0
votes

I want to assign a managed identity access to an application role using Terraform.

I found a similar procedure, but it uses PowerShell. I want to do that with Terraform.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell

resource "azuread_application_app_role" "AppRole1" {
  application_object_id = azuread_application.ResourceController.id
  allowed_member_types  = ["Application"]
  description           = "All access"
  display_name          = "All access"
  is_enabled            = true
  value                 = "All"
}

resource "azurerm_role_assignment" "assignment1" {
  principal_id       = data.azuread_service_principal.website.id # This is a managed identity.
  role_definition_id = azuread_application_app_role.AppRole1.id
  scope              = azuread_application.ResourceController.id # ???
}

What should I specify in the scope field, or isn't this possible with Terraform?

2 Answers

1
votes

The scope is the ID of the resource to which you want to assign the managed identity with the role. For example, if you want to assign the managed identity to a VM with the role you created, then the scope is the VM resource ID, like this:

"/subscriptions/subscription_id/resourceGroups/group_name/providers/Microsoft.Compute/virtualMachines/vm_name"

0
votes

It might be impossible with the current Terraform Azure provider.

I found this comment on a GitHub issue.

azurerm_role_assignment can be used only to assign a role to Subscription Resources.

https://github.com/terraform-providers/terraform-provider-azurerm/issues/6557#issuecomment-658154929
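The thread touches two different authorization mechanisms that are easy to confuse: an Azure AD application role assignment (the object the linked PowerShell procedure creates in the directory) and an Azure RBAC role assignment (what azurerm_role_assignment creates, scoped to an ARM resource ID as the first answer describes). The following configuration is an added example, not code from either answer or from the provider projects, and shows both side by side. It assumes the azuread provider 2.x, where the resource azuread_app_role_assignment exists (it was not available in the 1.x versions current when the GitHub comment was written), the azurerm provider 3.x, and hypothetical names: an API application "ResourceController" that defines the "All" app role, a system-assigned managed identity whose service principal is named "website", and a VM called vm_name in resource group group_name.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

# --- Azure AD side: the API application that defines the app role ---
# Hypothetical application, modelled on the question's "ResourceController".
resource "azuread_application" "resource_controller" {
  display_name = "ResourceController"

  # In azuread 2.x app roles are declared inline on the application.
  app_role {
    allowed_member_types = ["Application"] # only service principals (incl. managed identities) may hold it
    description          = "All access"
    display_name         = "All access"
    enabled              = true
    id                   = "00000000-0000-0000-0000-000000000001" # placeholder role GUID; generate your own
    value                = "All"
  }
}

# App-role assignments target the API's service principal, not its application object.
resource "azuread_service_principal" "resource_controller" {
  application_id = azuread_application.resource_controller.application_id
}

# The managed identity. A system-assigned identity shows up in the directory as a
# service principal named after its resource ("website" is a hypothetical name).
data "azuread_service_principal" "website" {
  display_name = "website"
}

# Azure AD app-role assignment: grants the managed identity the "All" role on the API.
# This is the directory-level grant the linked PowerShell procedure performs.
resource "azuread_app_role_assignment" "website_all" {
  app_role_id         = azuread_application.resource_controller.app_role_ids["All"]
  principal_object_id = data.azuread_service_principal.website.object_id
  resource_object_id  = azuread_service_principal.resource_controller.object_id
}

# --- Azure RBAC side: what azurerm_role_assignment is for ---
# The scope is an ARM resource ID. Keep it as narrow as the workload needs:
# a single VM here rather than the resource group or subscription.
data "azurerm_virtual_machine" "vm" {
  name                = "vm_name"    # hypothetical
  resource_group_name = "group_name" # hypothetical
}

resource "azurerm_role_assignment" "website_reader_on_vm" {
  scope                = data.azurerm_virtual_machine.vm.id
  role_definition_name = "Reader" # built-in Azure RBAC role, not an Azure AD app role
  principal_id         = data.azuread_service_principal.website.object_id
}
```

The two assignments are independent grants: the app-role assignment is what the API checks in the token's roles claim, while the RBAC assignment only controls what the identity may do against the VM through Azure Resource Manager. The principal running terraform needs permission to write app-role assignments in the directory (the Microsoft Graph permission AppRoleAssignment.ReadWrite.All, or an equivalent directory role) for the azuread_app_role_assignment resource to apply.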