Azure
# Identity Terraform is running as; its object_id is used as the owner of the
# application and service principal declared below.
data "azuread_client_config" "current" {
}
# Subscription the azurerm provider is authenticated against; its id is the
# scope used for the role assignment below.
data "azurerm_subscription" "current" {
}
# App registration that backs the CloudPlans workload identity.
resource "azuread_application" "cloudplans_application" {
  display_name = "cloudplans_application"

  # The deploying principal is registered as owner so it can manage the app later.
  owners = [data.azuread_client_config.current.object_id]
}
# Service principal (enterprise application) for the app registration above;
# this is the identity that receives the role assignment.
resource "azuread_service_principal" "cloudplans_sp" {
  # Same owner as the app registration
  owners = [data.azuread_client_config.current.object_id]

  # No app role assignment is required to use this principal.
  app_role_assignment_required = false

  client_id = azuread_application.cloudplans_application.client_id
}
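# Custom subscription-scoped role for CloudPlans.
#
# Fix: the subscription data source in this file is named "current"
# (data "azurerm_subscription" "current"), but scope and assignable_scopes
# referenced data.azurerm_subscription.primary, which is not declared and
# fails at plan time.
resource "azurerm_role_definition" "example" {
  name        = "cloudplans_role"
  scope       = data.azurerm_subscription.current.id
  description = "This is a custom role created via Terraform for CloudPlans"

  permissions {
    actions = [
      "Microsoft.Compute/locations/runCommands/read",
      "Microsoft.Compute/availabilitySets/vmSizes/read",
      "Microsoft.Compute/hostGroups/hosts/read",
      "Microsoft.Compute/hostGroups/read",
      "Microsoft.Compute/proximityPlacementGroups/read",
      "Microsoft.Compute/hostGroups/hosts/hostSizes/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/powerOff/action",
      "Microsoft.Compute/virtualMachines/restart/action",
      "Microsoft.Compute/virtualMachines/vmSizes/read",
      "Microsoft.Compute/virtualMachines/runCommands/read",
      # NOTE(review): runCommands/write lets the holder run commands inside
      # every VM within the assignable scope, which is far broader than the
      # read/start/stop actions around it. Confirm it is required and, if so,
      # narrow assignable_scopes to the resource groups that need it.
      "Microsoft.Compute/virtualMachines/runCommands/write",
      "Microsoft.Compute/sharedVMExtensions/read",
      "Microsoft.Compute/virtualMachineScaleSets/read",
      "Microsoft.Compute/virtualMachineScaleSets/manualUpgrade/action"
    ]
    not_actions = []
  }

  # The role can only be assigned at (or below) this subscription.
  assignable_scopes = [
    data.azurerm_subscription.current.id, # /subscriptions/00000000-0000-0000-0000-000000000000
  ]
}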
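# Grants the CloudPlans service principal the custom role at subscription scope.
#
# Fix: the assignment previously selected the role by name through var.rolename,
# which neither guarantees it is the "cloudplans_role" defined in this file nor
# creates a dependency on it, so a first apply could try to resolve the role
# before it exists. Referencing the role definition's resource id ties the
# assignment to that definition and orders the two resources.
resource "azurerm_role_assignment" "assignment" {
  # object_id is the principal's directory object id, which is what role
  # assignments expect regardless of azuread provider version.
  principal_id       = azuread_service_principal.cloudplans_sp.object_id
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id

  # The SP is created in the same apply; skipping the AAD lookup avoids failing
  # on directory replication delay for a freshly created principal.
  skip_service_principal_aad_check = true
}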