My Digital Garden

Setting up Azure IAM role assignments with Terraform

Setting up Azure IAM role assignments with Terraform

The modern security model for Azure uses RBAC assignments to control access to resources.

When deploying an infrastructure using Terraform it is therefore necessary to create RBAC role assignments to allow different services within the infrastructure to talk to each other - for example to give a Function App access to an Azure Service Bus Queue

This is potentially a challenge to combine with Continuous Deployment and Principle of least privilege, as it requires the Service Principal under which Terraform is running to have Owner privileges at the relevant scope.

A possible approach - mixed manual and automated deployment

If the Terraform Service Principal is not going to be given Owner rights at subscription level (a sensible precaution) then deployment needs to be done in two stages:

  • deploy a Resource Group for the infrastructure
  • manually grant Owner at Resource Group level to the Terraform Service Principal
  • build out and deploy the rest of the model

Another possible approach - different methods for development and production

This response suggests not using a Service Principal in development, rather allowing individual developers to deploy their own versions of the test infrastructure using their own credentials, then using a carefully-controlled Service Principal within a CI-CD Pipeline to make fully automated deployments to production in response to Github changes on a master branch.

Potential disadvantages of this approach would be lack of shared state in Test/Dev(and by implication) multiple Test/Dev environments


It's impossible to lay down a hard and fast solution to this problem, as it has to be designed within the security context of the organisation.