\u6709\u5173\u5de5\u4f5c\u8d1f\u8f7dID\u7684\u7279\u70b9\uff0c\u8bf7\u53c2\u8003\u4ee5\u4e0b\u7684GA\u65f6\u7684\u6587\u7ae0\u3002<\/p>\n
- \u4e00\u822c\u63d0\u4f9b\u958b\u59cb: AKS \u3067\u306e Azure Active Directory \u30ef\u30fc\u30af\u30ed\u30fc\u30c9 ID | Azure \u306e\u66f4\u65b0\u60c5\u5831 | Microsoft Azure<\/ul>\n
\u5efa\u7acb\u73af\u5883<\/h2>\n
\u8fd9\u6b21\u6211\u4eec\u5c06\u4f7f\u7528terraform\u6765\u6784\u5efa\u4e00\u4e2a\u7b80\u5355\u7684\u73af\u5883\u3002\u8bf7\u4fee\u6539terraform\u7684\u672c\u5730\u53d8\u91cf\u4ee5\u66f4\u6539\u90e8\u7f72\u8d44\u6e90\u7684\u540d\u79f0\u3002\u6709\u5173\u8be6\u7ec6\u4fe1\u606f\uff0c\u8bf7\u53c2\u8003”\u5173\u4e8e\u8ba4\u8bc1\u6d41\u7a0b”\u3002<\/p>\n
![\"\u30c7\u30d7\u30ed\u30a4\u30ea\u30bd\u30fc\u30b9\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d238537434c4406c2b0e1\/8-0.png\" "\\"\\"")
<\/div>\n\u642d\u5efa\u73af\u5883\u7684\u6b65\u9aa4<\/h2>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5c06\u4f7f\u7528Azure CloudShell\uff08bash\uff09\u3002CloudShell\u9ed8\u8ba4\u5b89\u88c5\u4e86terraform\u548ckubectl\u3002<\/p>\n
\u8bf7\u5728CloudShell\u4e2d\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff0c\u5e76\u5c06terraform\u4ee3\u7801\u590d\u5236\u5230\u4ee5\u4e0b\u5185\u5bb9\u4e2d\u3002
\n\u8bf7\u6ce8\u610f\uff0c\u6839\u636e\u547d\u4ee4\u4e2d\u7684\u6ce8\u91ca\uff0c\u7b2c\u4e00\u6b21\u6267\u884cterraform apply\u5c06\u4f1a\u5931\u8d25\uff0c\u6240\u4ee5\u8bf7\u518d\u6b21\u6267\u884c\u4ee5\u5c06\u6e05\u5355\u5e94\u7528\u5230AKS\u3002<\/p>\n
# terraform\u30d5\u30a9\u30eb\u30c0\u3092\u4f5c\u6210\u3057\u79fb\u52d5<\/span>\r\nmkdir <\/span>terraform &&<\/span> cd <\/span>terraform\r\n\r\n# terraform\u306e\u5185\u5bb9\u3092\u8cbc\u308a\u4ed8\u3051\u3066\u4fdd\u5b58<\/span>\r\nvi aks-workload-id.tf\r\n\r\n# terraform\u3092\u521d\u671f\u5316\u3057\u3001\u30c7\u30d7\u30ed\u30a4\u5b9f\u884c<\/span>\r\nterraform init &&<\/span> terraform apply\r\n\r\n# 1\u56de\u76ee\u3067\u306fKubernetes Config\u304c\u5b58\u5728\u305b\u305a\u5931\u6557\u3059\u308b\u306e\u3067\u518d\u5b9f\u884c<\/span>\r\nterraform apply\r\n<\/code><\/pre>\n\u8bf7\u770b\u4e0b\u65b9\u6240\u793a\u7684Terraform\u4ee3\u7801\u62f7\u8d1d\u3002<\/p>\n
# \u5fc5\u8981\u306a\u5916\u90e8\u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306e\u5b9a\u7fa9 \u203b\u4eca\u56de\u306fAzApi\u3092\u5229\u7528\u3057\u307e\u3059\u3002<\/span>\r\nterraform<\/span> {<\/span>\r\n required_providers<\/span> {<\/span>\r\n azapi<\/span> =<\/span> {<\/span>\r\n source<\/span> =<\/span> \"azure\/azapi\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\n# \u5404\u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306e\u8a2d\u5b9a<\/span>\r\nprovider<\/span> \"azurerm\"<\/span> {<\/span>\r\n features<\/span> {}<\/span>\r\n}<\/span>\r\nprovider<\/span> \"kubernetes\"<\/span> {<\/span>\r\n config_path<\/span> =<\/span> \"~\/.kube\/config\"<\/span>\r\n}<\/span>\r\nprovider<\/span> \"azapi\"<\/span> {<\/span>\r\n}<\/span>\r\n\r\n# \u30ef\u30fc\u30af\u30ed\u30fc\u30c9ID\u95a2\u9023\u3067\u5229\u7528\u3059\u308b\u30ed\u30fc\u30ab\u30eb\u5909\u6570\u3092\u5b9a\u7fa9<\/span>\r\nlocals<\/span> {<\/span>\r\n resource_group_name<\/span> =<\/span> \"example\"<\/span>\r\n resource_group_locaiton<\/span> =<\/span> \"Japan East\"<\/span>\r\n\r\n aks_name<\/span> =<\/span> \"example-aks\"<\/span>\r\n aks_dns_prefix<\/span> =<\/span> \"exampleaks\"<\/span>\r\n\r\n service_account_name<\/span> =<\/span> \"workload-identity-sa\"<\/span>\r\n service_account_namespace<\/span> =<\/span> \"default\"<\/span>\r\n user_assigned_identity_name<\/span> =<\/span> \"myIdentity\"<\/span>\r\n federated_identity_credential_name<\/span> =<\/span> \"myFedIdentity\"<\/span>\r\n\r\n kubernetes_pod_name<\/span> =<\/span> \"test-pod\"<\/span>\r\n kubernetes_container_name<\/span> =<\/span> \"test\"<\/span>\r\n \r\n openai_account_name<\/span> =<\/span> \"example-openai\"<\/span>\r\n gpt_35_turbo_deploy_name<\/span> =<\/span> \"chatgpt\"<\/span>\r\n gpt_35_turbo_model_version<\/span> =<\/span> \"0613\"<\/span>\r\n}<\/span>\r\n\r\n# \u30ea\u30bd\u30fc\u30b9\u30b0\u30eb\u30fc\u30d7\u3092\u4f5c\u6210<\/span>\r\nresource<\/span> \"azurerm_resource_group\"<\/span> \"example\"<\/span> {<\/span>\r\n name<\/span> =<\/span> local<\/span>.<\/span>resource_group_name<\/span>\r\n location<\/span> =<\/span> local<\/span>.<\/span>resource_group_locaiton<\/span>\r\n}<\/span>\r\n\r\n# AKS\u306e\u4f5c\u6210<\/span>\r\nresource<\/span> \"azurerm_kubernetes_cluster\"<\/span> \"example\"<\/span> {<\/span>\r\n name<\/span> =<\/span> local<\/span>.<\/span>aks_name<\/span>\r\n location<\/span> =<\/span> azurerm_resource_group<\/span>.<\/span>example<\/span>.<\/span>location<\/span>\r\n resource_group_name<\/span> =<\/span> azurerm_resource_group<\/span>.<\/span>example<\/span>.<\/span>name<\/span>\r\n dns_prefix<\/span> =<\/span> local<\/span>.<\/span>aks_dns_prefix<\/span>\r\n oidc_issuer_enabled<\/span> =<\/span> true<\/span> # OIDC issuer\u3092\u6709\u52b9\u5316 <\/span>\r\n workload_identity_enabled<\/span> =<\/span> true<\/span> # \u30ef\u30fc\u30af\u30ed\u30fc\u30c9ID\u3092\u6709\u52b9\u5316<\/span>\r\n\r\n default_node_pool<\/span> {<\/span>\r\n name<\/span> =<\/span> \"default\"<\/span>\r\n node_count<\/span> =<\/span> 1<\/span>\r\n vm_size<\/span> =<\/span> \"Standard_D2_v2\"<\/span>\r\n }<\/span>\r\n\r\n identity<\/span> {<\/span>\r\n type<\/span> =<\/span> \"SystemAssigned\"<\/span>\r\n }<\/span>\r\n\r\n # \u30c7\u30d7\u30ed\u30a4\u5f8c\u3001Kubernetes Config\u3092\u4f5c\u6210<\/span>\r\n provisioner<\/span> \"local-exec\"<\/span> {<\/span>\r\n command<\/span> =<\/span> \"az aks get-credentials -n <\/span>${<\/span>self<\/span>.<\/span>name<\/span>}<\/span> -g <\/span>${<\/span>azurerm_resource_group<\/span>.<\/span>example<\/span>.<\/span>name<\/span>}<\/span>\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n\r\n# \u30e6\u30fc\u30b6\u5272\u5f53\u30de\u30cd\u30fc\u30b8\u30c9ID\u306e\u4f5c\u6210<\/span>\r\nresource<\/span> \"azurerm_user_assigned_identity\"<\/span> \"example\"<\/span> {<\/span>\r\n name<\/span> =<\/span> local<\/span>.<\/span>user_assigned_identity_name<\/span>\r\n location<\/span> =<\/span> azurerm_resource_group<\/span>.<\/span>example<\/span>.<\/span>location<\/span>\r\n resource_group_name<\/span> =<\/span> azurerm_resource_group<\/span>.<\/span>example<\/span>.<\/span>name<\/span>\r\n}<\/span>\r\n\r\n# Kubernetes\u306e\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u4f5c\u6210<\/span>\r\nresource<\/span> \"kubernetes_service_account\"<\/span> \"example\"<\/span> {<\/span>\r\n depends_on<\/span> =<\/span> [<\/span>azurerm_kubernetes_cluster<\/span>.<\/span>example<\/span>]<\/span>\r\n\r\n metadata<\/span> {<\/span>\r\n name<\/span> =<\/span> local<\/span>.<\/span>service_account_name<\/span>\r\n namespace<\/span> =<\/span> local<\/span>.<\/span>service_account_namespace<\/span>\r\n annotations<\/span> =<\/span> {<\/span>\r\n \"azure.workload.identity\/client-id\"<\/span> =<\/span> azurerm_user_assigned_identity<\/span>.<\/span>example<\/span>.<\/span>client_id<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\n\r\n# \u30d5\u30a7\u30c7\u30ec\u30fc\u30b7\u30e7\u30f3 ID \u8cc7\u683c\u60c5\u5831\u3092\u8a2d\u5b9a<\/span>\r\nresource<\/span> \"azurerm_federated_identity_credential\"<\/span> \"example\"<\/span> {<\/span>\r\n depends_on<\/span> =<\/span> [<\/span>