Azure Authorization Assignment
This page shows how to define an Azure role assignment in Terraform and in Azure Resource Manager templates, and how to write those assignments securely.
azurerm_role_assignment (Terraform)
A role assignment in the Azure Authorization provider can be configured in Terraform with the resource name azurerm_role_assignment. The following sections show examples of how to use the resource and describe its parameters.
Example Usage from GitHub
resource "azurerm_role_assignment" "kubelet_ingressmsi_miop" {
  # Lets each AKS cluster's kubelet identity assign the "ingress" user-assigned
  # identity to pods. Scope is the single identity, not the resource group.
  for_each             = module.caf.aks_clusters
  scope                = module.caf.managed_identities["ingress"].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = each.value.kubelet_identity[0].object_id
}
resource "azurerm_role_assignment" "kubelet_noderg_miop" {
  # Same role, but scoped to the cluster's whole node resource group: the
  # kubelet can then operate on any managed identity placed in that group,
  # which is broader than the per-identity grant above.
  for_each             = var.aks_clusters
  scope                = data.azurerm_resource_group.noderg[each.key].id
  role_definition_name = "Managed Identity Operator"
  principal_id         = local.remote.aks_clusters[each.value.lz_key][each.value.key].kubelet_identity[0].object_id
}
resource "azurerm_role_assignment" "pod-identity-assignment" {
  # Read-only built-in role for a pod identity, limited to one resource group.
  scope                = azurerm_resource_group.resourceGroup.id
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.pod-identity.principal_id
}
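The examples above all come from third-party repositories. The following is an added example, not from any of those projects, that puts an over-broad assignment next to a least-privilege one for the same workload identity. The resource group, identity and storage account names (rg-app-prod, id-app-prod, stappprod001, the "config" container) are assumptions; the storage account name must be globally unique in a real deployment.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "main" {
  name     = "rg-app-prod"  # assumed name
  location = "westeurope"
}

resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-prod"  # assumed name
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
}

resource "azurerm_storage_account" "app" {
  name                     = "stappprod001"  # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Weak: Contributor on the whole subscription for an application identity.
# Anyone who can obtain a token for this identity (a compromised pod, a leaked
# IMDS response) can then modify every resource in the subscription.
# Kept commented out for contrast; do not apply it.
#
# resource "azurerm_role_assignment" "too_broad" {
#   scope                = data.azurerm_subscription.current.id
#   role_definition_name = "Contributor"
#   principal_id         = azurerm_user_assigned_identity.app.principal_id
# }

# Hardened: a data-plane read role, scoped to the one storage account the
# workload actually needs, further limited by an ABAC condition.
resource "azurerm_role_assignment" "blob_reader" {
  scope                = azurerm_storage_account.app.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
  description          = "app-prod workload reads its configuration blobs"

  # Declaring the principal type up front, and skipping the directory lookup,
  # avoids the "principal not found" failure when a freshly created identity
  # has not yet replicated in Azure AD.
  principal_type                   = "ServicePrincipal"
  skip_service_principal_aad_check = true

  # ABAC condition (version 2.0 syntax): blob reads are only allowed inside
  # the "config" container; every other action granted by the role is untouched.
  condition_version = "2.0"
  condition         = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
      )
      OR
      (
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'config'
      )
    )
  EOT
}
```

The design point is that scope and role are chosen together: the narrowest built-in role that covers the operation, at the narrowest resource that needs it, with a condition on top where the role is still wider than the task. If a later change requires a broader grant, the diff on scope or role_definition_name is what review should focus on.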
Parameters
condition
optional - string - ABAC condition expression that further restricts what the assignment allows; requires condition_version.
condition_version
optional - string - Version of the condition syntax (currently "2.0").
description
optional - string - Free-text justification for the assignment; useful during access reviews.
id
optional computed - string - Full resource ID of the assignment.
name
optional computed - string - UUID that identifies the assignment; generated if omitted.
principal_id
required - string - Object ID of the user, group, service principal or managed identity that receives the role.
principal_type
optional computed - string - "User", "Group" or "ServicePrincipal"; set it explicitly for newly created identities to avoid lookup failures.
role_definition_id
optional computed - string - Scoped resource ID of the role definition; use this or role_definition_name.
role_definition_name
optional computed - string - Name of a built-in role (for example "Reader"); use this or role_definition_id.
scope
required - string - Resource ID the assignment applies to (management group, subscription, resource group or individual resource); the smaller the scope, the smaller the blast radius of a compromised principal.
skip_service_principal_aad_check
optional computed - bool - Skip the Azure AD lookup of the principal; needed when a service principal was just created and has not replicated yet.
timeouts
single block - create, read and delete timeouts.
Explanation in Terraform Registry
Assigns a given Principal (User or Group) to a given Role. In practice the principal is just as often a service principal or a managed identity, as the examples above show.
Tips: Best Practices for The Other Azure Authorization Resources
In addition to azurerm_role_assignment, Azure Authorization has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take with them.
azurerm_role_definition
Grant only targeted permissions in custom roles
Avoid giving a role more permissions than its intended task needs, and avoid wildcard actions. Following the principle of least privilege does not stop a credential from leaking, but it limits what an attacker can do with a leaked or stolen one, and keeps the blast radius of any single assignment small.
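As an added example (not code from this page's sources), the following defines a custom role with exactly the actions an on-call automation needs, locks it to one resource group through assignable_scopes, and assigns it to a managed identity. The resource group, role and identity names (rg-ops-prod, "VM Restarter", id-oncall-automation) are assumptions, and the block assumes the azurerm provider is already configured.

```hcl
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "ops" {
  name     = "rg-ops-prod"  # assumed name
  location = "westeurope"
}

# Targeted custom role: the automation only needs to read VM state and
# restart VMs. No wildcard actions, no data-plane actions, and the role
# cannot be assigned anywhere outside this resource group.
resource "azurerm_role_definition" "vm_restarter" {
  name        = "VM Restarter (rg-ops-prod)"  # assumed name
  scope       = azurerm_resource_group.ops.id
  description = "Read VM state and restart VMs; nothing else."

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/instanceView/read",
      "Microsoft.Compute/virtualMachines/restart/action",
    ]
    not_actions  = []
    data_actions = []
  }

  # A role with assignable_scopes wider than its purpose (for example the
  # whole subscription) can later be attached to unrelated resources; pin it.
  assignable_scopes = [azurerm_resource_group.ops.id]
}

resource "azurerm_user_assigned_identity" "oncall" {
  name                = "id-oncall-automation"  # assumed name
  resource_group_name = azurerm_resource_group.ops.name
  location            = azurerm_resource_group.ops.location
}

# Bind the custom role to the automation identity at the same resource group.
# role_definition_id takes the scoped resource ID exported by the definition.
resource "azurerm_role_assignment" "oncall_vm_restart" {
  scope              = azurerm_resource_group.ops.id
  role_definition_id = azurerm_role_definition.vm_restarter.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.oncall.principal_id
  principal_type     = "ServicePrincipal"
}
```

When reviewing a custom role, check three things: every entry in actions maps to an operation the workload actually performs, there are no trailing "/*" wildcards, and assignable_scopes is no wider than the scope of the assignments that will use it.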
Microsoft.Authorization/roleAssignments (Azure Resource Manager)
A role assignment can be configured in an Azure Resource Manager template with the resource type Microsoft.Authorization/roleAssignments. The following sections show how to use the resource and describe its parameters.
Example Usage from GitHub
The excerpt from the source repository repeats the same fragment several times; reassembled, it is the single role-assignment object below. The fragment does not show apiVersion or principalId, so it is not a deployable template on its own. Note that the roleDefinitionId ending in 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 is the built-in Owner role, the broadest grant Azure RBAC offers; an Owner assignment in code should be rare and always justified.
{
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "af976bc5-0274-4870-8442-94daae0d29a1",
  "properties": {
    "roleDefinitionId": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "canDelegate": null,
    "condition": null,
    "conditionVersion": null
  }
}
Parameters
name
required - string - UUID that identifies the assignment.
type
required - string - Microsoft.Authorization/roleAssignments
apiVersion
required - string - API version of the Microsoft.Authorization provider to use.
properties
required - object
roleDefinitionId
required - string - The role definition ID used in the role assignment.
principalId
required - string - The principal ID assigned to the role. This is the object ID in Microsoft Entra ID (Azure AD) and can point to a user, service principal, managed identity, or security group.
Frequently asked questions
What is Azure Authorization Assignment?
Azure Authorization Assignment is a resource in the Authorization area of Microsoft Azure. Its settings can be written in Terraform or in Azure Resource Manager templates.
Where can I find the example code for the Azure Authorization Assignment?
For Terraform, the SamPoddar/caf-terraform-landingzones-starter, Elgeario/Starter and joshfranzen/caf-terraform-landingzones-starter source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the LRuttenCN/cloud-custodian and juggernauthk108/pastebin source code examples are useful. See the Azure Resource Manager Example section for further details.