
I have written Terraform for creating the user, resource group, and role definition.

I need the scope of the role definition to be the resource group that I created.

I don't know how to do that. It would be great if someone could help on this.

########### for creating user ####

# Configure the Azure Provider
provider "azurerm" {
  version         = "~> 1.30"
  subscription_id = "723604be-b74b-4473-9d11-1802dbfdb787"
}

provider "azuread" {
  version         = "~> 0.4"
  subscription_id = "723604be-b74b-4473-9d11-1802dbfdb787"
}

resource "azuread_user" "test" {
  user_principal_name = "[email protected]"
  display_name        = "User1"
  mail_nickname       = "User1"
  password            = "Muneeshpandi@17"
  force_password_change = "false"
}

##### creating resource group #####

resource "azurerm_resource_group" "terraform_rg" {
  name     = "user1_rgp"
  location = "East US"
}

########## creating role definition ##########

data "azurerm_subscription" "primary" {}

resource "azurerm_role_definition" "sql_role" {
  name        = "sql_role"
  scope       = "data.azurerm_subscription.primary.id"
  description = "This is a custom role to create sql database"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    "/subscriptions/723604be-b74b-4473-9d11-1802dbfdb787/resourceGroups/user1_rgp"
  ]
}

I get the following error while executing the above code:

Error: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."

How do I make the scope of a custom role a resource group in Azure?


1 Answer


To create a custom role for the resource group, you need to have the permission Microsoft.Authorization/roleDefinitions/write, and to assign the custom role to a user, you need to have the permission Microsoft.Authorization/roleAssignments/write. The simplest way is to have the Owner role on the subscription.

And to create an Azure AD user:

To add or delete users you must be a User administrator or Global administrator.

When you have all the needed permissions, let's focus on your code. You also need to assign the custom role to the user you created, with the scope of the resource group. Then you can change the code like this:

resource "azurerm_role_definition" "sql_role" {
  name        = "sql_role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role to create sql database"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id
  ]
}

resource "azurerm_role_assignment" "example" {
  scope              = azurerm_resource_group.terraform_rg.id
  role_definition_id = azurerm_role_definition.sql_role.id
  principal_id       = azuread_user.test.id
}

If you only want the custom role available for the resource group, you can change the assignable_scopes to the resource group Id, azurerm_resource_group.terraform_rg.id.
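As an added example (not code from the question or the answer above), here is the variant the last sentence describes: the role definition's scope and assignable_scopes are both the resource group created in the question, the role is assigned to the new user at that same scope, and the permissions are narrowed from actions = ["*"] to the Microsoft.Sql actions the role's description implies. The exact action list is an assumption about what "create sql database" needs; adjust it to your case.

```hcl
# Added example, not from the original post: a custom role that can only be
# assigned within one resource group, granted to the user created above.
resource "azurerm_role_definition" "sql_role_rg" {
  name        = "sql_role_rg"
  scope       = azurerm_resource_group.terraform_rg.id  # resource group, not the subscription
  description = "Custom role to create SQL databases in one resource group"

  permissions {
    # Least privilege instead of actions = ["*"]; assumed set, adjust as needed
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Sql/servers/read",
      "Microsoft.Sql/servers/databases/read",
      "Microsoft.Sql/servers/databases/write",
    ]
    not_actions = []
  }

  # The role can only be assigned at (or below) this resource group
  assignable_scopes = [
    azurerm_resource_group.terraform_rg.id,
  ]
}

# Grant the role to the Azure AD user at the resource group scope
resource "azurerm_role_assignment" "sql_role_rg_user" {
  scope              = azurerm_resource_group.terraform_rg.id
  role_definition_id = azurerm_role_definition.sql_role_rg.id
  principal_id       = azuread_user.test.id
}
```

Note that scope and assignable_scopes must be unquoted references so Terraform passes the real ARM resource Id; the quoted "data.azurerm_subscription.primary.id" in the question is sent to Azure as a literal string, which is what produces the 404 MissingSubscription error.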