Use archetype_config_overrides to set role assignments in Azure landing zones Terraform module
Using terraform-azurerm-caf-enterprise-scale with custom landing zone archetypes makes it easy to modify role assignments via the `access_control` block under `parameters`. Setting role assignments for the built-in management groups works a bit differently, and is not very clearly documented in the repository wiki.

To override the role assignments for the built-in management groups you need to use the `archetype_config_overrides` block. The block requires you to set `archetype_id`, `parameters` and `access_control`:
```hcl
map(
  object({
    archetype_id   = string
    parameters     = map(any)
    access_control = map(list(string))
  })
)
```
A list of built-in archetype definitions can be found in `terraform-azurerm-caf-enterprise-scale/modules/archetypes/lib/archetype_definitions/`. By selecting the relevant archetype definition we can add our own `access_control` configuration like this:
```hcl
resource "azuread_group" "platform_owner" {
  display_name     = "Azure-Platform-Owner"
  description      = "Grant Owner role on Platform Management Group"
  security_enabled = true
}

resource "azuread_group" "platform_contributor" {
  display_name     = "Azure-Platform-Contributor"
  description      = "Grant Contributor role on Abyss IT Management Group"
  security_enabled = true
}

resource "azuread_group" "platform_reader" {
  display_name     = "Azure-Platform-Reader"
  description      = "Grant Reader role on Platform Management Group"
  security_enabled = true
}

module "azure_landing_zones" {
  source = "Azure/caf-enterprise-scale/azurerm"
  [...]
  archetype_config_overrides = {
    platform = {
      archetype_id = "es_platform"
      parameters   = {}
      access_control = {
        Owner = [
          azuread_group.platform_owner.object_id
        ]
        Contributor = [
          azuread_group.platform_contributor.object_id
        ]
        Reader = [
          azuread_group.platform_reader.object_id
        ]
      }
    }
  }
}
```
The above example will add three separate groups with the `Owner`, `Contributor` and `Reader` roles to the Platform management group (which contains the Connectivity, Identity and Management groups/subscriptions). I prefer to always assign permissions to groups to make administration easier. I can then expand this example with access reviews for group memberships, and combine it with Privileged Identity Management for just-in-time membership/ownership (although it should be mentioned that the azuread provider has no support for access reviews or Privileged Identity Management).
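As an added example (not code from the original post or from the module itself), the same override pattern applied to two built-in management groups at once, referencing groups that already exist in the directory through the `azuread_group` data source rather than creating them. The group display names are constructed for this example, and the map keys (`platform`, `landing-zones`) and archetype ids (`es_platform`, `es_landing_zones`) are assumed to match the module version in use; confirm them against `modules/archetypes/lib/archetype_definitions/` before applying. Keeping the platform scope read-only for the broad group, and granting `Contributor` only at the landing zones scope, keeps the high-privilege assignments to the small set of groups that genuinely need them.

```hcl
# Look up existing groups instead of creating new ones.
# Display names are constructed for this example.
data "azuread_group" "platform_reader" {
  display_name     = "Azure-Platform-Reader"
  security_enabled = true
}

data "azuread_group" "landing_zones_contributor" {
  display_name     = "Azure-LandingZones-Contributor"
  security_enabled = true
}

module "azure_landing_zones" {
  source = "Azure/caf-enterprise-scale/azurerm"
  # Remaining required module inputs (root_id, root_parent_id, ...) omitted here.

  # One entry per built-in management group to override. The key is the
  # management group key the module uses; archetype_id is the built-in
  # definition from modules/archetypes/lib/archetype_definitions/ (assumed ids).
  archetype_config_overrides = {
    platform = {
      archetype_id = "es_platform"
      parameters   = {}
      access_control = {
        # Read-only at the platform scope; no Owner assignment for this group.
        Reader = [
          data.azuread_group.platform_reader.object_id
        ]
      }
    }
    "landing-zones" = {
      archetype_id = "es_landing_zones"
      parameters   = {}
      access_control = {
        # Contributor only where workloads live, not on the platform subscriptions.
        Contributor = [
          data.azuread_group.landing_zones_contributor.object_id
        ]
      }
    }
  }
}
```

Running `terraform plan` shows the role assignments the module will create at each management group scope, which is a convenient place to review that nothing broader than intended (for example an `Owner` entry on `platform`) slipped into the override before it is applied.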