terraform 创建 AD 用户并将其添加到 yml 组中
我们正在尝试使用 terraform 自动化和自助创建特权帐户,用户将使用必要的数据填写 yml 模板,每个新用户一个 yml 文件。 像这样的结构:(此处仅显示相关字段)
user1:
accountname: svc-d-ad-testuser1 # svc-env-app-description
description: testing the creation of accounts in terraform
department: wintel
group_membership:
- Temp-ServerGroup01
- Temp-ServerGroup02
从这些单独的用户 yml 文件中,我们创建一个大的 yml,并且 terraform 会迭代它来创建用户。 效果很好。但随后我们需要将新创建的用户添加到每个用户 group_membership 下列出的 AD 组中。
为此,我们需要新创建用户的 .id
resource ad_group_membership "groups" "group"{
group_id = <groupid>
group_members = <newlycreateduser.id>
}
我们正在尝试制定如何迭代每个用户 group_membership 中的每个组的语法,从 中获取 user.id >resource "ad_user" "u" 在 AD 中创建用户。 我正在查看 output 以某种方式使用 user.id 创建新变量,但变量名需要是动态的,或者我可以创建一个以用户名作为键、以 user.id 作为值的映射?然后与小组一起阅读,不知何故......
任何帮助都非常感谢,即使只是关于使用哪些结构或此类任务的一些示例。 谢谢
更新: local.users 看起来像这样(部分被删除):
{
"user1" = {
"accountname" = "svc-d-ad-testtf1"
"group_membership" = [
"Temp-ServerGroup01-MJW",
]
}
"user2" = {
"accountname" = "svc-d-ad-testtf2"
"group_membership" = [
"Temp-ServerGroup01-MJW",
"Temp-ServerGroup02-MJW",
]
}
}
create ad user:
resource "ad_user" "u" {
for_each = local.users
principal_name = each.value["accountname"]
sam_account_name = each.value["accountname"]
display_name = each.value["accountname"]
initial_password = var.initialpassword # needs to be dynamically generated
container = var.container # OU should be generated based on team/area
description = each.value["description"]
custom_attributes = jsonencode({
"userWorkstations" = each.value["servers"],
"secretary" = [each.value["supportteam"]],
})
}
而 group_membership 是
resource ad_group_membership "group" {
group_id = ad_group.group.id
group_members = [ ad_group.u1.id, ad_user.u2.id ]
}
我需要一种方法来提取组名称并将 user.id 添加到 group_members 列表中,但是用户.id 仅在 ad_user 资源创建用户后才可知。
We are trying to automate and self service privileged account creation with terraform, where the user would fill out a yml template with the necessary data, one yml file per new user.
structure like this: (displaying only relevant fields here)
user1:
accountname: svc-d-ad-testuser1 # svc-env-app-description
description: testing the creation of accounts in terraform
department: wintel
group_membership:
- Temp-ServerGroup01
- Temp-ServerGroup02
From these separate user yml files we are creating one big yml and terraform iterates through that to create the users.
That works fine. But then we would need to add the newly created users to the AD groups listed under each users group_membership.
For this, we need the .id of the newly created user in the
resource ad_group_membership "groups" "group"{
group_id = <groupid>
group_members = <newlycreateduser.id>
}
We are trying to work out the syntax how to iterate through each group in each users group_membership , get the user.id from the resource "ad_user" "u" where the user in AD is created.
I was looking at output to somehow create new variables with the user.id but the variablename needs to be dynamic, or maybe I can create a map with the username as key and user.id as value? And then with the groups read that somehow...
Any help is greatly appreciated, even just on which constructs to use or some example for such a task.
thanks
UPDATE:
local.users look like this (parts stripped out):
{
"user1" = {
"accountname" = "svc-d-ad-testtf1"
"group_membership" = [
"Temp-ServerGroup01-MJW",
]
}
"user2" = {
"accountname" = "svc-d-ad-testtf2"
"group_membership" = [
"Temp-ServerGroup01-MJW",
"Temp-ServerGroup02-MJW",
]
}
}
create ad user:
resource "ad_user" "u" {
for_each = local.users
principal_name = each.value["accountname"]
sam_account_name = each.value["accountname"]
display_name = each.value["accountname"]
initial_password = var.initialpassword # needs to be dynamically generated
container = var.container # OU should be generated based on team/area
description = each.value["description"]
custom_attributes = jsonencode({
"userWorkstations" = each.value["servers"],
"secretary" = [each.value["supportteam"]],
})
}
and group_membership is
resource ad_group_membership "group" {
group_id = ad_group.group.id
group_members = [ ad_group.u1.id, ad_user.u2.id ]
}
I need a way to pull out the group name and add the user.id to the group_members list, but the user.id is only known after the user has been created by the ad_user resource.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论