0
votes

What are the best practices when using Terraform to provision infrastructure on Azure? We are struggling to decide between two variants:

  • Create one service principal for Terraform and give it Owner rights on the whole subscription so it can create resource groups for each environment and assign roles to service principals on resources.
  • Create resource groups and service principals for each environment manually and assign Terraform's service principal Owner rights on only the resource group.

The first option is more convenient, but I'm worried about security concerns when giving Terraform Owner rights on the subscription level.

What would be the best solution?

1

1 Answer

0
votes

When you worry about security, there should be a limit to your requirements. If you want to create resources only in one resource group or a series of resource groups, and then control everything in them, I'd suggest you create a service principal and assign it the Owner role on that resource group or those groups, not the whole subscription. That is the best way for security: you still have all the rights to control the resources in that group or groups, but the scope is limited to them.

Assigning the Owner role on the whole subscription is not secure; you know, somebody will make a mistake sometimes.
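As an added example (not code from the question or the answer), here is what the second variant looks like when the "manual" bootstrap step is itself written in Terraform and run once from an identity that already has Owner on the subscription. It creates a resource group and a service principal per environment and assigns Owner scoped to the resource group id rather than the subscription id; the per-environment workspace then authenticates as that scoped principal. The two files are shown one after the other. Assumptions: azurerm provider 4.x and azuread provider 3.x, the environment names `dev`/`test`/`prod`, the `rg-<env>` and `sp-terraform-<env>` naming, and the region `westeurope`; none of these come from the original post.

```hcl
# bootstrap/main.tf
# Run once, from an identity that already has Owner on the subscription, to create
# the per-environment resource group, service principal, and a role assignment
# whose scope is the resource group only.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

provider "azuread" {}

variable "subscription_id" { type = string }
variable "environments" {
  type    = set(string)
  default = ["dev", "test", "prod"] # assumed environment names
}

resource "azurerm_resource_group" "env" {
  for_each = var.environments
  name     = "rg-${each.key}" # assumed naming convention
  location = "westeurope"     # assumed region
}

resource "azuread_application" "tf" {
  for_each     = var.environments
  display_name = "sp-terraform-${each.key}"
}

resource "azuread_service_principal" "tf" {
  for_each  = var.environments
  client_id = azuread_application.tf[each.key].client_id
}

resource "azuread_service_principal_password" "tf" {
  for_each             = var.environments
  service_principal_id = azuread_service_principal.tf[each.key].id
}

# The line that matters: scope is the resource group id, not
# data.azurerm_subscription.current.id. Owner still includes
# Microsoft.Authorization/roleAssignments/write, so the dev principal can grant
# roles to other principals, but only on resources under rg-dev.
resource "azurerm_role_assignment" "tf_owner" {
  for_each             = var.environments
  scope                = azurerm_resource_group.env[each.key].id
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.tf[each.key].object_id
}

output "client_ids" {
  value = { for k, sp in azuread_service_principal.tf : k => sp.client_id }
}

output "client_secrets" {
  value     = { for k, pw in azuread_service_principal_password.tf : k => pw.value }
  sensitive = true
}

# environments/dev/providers.tf
# The per-environment workspace authenticates as the scoped principal. A
# resource-group-scoped principal cannot register resource providers (that is a
# subscription-level write), so the provider must be told not to try, or the
# first apply fails with an authorization error.
provider "azurerm" {
  features {}
  subscription_id                 = var.subscription_id
  tenant_id                       = var.tenant_id
  client_id                       = var.client_id
  client_secret                   = var.client_secret
  resource_provider_registrations = "none"
}
```

Two consequences of this layout are worth knowing before choosing it. The scoped principal cannot create or delete its own resource group, so the group has to exist before the environment workspace runs (which is exactly what the second variant in the question describes). And the client secrets land in the bootstrap state file; if the environment workspaces run from a CI system that supports OpenID Connect, replacing `client_secret` with `use_oidc = true` and a federated credential on the application avoids storing any long-lived secret at all.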