个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
34
4
我正在关注教程Implementing Terraform on Microsoft Azure至此。到目前为止一切顺利,我已经到达了使用 terraform 工作区从 Azure DevOps CI/CD 管道创建环境的模块。模块名称为“使用 Azure DevOps”
Azure DevOps 项目已公开 - https://dev.azure.com/MarkKharitonov0271/_git/Globomantics-testing
运行workspaces发布管道对我来说始终失败:
2020-01-19T03:23:20.5420275Z Error: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '0e648d2d-a49f-407e-99de-9d6343876a8c' with object id '0e648d2d-a49f-407e-99de-9d6343876a8c' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020-01-19T03:23:20.5420512Z
2020-01-19T03:23:20.5420989Z on vnet-peering.tf line 52, in resource "azurerm_role_definition" "vnet-peering":
2020-01-19T03:23:20.5421339Z 52: resource "azurerm_role_definition" "vnet-peering" {
(您可以在项目存储库中查看 vnet-peering.tf - https://dev.azure.com/MarkKharitonov0271/_git/Globomantics-testing?path=%2Fnetworking%2Fvnet-peering.tf )
无论如何,如果我正确理解错误消息,它声称服务主体 0e648d2d-a49f-407e-99de-9d6343876a8c 无权在订阅中创建新的角色定义2b38509c-a310-4c8f-bd78-9e400cc874e3
所以,我检查了服务主体:
PS /home/mark> az ad sp show --id '0e648d2d-a49f-407e-99de-9d6343876a8c'
{
"accountEnabled": "True",
"addIns": [],
"alternativeNames": [],
"appDisplayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
"appId": "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8",
"appOwnerTenantId": "717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4",
"appRoleAssignmentRequired": false,
"appRoles": [],
"applicationTemplateId": null,
"deletionTimestamp": null,
"displayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
"errorUrl": null,
"homepage": "https://VisualStudio/SPN",
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"keyCredentials": [],
"logoutUrl": null,
"notificationEmailAddresses": [],
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on behalf of the signed-in user.",
"adminConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
"id": "d0f141b9-fc6b-4f3c-9217-018d74712ee1",
"isEnabled": true,
"userConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on your behalf.",
"userConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
}
],
"objectId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
"objectType": "ServicePrincipal",
"odata.metadata": "https://graph.windows.net/717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
"passwordCredentials": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyEndDateTime": null,
"preferredTokenSigningKeyThumbprint": null,
"publisherName": "Default Directory",
"replyUrls": [
"https://VisualStudio/SPN"
],
"samlMetadataUrl": null,
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
"0ae4ffc7-149d-45ac-ab15-c9f61e4591f8"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null
}
请注意,服务主体的 appId 等于 0ae4ffc7-149d-45ac-ab15-c9f61e4591f8。
它似乎与 Azure DevOps 创建的任务相对应,当我将 Terraform 任务添加到管道时,它想要授权对订阅的访问。确实:
现在,terraform apply 步骤引用相同的服务主体:
最后,此服务主体似乎具有订阅的贡献者访问权限:
PS /home/mark> az role assignment list --assignee '0e648d2d-a49f-407e-99de-9d6343876a8c'
[
{
"canDelegate": null,
"id": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleAssignments/346f1b92-0621-44c0-b88a-343c52637a0f",
"name": "346f1b92-0621-44c0-b88a-343c52637a0f",
"principalId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
"principalName": "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
"principalType": "ServicePrincipal",
"roleDefinitionId": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleDefinitionName": "Contributor",
"scope": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3",
"type": "Microsoft.Authorization/roleAssignments"
}
]
PS /home/mark>
所以,我不明白发生了什么。
编辑 1
因此,我能够使用 Azure Cloud Shell 中完全相同的服务主体运行完全相同的 terraform 配置。
首先,我重置凭据,注销并以该服务主体身份重新登录:
PS /home/mark/terraform> az ad sp credential reset --name https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b
{
"appId": "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8",
"name": "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
"password": "e...3",
"tenant": "717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4"
}
PS /home/mark/terraform> az account clear
Logout successful. Re-login to your initial Cloud Shell identity with 'az login --identity'. Login with a new identity with 'az login'.
PS /home/mark/terraform> az login --service-principal -u https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b -p e...3 --tenant 717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
{
"cloudName": "AzureCloud",
"id": "2b38509c-a310-4c8f-bd78-9e400cc874e3",
"isDefault": true,
"name": "Visual Studio Enterprise",
"state": "Enabled",
"type": "servicePrincipal"
}
}
]
然后我克隆了 Git 存储库以获取 Terraform 代码,并复制了从先前模块保存的后端配置:
PS /home/mark/terraform> git clone https://<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="4f022e3d2404272e3d263b202120397f7d787e0f2b2a39612e353a3d2a612c2022" rel="noreferrer noopener nofollow">[email protected]</a>/MarkKharitonov0271/Globomantics-testing/_git/Globomantics-testing
Cloning into 'Globomantics-testing'...
remote: Azure Repos
remote: We noticed you're using an older version of Git. For the best experience, upgrade to a newer version.
remote: Found 9 objects to send. (2 ms)
Unpacking objects: 100% (9/9), done.
Checking connectivity... done.
PS /home/mark/terraform> cd ./Globomantics-testing/networking/
PS /home/mark/terraform/Globomantics-testing/networking> dir
Directory: /home/mark/terraform/Globomantics-testing/networking
Mode LastWriteTime Length Name
---- ------------- ------ ----
------ 1/19/20 4:41 AM 40 backend.tf
------ 1/19/20 4:41 AM 2256 main.tf
------ 1/19/20 4:41 AM 436 terraform.tfvars
------ 1/19/20 4:41 AM 2423 vnet-peering.tf
------ 1/19/20 4:41 AM 279 workspacetest.sh
PS /home/mark/terraform/Globomantics-testing/networking> copy ../../1-main-vnet/backend-config.txt .
现在我准备初始化 Terraform 并设置开发工作区:
PS /home/mark/terraform/Globomantics-testing/networking> terraform init -backend-config='backend-config.txt'
Initializing modules...
Downloading Azure/vnet/azurerm 1.2.0 for vnet-main...
- vnet-main in .terraform/modules/vnet-main
Successfully configured the backend "azurerm"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "azurerm" (hashicorp/azurerm) 1.41.0...
- Downloading plugin for provider "template" (hashicorp/template) 2.1.2...
...
PS /home/mark/terraform/Globomantics-testing/networking> terraform workspace select development
Switched to workspace "development".
现在地形计划:
PS /home/mark/terraform/Globomantics-testing/networking> terraform plan -var sec_client_secret='F...$' -out main.tfplan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.template_file.subnet_prefixes[0]: Refreshing state...
data.template_file.subnet_prefixes[1]: Refreshing state...
data.template_file.subnet_prefixes[2]: Refreshing state...
azurerm_resource_group.main: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet]
data.azurerm_subscription.current: Refreshing state...
module.vnet-main.azurerm_resource_group.vnet: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet]
module.vnet-main.azurerm_virtual_network.vnet: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet]
module.vnet-main.azurerm_subnet.subnet[0]: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet/subnets/web]
module.vnet-main.azurerm_subnet.subnet[2]: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet/subnets/app]
module.vnet-main.azurerm_subnet.subnet[1]: Refreshing state... [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet/subnets/database]
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azurerm_role_assignment.vnet will be created
+ resource "azurerm_role_assignment" "vnet" {
+ id = (known after apply)
+ name = (known after apply)
+ principal_id = "63309b8d-908a-4dcf-b95b-25eae33aaceb"
+ principal_type = (known after apply)
+ role_definition_id = (known after apply)
+ role_definition_name = (known after apply)
+ scope = "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet"
+ skip_service_principal_aad_check = (known after apply)
}
# azurerm_role_definition.vnet-peering will be created
+ resource "azurerm_role_definition" "vnet-peering" {
+ assignable_scopes = [
+ "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3",
]
+ id = (known after apply)
+ name = "allow-vnet-peer-action-development"
+ role_definition_id = (known after apply)
+ scope = "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3"
+ permissions {
+ actions = [
+ "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
+ "Microsoft.Network/virtualNetworks/peer/action",
+ "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
+ "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
]
+ not_actions = []
}
}
# azurerm_virtual_network_peering.main will be created
+ resource "azurerm_virtual_network_peering" "main" {
+ allow_forwarded_traffic = (known after apply)
+ allow_gateway_transit = (known after apply)
+ allow_virtual_network_access = (known after apply)
+ id = (known after apply)
+ name = "development_2_sec"
+ remote_virtual_network_id = "/subscriptions/2b1285d1-f4a7-4cc3-a7b1-0d0fc31d6192/resourceGroups/security/providers/Microsoft.Network/virtualNetworks/security"
+ resource_group_name = "development-vnet"
+ use_remote_gateways = (known after apply)
+ virtual_network_name = "development-vnet"
}
# azurerm_virtual_network_peering.sec will be created
+ resource "azurerm_virtual_network_peering" "sec" {
+ allow_forwarded_traffic = (known after apply)
+ allow_gateway_transit = (known after apply)
+ allow_virtual_network_access = (known after apply)
+ id = (known after apply)
+ name = "sec_2_development"
+ remote_virtual_network_id = "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet"
+ resource_group_name = "security"
+ use_remote_gateways = (known after apply)
+ virtual_network_name = "security"
}
Plan: 4 to add, 0 to change, 0 to destroy.
...
------------------------------------------------------------------------
This plan was saved to: main.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "main.tfplan"
最后应用 terraform:
PS /home/mark/terraform/Globomantics-testing/networking> terraform apply main.tfplan
azurerm_role_definition.vnet-peering: Creating...
azurerm_role_definition.vnet-peering: Creation complete after 1s [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleDefinitions/b9614597-de13-c2c6-a275-9186847642ed]
azurerm_role_assignment.vnet: Creating...
azurerm_role_assignment.vnet: Creation complete after 1s [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet/providers/Microsoft.Authorization/roleAssignments/7f6a642d-d43e-05b5-cf34-3d20d02cd255]
azurerm_virtual_network_peering.main: Creating...
azurerm_virtual_network_peering.sec: Creating...
azurerm_virtual_network_peering.main: Still creating... [10s elapsed]
azurerm_virtual_network_peering.sec: Still creating... [10s elapsed]
azurerm_virtual_network_peering.main: Creation complete after 11s [id=/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet/virtualNetworkPeerings/development_2_sec]
azurerm_virtual_network_peering.sec: Creation complete after 11s [id=/subscriptions/2b1285d1-f4a7-4cc3-a7b1-0d0fc31d6192/resourceGroups/security/providers/Microsoft.Network/virtualNetworks/security/virtualNetworkPeerings/sec_2_development]
...
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
Outputs:
resource_group_name = development-vnet
vnet_id = /subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/resourceGroups/development-vnet/providers/Microsoft.Network/virtualNetworks/development-vnet
vnet_name = development-vnet
使用 Azure DevOps 创建的完全相同的服务主体,一切都可以正常工作。
接下来我将尝试删除 Azure DevOps 项目上的服务连接,手动创建一个新连接并重试发布。
编辑2
新服务连接出现同样的错误。我不明白。我觉得“奇怪”的是,main.tf 中的所有资源都配置得很好,但 vnet-peering.tf 中没有。
这是怎么回事?
编辑3
将 Microsoft DevLabs 的 Terraform 任务替换为 Charles Zipp 的任务,因为 Pluralsight 类(class)作者使用了它们。结果相同。
最佳答案
发生这种情况是因为您正在尝试修改权限,这需要 owner 角色或自定义 rbac 角色。
Microsoft.Authorization/roleDefinitions/write
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
关于Azure DevOps Server 无法使用作为订阅贡献者的服务主体创建 Azure 资源,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59807108/
34
4
0
我在网上搜索但没有找到任何合适的文章解释如何使用 javascript 使用 WCF 服务,尤其是 WebScriptEndpoint。 任何人都可以对此给出任何指导吗? 谢谢 最佳答案 这是一篇关于
我正在编写一个将运行 Linux 命令的 C 程序,例如: cat/etc/passwd | grep 列表 |剪切-c 1-5 我没有任何结果 *这里 parent 等待第一个 child (chi
所以我正在尝试处理文件上传,然后将该文件作为二进制文件存储到数据库中。在我存储它之后,我尝试在给定的 URL 上提供文件。我似乎找不到适合这里的方法。我需要使用数据库,因为我使用 Google 应用引
我正在尝试制作一个宏,将下面的公式添加到单元格中,然后将其拖到整个列中并在 H 列中复制相同的公式 我想在 F 和 H 列中输入公式的数据 Range("F1").formula = "=IF(ISE
问题类似于this one ,但我想使用 OperatorPrecedenceParser 解析带有函数应用程序的表达式在 FParsec . 这是我的 AST: type Expression =
我想通过使用 sequelize 和 node.js 将这个查询更改为代码取决于在哪里 select COUNT(gender) as genderCount from customers where
我正在使用GNU bash,版本5.0.3(1)-发行版(x86_64-pc-linux-gnu),我想知道为什么简单的赋值语句会出现语法错误: #/bin/bash var1=/tmp
这里,为什么我的代码在 IE 中不起作用。我的代码适用于所有浏览器。没有问题。但是当我在 IE 上运行我的项目时,它发现错误。 而且我的 jquery 类和 insertadjacentHTMl 也不
我正在尝试更改标签的innerHTML。我无权访问该表单,因此无法编辑 HTML。标签具有的唯一标识符是“for”属性。 这是输入和标签的结构:
我有一个页面,我可以在其中返回用户帖子,可以使用一些 jquery 代码对这些帖子进行即时评论,在发布新评论后,我在帖子下插入新评论以及删除 按钮。问题是 Delete 按钮在新插入的元素上不起作用,
我有一个大约有 20 列的“管道分隔”文件。我只想使用 sha1sum 散列第一列,它是一个数字,如帐号,并按原样返回其余列。 使用 awk 或 sed 执行此操作的最佳方法是什么? Accounti
我需要将以下内容插入到我的表中...我的用户表有五列 id、用户名、密码、名称、条目。 (我还没有提交任何东西到条目中,我稍后会使用 php 来做)但由于某种原因我不断收到这个错误:#1054 - U
所以我试图有一个输入字段,我可以在其中输入任何字符,但然后将输入的值小写,删除任何非字母数字字符,留下“。”而不是空格。 例如,如果我输入: 地球的 70% 是水,-!*#$^^ & 30% 土地 输
我正在尝试做一些我认为非常简单的事情,但出于某种原因我没有得到想要的结果?我是 javascript 的新手,但对 java 有经验,所以我相信我没有使用某种正确的规则。 这是一个获取输入值、检查选择
我想使用 angularjs 从 mysql 数据库加载数据。 这就是应用程序的工作原理;用户登录,他们的用户名存储在 cookie 中。该用户名显示在主页上 我想获取这个值并通过 angularjs
我正在使用 autoLayout,我想在 UITableViewCell 上放置一个 UIlabel,它应该始终位于单元格的右侧和右侧的中心。 这就是我想要实现的目标 所以在这里你可以看到我正在谈论的
我需要与 MySql 等效的 elasticsearch 查询。我的 sql 查询: SELECT DISTINCT t.product_id AS id FROM tbl_sup_price t
我正在实现代码以使用 JSON。 func setup() { if let flickrURL = NSURL(string: "https://api.flickr.com/
我尝试使用for循环声明变量,然后测试cols和rols是否相同。如果是,它将运行递归函数。但是,我在 javascript 中执行 do 时遇到问题。有人可以帮忙吗? 现在,在比较 col.1 和
我举了一个我正在处理的问题的简短示例。 HTML代码: 1 2 3 CSS 代码: .BB a:hover{ color: #000; } .BB > li:after {
我是一名优秀的程序员,十分优秀!