Hello Azure Gang
I am coming from AWS and quite new to the Azure world and would love to exchange about best practices on Terraform-managed Azure. I am currently trying to figure out the best way to run a rights & roles system on multiple subscriptions in Azure. I have the following requirements in mind:
• a role that can be assumed (by users) to have Contributor access in each of the subscriptions
• a role that can be assumed (by users) to have Owner access in each of the subscriptions
• a role that can be assumed (by Terraform in CI/CD, like DevOps) in each of the subscriptions
I saw HashiCorp recommending using a Service Principal or Managed Identity when running in e.g. Azure DevOps, and authenticating via the Azure CLI for running Terraform locally. So I guess having a Service Principal for my third requirement is the way to go. Still, I have Azure resources in mind that need an initial first local apply. But if I do so while being authenticated via the CLI, my personal user in Azure Active Directory is the Owner of these resources, which I see more as an anti-pattern. Does this mean I should also use a Service Principal to apply Azure resources locally?
Would be lovely if someone can answer my questions or point me in the right direction. Thank you!
I would suggest the following:
• Create one or more management groups which contain your subscriptions and assign eligibility to the Contributor/Owner roles using PIM on the management group scope.
• Use personalized accounts when applying Terraform locally using the az login command so you don’t need to distribute SP credentials. AFAIK, not many Azure resources have the concept of “Owner” in the sense of the person that created the resource.
• If you apply TF in a centralized way (e.g. using Atlantis), use either a managed identity, if the solution Atlantis uses supports it, or an SP, possibly with Conditional Access for Workload Identities enabled.
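The layout suggested above, written out as an added Terraform example (not code from the thread or from any of the projects mentioned): one management group holding the subscriptions, two Entra ID groups for humans that are only PIM-eligible (not permanently assigned) for Contributor and Owner at management group scope, and a CI/CD service principal that authenticates with a federated credential instead of a distributed secret. All subscription IDs, group and application names, the Azure DevOps issuer/subject values and the provider version constraints are placeholders and assumptions; the azurerm_pim_eligible_role_assignment resource requires an Entra ID P2 license and a recent azurerm provider, and the exact form its role_definition_id expects (bare role definition ID versus scope-prefixed) may vary between provider versions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" } # assumed version
    azuread = { source = "hashicorp/azuread", version = "~> 2.47" }  # assumed version
  }
}

provider "azurerm" {
  features {}
}

# Placeholder subscription IDs that should share one role model.
variable "subscription_ids" {
  type = list(string)
  default = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
  ]
}

# One management group; all role assignments below target this scope, so every
# subscription placed under it inherits them.
resource "azurerm_management_group" "landing_zones" {
  display_name     = "landing-zones" # assumed name
  subscription_ids = var.subscription_ids
}

# Humans get group membership, never direct role assignments.
resource "azuread_group" "contributors" {
  display_name     = "lz-contributors" # assumed name
  security_enabled = true
}

resource "azuread_group" "owners" {
  display_name     = "lz-owners" # assumed name
  security_enabled = true
}

locals {
  eligible_roles = {
    contributor = { role = "Contributor", group = azuread_group.contributors.object_id }
    owner       = { role = "Owner", group = azuread_group.owners.object_id }
  }
}

data "azurerm_role_definition" "builtin" {
  for_each = local.eligible_roles
  name     = each.value.role
  scope    = azurerm_management_group.landing_zones.id
}

# PIM eligibility: members must activate the role (time-bound, logged) before
# they hold it. Requires Entra ID P2.
resource "azurerm_pim_eligible_role_assignment" "humans" {
  for_each           = local.eligible_roles
  scope              = azurerm_management_group.landing_zones.id
  role_definition_id = data.azurerm_role_definition.builtin[each.key].id
  principal_id       = each.value.group

  schedule {
    expiration {
      duration_days = 365 # eligibility itself expires and must be renewed
    }
  }
  justification = "Eligible ${each.value.role} on all landing-zone subscriptions"
}

# CI/CD identity for Terraform. Contributor rather than Owner: the pipeline
# deploys resources but must not be able to grant itself or others new roles.
resource "azuread_application" "cicd" {
  display_name = "terraform-cicd" # assumed name
}

resource "azuread_service_principal" "cicd" {
  client_id = azuread_application.cicd.client_id
}

# Workload identity federation: the pipeline exchanges its own OIDC token for an
# Entra token, so no client secret is created or stored anywhere.
resource "azuread_application_federated_identity_credential" "azdo" {
  application_id = azuread_application.cicd.id
  display_name   = "azure-devops-oidc"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://vstoken.dev.azure.com/ORG-ID-PLACEHOLDER"
  subject        = "sc://ORG-PLACEHOLDER/PROJECT-PLACEHOLDER/SERVICE-CONNECTION-PLACEHOLDER"
}

resource "azurerm_role_assignment" "cicd_contributor" {
  scope                = azurerm_management_group.landing_zones.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.cicd.object_id
}
```

The first apply of this file is the "initial local apply" from the question: it is run once by a person signed in with az login, after which every later apply runs under the federated CI/CD principal. Because the Owner and Contributor eligibility is attached to groups at management group scope, adding a subscription to the management group is the only change needed to extend the role model to it.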
Thanks for the quick answer. Regarding your answers:
• Was not aware of PIM in general. Glad to see that there is a role concept. Unfortunately this requires some additional premium Azure licenses, I guess. I will just go with IAM on management group level then.
• Totally agree that distributing credentials for an SP is not nice. Will go with that approach now, even though I don't really like it.
• Thanks for the hint.
It requires a P2 license. I haven’t been on the buying side of this, but ostensibly you only need to assign the license to users that actually use the licensed functionality.