This is not a technical question but more of a which-tool-suits-best type of question. Azure Blueprints and Terraform both have the ability to centrally create and manage Azure Role-Based Access Control (RBAC) and Policies.
I wanted to understand: if I plan to use Terraform to deploy all Azure resources (vnet, subnets, network security groups, storage account, app service, etc.), does it make sense to use Azure Blueprints separately for RBAC and Policy management, or should I stick to Terraform to control the creation and updating of policies and RBAC?
On one hand, there is a line of thinking that Azure governance should be a separate layer from resource deployment.
However, if I use a combination of Azure Blueprints for the above-mentioned purpose and Terraform for resource deployment, I am concerned that Terraform may not be able to execute properly because it does not have knowledge of the policies and RBAC created outside of it, and may execute something which it is not supposed to (governed by policies and RBAC), which may lead to errors.
It feels like I should use either Azure Blueprints OR Terraform for consistency, but then if I use Terraform for RBAC and Policies, I feel that I am missing out on the ease of setup and governance that Azure Blueprints provides.
Also, speaking from a system design perspective, does governance need state like resources do, or does it not? I understand that maintaining state can help us keep track of history and the current state. This helps in reverting to a previous known working state in case of abnormalities in the current state. But does this logic apply to governance?