Assign Role to Azure Entra ID (AD) User with Terraform
Azure Role-Based Access Control (RBAC) is a powerful feature that allows you to manage access to Azure resources. With Azure RBAC, you can grant specific permissions to users, groups, or applications, ensuring they have the right level of access to Azure resources. Terraform, an Infrastructure as Code (IaC) tool, can help you automate and manage Azure RBAC role assignments efficiently. In this blog post, we’ll explore the importance of Azure RBAC and guide you through how to manage role assignments using Terraform.

Why Use Azure RBAC?
Azure RBAC offers several key benefits:
- Granular Access Control
- Security
- Compliance
- Efficiency
Step 2
In the Azure Portal, navigate to "Azure Active Directory", then click "App Registrations". Click your Service Principal (or create "New Registration").
Step 3
Under "Essentials", copy the Application (client) ID and the Directory (tenant) ID; these are the client_id and tenant_id used below.
- Application (client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- Directory (tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Step 4
Navigate to your configuration (e.g., main.tf) and pass client_id, tenant_id, client_certificate_path and client_certificate_password to both the AzureRM and the AzureAD provider, like this (the AzureRM provider also requires an empty features block):
provider "azurerm" {
  features {}
  client_certificate_path     = var.client_certificate_path
  client_certificate_password = var.client_certificate_password
  client_id                   = var.client_id
  tenant_id                   = var.tenant_id
  subscription_id             = var.subscription_id
}
provider "azuread" {
  client_certificate_path     = var.client_certificate_path
  client_certificate_password = var.client_certificate_password
  client_id                   = var.client_id
  tenant_id                   = var.tenant_id
}
Step 5
Write the Terraform code in main.tf as follows (input variables are declared with the variable keyword; the certificate password is marked sensitive so it is redacted from plan and apply output):
variable "client_certificate_path" {
  type        = string
  description = "To pass client_certificate_path with terraform command line arguments"
}
variable "client_certificate_password" {
  type        = string
  description = "To pass client_certificate_password with terraform command line arguments"
  sensitive   = true
}
variable "client_id" {
  type        = string
  description = "To pass client_id with terraform command line arguments"
}
variable "tenant_id" {
  type        = string
  description = "To pass tenant_id with terraform command line arguments"
}
variable "subscription_id" {
  type        = string
  description = "To pass subscription_id with terraform command line arguments"
}
# data "azurerm_subscription" fetches the ID of the subscription the provider is signed in to
data "azurerm_subscription" "primary" {
}
# data "azuread_user" looks up the user and exposes its object ID
data "azuread_user" "example" {
  user_principal_name = "testuser@atgensoft.com"
}
# The built-in Reader role is assigned to the user's object ID at subscription scope
resource "azurerm_role_assignment" "example" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_user.example.object_id
}
Step 6
Run the Terraform commands below to initialise the working directory and create the role assignment:
terraform init
terraform apply --var=client_certificate_path="PFX_FILE_PATH" --var=client_certificate_password="CLIENT_CERT_PASS" --var=client_id="CLIENT_ID" --var=tenant_id="TENANT_ID" --var=subscription_id="SUBSCRIPTION_ID"
The same values can also be supplied through TF_VAR_<name> environment variables (for example TF_VAR_client_certificate_password), which keeps the certificate password out of the shell history.
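Before running terraform apply, it is worth checking what the plan is about to grant: the assignment above is at subscription scope, and the same pattern with Owner or Contributor would hand out broad rights. The following script is an added example (not part of the original post) that reads the JSON produced by terraform show -json on a saved plan and flags azurerm_role_assignment resources whose scope is a whole subscription or management group, or whose scope is not yet known; the sample plan embedded in it is constructed with a placeholder subscription ID.

```python
import json
import re

# Roles whose grant at subscription or management-group scope deserves review.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope strings that cover a whole subscription or a whole management group.
BROAD_SCOPE = re.compile(
    r"^(/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)/?$", re.I)


def find_broad_assignments(plan_json: str) -> list:
    # plan_json is the output of `terraform show -json <planfile>`.
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_role_assignment":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op, read or delete: nothing new is being granted
        after = change.get("after") or {}
        scope = after.get("scope")
        role = after.get("role_definition_name") or after.get("role_definition_id") or "?"
        if scope is None:
            # Scope is only known at apply time (listed under after_unknown): flag for review.
            sev = "review"
        elif BROAD_SCOPE.match(scope):
            sev = "high" if role in PRIVILEGED_ROLES else "medium"
        else:
            continue  # resource-group or resource scope: nothing to report
        findings.append({"address": rc["address"], "role": role, "scope": scope, "severity": sev})
    return findings


# Constructed sample in the plan-JSON shape; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_role_assignment.example", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"], "after": {"scope": SUB, "role_definition_name": "Reader"}}},
    {"address": "azurerm_role_assignment.ops", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"],
                "after": {"scope": SUB + "/resourceGroups/rg-app", "role_definition_name": "Contributor"}}},
    {"address": "azurerm_role_assignment.admin", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"], "after": {"scope": SUB, "role_definition_name": "Owner"}}},
    {"address": "azurerm_role_assignment.late", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"], "after": {"role_definition_name": "Reader"}, "after_unknown": {"scope": True}}},
]})

if __name__ == "__main__":
    for f in find_broad_assignments(SAMPLE_PLAN):
        print(f"{f['severity']:>6}  {f['address']}: {f['role']} at {f['scope'] or '<unknown until apply>'}")
```

To run it against a real plan, save one with terraform plan -out=tfplan and pass the output of terraform show -json tfplan to find_broad_assignments.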
Summary and Conclusions
You can refer to the complete code at Assign Role to Azure AD User.
Author

Sagar Mehta is Atgen Software Solutions Founder and a recognised expert in the field of Intelligent Automation, including Robotic Process Automation, Workload Automation, DevOps, SRE and Advanced Analytics. Sagar advocates a pragmatic approach to Automation, encouraging a policy of using ‘the best tool for the job’.
Prior to co-founding Atgen Software Solutions, Sagar worked in Senior Automation roles, architecting and delivering robust, scalable solutions for many of the world’s biggest banks and working with leading Automation vendors. He developed his first automated solution in 2006 and has continued to deliver robust, scalable and sophisticated Automation ever since.
Sagar is a regular guest speaker and panellist at Automation seminars, conferences and user group events.