Best-practice for Terraform access to Azure subscription

I’m looking for best-practice guidance for granting App Registration (Service Principal) access to an Azure Subscription for use with Terraform.

As I understand Azure RBAC, you require Owner privilege at the Subscription scope to create/delete Resource Groups and to manage RBAC of a Resource Group. This implies that the App Registration used by Terraform requires Owner at the Subscription scope, if you wish to use Terraform to provision Resource Groups.

I anticipate having many teams deploying products/services to the same Azure Subscription. If they’re all using the same App Registration (or even multiple App Registrations) with Owner privilege at the Subscription scope, they can inadvertently damage each other’s work. A member of Team A can accidentally delete a resource belonging to Team B, for example.

Is there a best-practice model for this scenario? I want to limit the access of each App Registration in a more compartmentalized way, where each App Registration is restricted to a subset of Resource Groups, without needing to use dozens of Subscriptions to do so.

How are other large organizations solving for this?

Thanks!
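A way to check how compartmentalized a subscription currently is, as an added example that is not part of the original post: it flags privileged role assignments made above Resource Group scope and lists Resource Groups that more than one principal can modify. The sample data is constructed in the shape of `az role assignment list --all -o json` output; the principal names, Resource Group names and subscription ID are made up.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `az role assignment list --all -o json`
# output (principalName, roleDefinitionName, scope). All names/IDs are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principalName": "sp-terraform-team-a", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-team-a-app"},
    {"principalName": "sp-terraform-team-a", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-shared-net"},
    {"principalName": "sp-terraform-team-b", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourcegroups/RG-Shared-Net"},
    {"principalName": "sp-terraform-legacy", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sp-terraform-team-b", "roleDefinitionName": "Reader", "scope": SUB},
]

# Built-in roles that can change resources or role assignments.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
# Azure scope strings are case-insensitive, so match and compare that way.
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/([^/]+)", re.I)


def resource_group_of(scope):
    """Return the lower-cased Resource Group a scope falls in, or None when
    the scope is a subscription, management group or root."""
    m = RG_SCOPE.match(scope)
    return m.group(1).lower() if m else None


def audit(assignments):
    """Return (broad, shared): privileged assignments above Resource Group
    scope, and Resource Groups with privileged access from several principals."""
    broad, by_rg = [], defaultdict(set)
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED:
            continue  # e.g. Reader cannot modify another team's resources
        rg = resource_group_of(a["scope"])
        if rg is None:
            broad.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
        else:
            by_rg[rg].add(a["principalName"])
    shared = {rg: sorted(p) for rg, p in by_rg.items() if len(p) > 1}
    return broad, shared


if __name__ == "__main__":
    broad, shared = audit(ASSIGNMENTS)
    for principal, role, scope in broad:
        print(f"BROAD  {principal}: {role} at {scope}")
    for rg, principals in shared.items():
        print(f"SHARED {rg}: {', '.join(principals)}")
```

A principal reported as BROAD reaches every Resource Group in the subscription, so it is listed separately instead of being repeated under each shared Resource Group.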