Terraform: Assign Azure Role

less than 1 minute read

Description

It is very common to need to assign IAM roles at the resource level in Terraform. It takes only a few lines of code:

To Resolve:

  1. Ensure the azuread provider is declared in one of your *.tf files; Terraform does not care which file it lives in (usually backend.tf, providers.tf, or versions.tf):

    provider "azuread" {
      tenant_id     = var.tenant_id
      client_id     = var.client_id
      # Feed this from a variable marked sensitive = true, never a literal in a .tf file
      client_secret = var.client_secret
    }
    
  2. In main.tf, do a data lookup for the group and assign its object_id to principal_id on a role assignment at whatever scope you want. For example, at the resource group level you would do something like:

    # Look up the Azure AD group that will receive the role
    data "azuread_group" "my_group" {
      display_name = "aa_group_name"
    }

    # The resource group whose id becomes the assignment scope
    module "azure_learning_rg" {
      source              = "git::https://github.com/gerryw1389/terraform-modules.git//resource-group?ref=v1.0.0"
      resource_group_name = "aa-${var.env_stage_abbr}-${var.region_abbr}-test-remote"
      location            = var.region
      tags                = local.sbx_tags
    }

    # Assign the built-in Owner role to the group at resource group scope
    resource "azurerm_role_assignment" "owner" {
      scope                = module.azure_learning_rg.id
      role_definition_name = "Owner"
      principal_id         = data.azuread_group.my_group.object_id
    }
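Because this assignment hands Owner on the whole resource group to a group, a useful guard before apply is to scan the plan for privileged built-in roles and route those changes to review. The following is an added example, not code from the original post: it reads the JSON produced by `terraform show -json plan.out` (a constructed sample is embedded) and lists azurerm_role_assignment changes that create or update Owner or User Access Administrator. The set of roles treated as privileged is an assumption.

```python
import json

# Built-in roles that grant broad control of everything under the scope;
# Owner can also delegate access, so these deserve an explicit review gate.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample in the shape of `terraform show -json plan.out`,
# trimmed to the fields this check reads. All IDs are placeholders.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_role_assignment.owner", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"],
                "after": {"role_definition_name": "Owner",
                          "principal_id": "00000000-0000-0000-0000-000000000001"},
                # scope comes from a module output, so it is unknown until apply
                "after_unknown": {"scope": True}}},
    {"address": "azurerm_role_assignment.reader", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"],
                "after": {"role_definition_name": "Reader",
                          "scope": "/subscriptions/0000/resourceGroups/aa-sbx-eus-test-remote",
                          "principal_id": "00000000-0000-0000-0000-000000000002"},
                "after_unknown": {}}},
    {"address": "azurerm_role_assignment.retired", "type": "azurerm_role_assignment",
     "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
]})


def find_privileged_assignments(plan_json):
    """Return role assignments that a plan would create or update with a
    privileged built-in role. Assignments made via role_definition_id carry an
    unknown role_definition_name in the plan and are not matched here."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_role_assignment":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletions and no-ops never add privilege
        after = change.get("after") or {}
        if after.get("role_definition_name") not in PRIVILEGED_ROLES:
            continue
        unknown = change.get("after_unknown") or {}
        findings.append({
            "address": rc["address"],
            "role": after["role_definition_name"],
            # a computed scope is only resolved at apply time
            "scope": "(known after apply)" if unknown.get("scope") else after.get("scope"),
            "principal_id": after.get("principal_id"),
        })
    return findings
```

Run it in CI against the saved plan and fail the job (or require an approval) whenever the returned list is non-empty.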