https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_runbook
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_schedule
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
- files/runbook/script.ps1
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
workflow Run-hoge { inlineScript { Install-Module -Name Az -Force -AllowClobber -Scope CurrentUser Import-Module Az -Force -AllowClobber Install-PackageProvider -Name NuGet -Force Connect-AzAccount -Identity $rgName = "hoge" $vmName = "hoge" Start-AzVM -ResourceGroupName $rgName -Name $vmName } } |
- automation.tf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
resource "azurerm_automation_account" "hoge" { name = "hoge-automation" location = azurerm_resource_group.hoge.location resource_group_name = azurerm_resource_group.hoge.name sku_name = "Basic" identity { type = "SystemAssigned" } } resource "azurerm_role_assignment" "hoge" { principal_id = azurerm_automation_account.hoge.identity[0].principal_id role_definition_name = "Contributor" scope = azurerm_resource_group.hoge.id } resource "azurerm_automation_runbook" "hoge" { name = "Run-hoge" location = azurerm_resource_group.hoge.location resource_group_name = azurerm_resource_group.hoge.name automation_account_name = azurerm_automation_account.hoge.name log_verbose = "true" log_progress = "true" description = "runbook hoge" runbook_type = "PowerShellWorkflow" content = file("files/runbook/script.ps1") } resource "azurerm_automation_schedule" "hoge" { name = "runbook-schedule" resource_group_name = azurerm_resource_group.hoge.name automation_account_name = azurerm_automation_account.hoge.name frequency = "Week" interval = 1 timezone = "Asia/Tokyo" start_time = "2023-12-27T14:00:00+09:00" week_days = ["Wednesday"] } |
Automation側のスケジュールは設定されているが、Runbookのスケジュールは手動で紐付けること。
グループユーザーを作成してVMの起動と停止のみコンソールで操作させる
もしくは利用するメンバーのアカウントとユーザーグループを作成して、対象のVMを起動と停止できるようにロールをユーザーに紐付けるのも良さそう。
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/user
- user.tf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
locals { users = [ { name = "adachindayo", display_name = "adachin", groups = [azuread_group.hoge] }, ] } locals { users_by_group = flatten([ for user in local.users : [ for group in user.groups : { user_name = user.name group_name = lower(group.display_name) group_id = group.id } ] ]) } resource "azuread_user" "user" { for_each = { for user in local.users : user.name => user } user_principal_name = "${each.value.name}@hoge.com" display_name = each.value.display_name usage_location = "JP" password = can(each.value.password) ? each.value.password : "hoge" force_password_change = can(each.value.password) ? true : false lifecycle { ignore_changes = [ password, force_password_change, other_mails, preferred_language, show_in_address_list, given_name, surname, mobile_phone, ] } } resource "azuread_group_member" "member" { for_each = { for ug in local.users_by_group : "${ug.group_name}.${ug.user_name}" => ug } group_object_id = each.value.group_id member_object_id = azuread_user.user[each.value.user_name].id } |
- group.tf
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
resource "azuread_group" "hoge" { display_name = "hoge" security_enabled = true } resource "azurerm_role_definition" "hoge" { name = "hoge" scope = "/subscriptions/xxxxxxxxxx/resourceGroups/hoge" permissions { actions = [ "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/loadBalancers/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Compute/virtualMachines/*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/deallocate/action" ] data_actions = [ "Microsoft.Compute/virtualMachines/login/action" ] not_actions = [] } assignable_scopes = [ "/subscriptions/xxxxxxxxxx/resourceGroups/hoge" ] } resource "azurerm_role_assignment" "hoge" { scope = "/subscriptions/xxxxxxxxxx/resourceGroups/hoge" role_definition_name = azurerm_role_definition.hoge.name principal_id = azuread_group.hoge.id } |
Was this helpful?
0 / 0
1989年生まれのFindy/SRE。ホスティングから大規模なアドテクなどのインフラエンジニアとして携わる。現在はサービスの信頼性向上、DevOps、可用性、レイテンシ、パフォーマンス、モニタリング、オブザーバビリティ、緊急対応、AWSでのインフラ構築、Docker開発環境の提供、IaC、新技術の検証、リファクタリング、セキュリティ強化などを担当している。個人事業主では数社サーバー保守とベンチャー企業のSREインフラコンサルティングやMENTAで未経験者にインフラのコーチング/コミュニティの運用を実施している。また、「脆弱性スキャナVuls」のOSS活動もしており、自称エバンジェリスト/技術広報/テクニカルサポート/コントリビュータでもある。