad5cc76eea"
  scope              = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/test/providers/Microsoft.Storage/storageAccounts/test-sa"
  role_definition_id = "${data.azurerm_role_definition.role.id}"
  principal_id       = "${data.external.principal_id.result.id}"
}

vm_identity.sh

#!/bin/bash
# Return the principal ID of VM "test-host" as JSON for Terraform's external data source.
set -euo pipefail
# Quote the JMESPath query so the shell does not glob-expand "[*]".
ID=$(az resource list -n test-host --query '[*].identity.principalId' -o json | jq -r '.[0]')
jq -n --arg id "$ID" '{"id":$id}'

All 3 comments

I've raised a PR that will expose the principal ID:

solved in PR #482
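The native wiring that PR #482 enables, as an added example rather than configuration taken from the issue or the provider's documentation: the VM gets a system-assigned identity and its exported principal ID feeds the role assignment directly, with the scope narrowed to one storage account. It assumes a provider release that exports identity.0.principal_id and accepts an omitted role assignment name, and that azurerm_storage_account.test and data.azurerm_role_definition.role are declared elsewhere in the same configuration (both are placeholders).

```hcl
resource "azurerm_virtual_machine" "test" {
  name                = "test-host"
  location            = "West Europe"
  resource_group_name = "${azurerm_resource_group.test.name}"
  # ... network interface, size, disks and os_profile as in the original VM ...

  # The system-assigned MSI is created with the VM; the provider exports its
  # principal ID (assumed attribute path: identity.0.principal_id), so the
  # external data source and vm_identity.sh are no longer needed.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "storage" {
  # name is omitted: the provider generates the assignment GUID (assumed
  # behaviour of a release after PR #482), so no hardcoded UUID is kept in code.
  # Scope is the single storage account the VM must read, not the resource
  # group or subscription, which keeps the identity to least privilege.
  scope              = "${azurerm_storage_account.test.id}"
  role_definition_id = "${data.azurerm_role_definition.role.id}"
  principal_id       = "${azurerm_virtual_machine.test.identity.0.principal_id}"
}
```

Because principal_id now comes from a resource attribute, Terraform orders the role assignment after VM creation without a depends_on on the extension.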

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
