
qbeyond/terraform-azurerm-alz-rbac


Module


This Terraform module creates Azure AD groups and role assignments for management groups and subscriptions. It is specifically designed to work in the governance module that is created by the prerequisites oneshot deployment.

The module creates default groups (Owner, Contributor and Reader) and the matching role assignments for each specified subscription and management group. Group names are generated automatically: the prefix SUB_ is used for subscriptions and AMG_ for management groups, and the role name is appended as a suffix.

The Contributor and Owner groups created for subscriptions and management groups are automatically enabled for Privileged Identity Management (PIM), so that membership in these privileged groups can be granted as eligible, time-bound assignments instead of permanent membership.

The custom_groups input variable allows you to define additional groups and their role assignments, including the ability to enable Privileged Identity Management (PIM) for those groups.

TODO: there is currently no stage variable to skip the PIM configuration, so this module will run into errors in tenants without an Azure AD Premium (P2) license, which PIM requires.

Important: the management_groups variable reuses the structure of the custom_landing_zone variable from the CAF module.

Usage

provider "azurerm" {
  features {}
}

# The subscription the provider is authenticated against; this example
# manages only that one subscription.
data "azurerm_subscription" "current" {
}

locals {
  # Subscription display name -> subscription ID.
  subscriptions_map = {
    (data.azurerm_subscription.current.display_name) = data.azurerm_subscription.current.subscription_id
  }
  # Management group ID -> settings (same structure as custom_landing_zones in the CAF module).
  managements_map = {
    "new" = {
      display_name = "New"
    }
  }
}

module "alz_rbac" {
  source = "../../"

  subscriptions     = local.subscriptions_map
  management_groups = local.managements_map

  # Additional group that gets Owner on the "alz" management group. It is
  # marked role-assignable so that Azure AD roles can also be assigned to it.
  custom_groups = {
    "AMG_ALZ_OWNER" = {
      azuread_role_assignable = true
      role_assignments = {
        "Owner" = ["mg:alz"]
      }
    }
  }
}

Requirements

Name Version
azuread ~> 2.39.0
azurerm >= 3.63.0

Inputs

custom_groups
Description: additional Azure AD groups and their role assignments.
"<group_name>" = {
  azuread_role_assignable = optional(bool)   (set to true if you want to assign Azure AD roles to the group)
  role_assignments = {
    "<role>" = [                             (must be a role_definition_name or role_definition_id from Azure)
      "<scope>"                              (every element must be a scope: "mg:<mg_id>", "sub:<subscription_id>", "root" for the Tenant Root Group, or a full scope ID)
    ]
  }
}
Type:
map(object({
  azuread_role_assignable = optional(bool)
  role_assignments        = map(list(string))
}))
Default: {}
Required: no

management_groups
Description: management groups to create the default groups and assignments for. This variable reuses the structure of the management groups for custom_landing_zones from the CAF module.
"<management_group_id>" = {
  display_name = "<management_group_name>"
}
Type:
map(object({
  display_name = string
}))
Default: {}
Required: no

subscriptions
Description: mapping of subscription names to subscription IDs.
Type: map(string)
Default: {}
Required: no
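The naming convention and the scope syntax above are the whole contract of this module, so it is worth being able to compute the expected groups and assignments outside Terraform and diff them against what the tenant actually has (for example, to catch an Owner grant made directly to a user on a management group the module owns). The following Python script is an added example, not code from the qbeyond/terraform-azurerm-alz-rbac module. It assumes things the README does not state: that default group names have the form <PREFIX>_<KEY>_<ROLE> in upper case (matching the AMG_ALZ_OWNER style of the usage snippet), that "root" resolves to the management group whose ID equals the tenant ID (the Tenant Root Group), and that management group IDs follow the ARM naming rules (letters, digits, -_.() and at most 90 characters). The sample inputs and the observed state are constructed inline; in practice the observed list would be the parsed output of az role assignment list --all -o json.

```python
"""Expected-state model and drift check for the groups/assignments this module
lays out. Added example, not code from qbeyond/terraform-azurerm-alz-rbac.
Assumptions not stated on the page: group names are "<PREFIX>_<KEY>_<ROLE>"
upper-cased; "root" is the management group whose ID is the tenant ID;
management group IDs follow the ARM naming rules."""
import re
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MG_ID = re.compile(r"^[A-Za-z0-9._()\-]{1,90}$")  # assumed ARM naming rules
DEFAULT_ROLES = ("Owner", "Contributor", "Reader")
PIM_ROLES = frozenset({"Owner", "Contributor"})  # default groups the module PIM-enables


@dataclass(frozen=True)
class Assignment:
    principal: str  # group display name (or user, when taken from observed state)
    role: str       # role definition name, e.g. "Owner"
    scope: str      # full ARM scope ID


def resolve_scope(spec: str, tenant_id: str) -> str:
    """Expand "mg:<id>", "sub:<guid>", "root" or a full scope ID into a full ARM
    scope ID; reject anything else so a typo cannot become a grant elsewhere."""
    if spec == "root":
        return MG_PREFIX + tenant_id
    if spec.startswith("mg:"):
        mg_id = spec[len("mg:"):]
        if not MG_ID.match(mg_id):
            raise ValueError(f"invalid management group ID in {spec!r}")
        return MG_PREFIX + mg_id
    if spec.startswith("sub:"):
        sub_id = spec[len("sub:"):]
        if not GUID.match(sub_id):
            raise ValueError(f"subscription scope must be a GUID: {spec!r}")
        return SUB_PREFIX + sub_id
    if spec.startswith("/"):
        return spec
    raise ValueError(f"unrecognised scope {spec!r}")


def is_valid_scope(spec: str, tenant_id: str) -> bool:
    try:
        resolve_scope(spec, tenant_id)
        return True
    except ValueError:
        return False


def default_group_name(prefix: str, key: str, role: str) -> str:
    return f"{prefix}_{key}_{role}".upper()  # assumed naming layout, see above


def expected_state(subscriptions, management_groups, custom_groups, tenant_id):
    """Return (assignments, pim_groups): what the module should have created."""
    assignments, pim_groups = set(), set()
    for sub_name, sub_id in subscriptions.items():
        for role in DEFAULT_ROLES:
            group = default_group_name("SUB", sub_name, role)
            assignments.add(Assignment(group, role, SUB_PREFIX + sub_id))
            if role in PIM_ROLES:
                pim_groups.add(group)
    for mg_id in management_groups:
        for role in DEFAULT_ROLES:
            group = default_group_name("AMG", mg_id, role)
            assignments.add(Assignment(group, role, MG_PREFIX + mg_id))
            if role in PIM_ROLES:
                pim_groups.add(group)
    for group, cfg in custom_groups.items():
        for role, scopes in cfg["role_assignments"].items():
            for spec in scopes:
                assignments.add(Assignment(group, role, resolve_scope(spec, tenant_id)))
    return assignments, pim_groups


def find_drift(expected, observed):
    """observed: entries shaped like `az role assignment list --all -o json`.
    Returns (unexpected, missing); unexpected = assignments on a scope the
    module manages that it did not declare (out-of-band Owner grants land here)."""
    managed_scopes = {a.scope for a in expected}
    seen = {Assignment(e["principalName"], e["roleDefinitionName"], e["scope"])
            for e in observed}
    unexpected = {a for a in seen if a.scope in managed_scopes and a not in expected}
    return unexpected, expected - seen


# Constructed sample inputs mirroring the usage snippet above.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SUBSCRIPTIONS = {"prod": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
MANAGEMENT_GROUPS = {"new": {"display_name": "New"}}
CUSTOM_GROUPS = {"AMG_ALZ_OWNER": {"azuread_role_assignable": True,
                                   "role_assignments": {"Owner": ["mg:alz"]}}}
EXPECTED, PIM_GROUPS = expected_state(SUBSCRIPTIONS, MANAGEMENT_GROUPS, CUSTOM_GROUPS, TENANT_ID)

# Constructed observed state: every expected assignment except AMG_NEW_READER,
# plus a user granted Owner directly on the "alz" management group.
OBSERVED = [{"principalName": a.principal, "roleDefinitionName": a.role, "scope": a.scope}
            for a in EXPECTED if a.principal != "AMG_NEW_READER"]
OBSERVED.append({"principalName": "alice@example.com", "roleDefinitionName": "Owner",
                 "scope": MG_PREFIX + "alz", "principalType": "User"})
UNEXPECTED, MISSING = find_drift(EXPECTED, OBSERVED)

if __name__ == "__main__":
    for a in sorted(UNEXPECTED, key=str):
        print("UNEXPECTED", a)
    for a in sorted(MISSING, key=str):
        print("MISSING   ", a)
```

The drift check deliberately only flags scopes the module manages: a subscription outside subscriptions/custom_groups is not this module's responsibility, so reporting it would drown the signal. Role-definition IDs passed instead of names in role_assignments are not normalised here; if you use them, map them to names before building the expected set.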

Outputs

Name Description
aad_groups All AAD Groups that have been created.

Resource types

Type Used
azuread_group 7
azurerm_role_assignment 7

"Used" counts resource blocks only; for_each and count meta-arguments, as well as resource blocks inside child modules, are not considered.

Modules

No modules.

Resources by Files

main.tf

Name Type
azuread_group.custom_groups resource
azuread_group.management_contributors resource
azuread_group.management_owners resource
azuread_group.management_readers resource
azuread_group.subscription_contributors resource
azuread_group.subscription_owners resource
azuread_group.subscription_readers resource
azurerm_role_assignment.custom_groups resource
azurerm_role_assignment.management_contributors resource
azurerm_role_assignment.management_owners resource
azurerm_role_assignment.management_readers resource
azurerm_role_assignment.subscription_contributors resource
azurerm_role_assignment.subscription_owners resource
azurerm_role_assignment.subscription_readers resource
azurerm_client_config.current data source

Contribute

Please use pull requests to contribute.

When a new feature or fix is ready to be released, create a new GitHub release and adhere to Semantic Versioning 2.0.0.