Using terraform-azurerm-caf-enterprise-scale with custom landing zone archetypes makes it easy to modify role assignments through the access_control block under parameters. Setting role assignments for the built-in management groups works differently and is not clearly documented in the repository wiki. To override the role assignments for the built-in management groups you use the archetype_config_overrides block. The block requires you to set archetype_id, parameters and access_control:
map(
  object({
    archetype_id   = string
    parameters     = map(any)
    access_control = map(list(string))
  })
)
A list of built-in archetype definitions can be found in terraform-azurerm-caf-enterprise-scale/modules/archetypes/lib/archetype_definitions/. After selecting the relevant archetype definition, we can add our own access_control configuration like this:
# Groups are looked up by display name. The azuread_group data source does not
# accept a description argument (it only exports one), so the intended purpose
# of each group is kept as a comment instead.

# Grant Owner role on Platform Management Group
data "azuread_group" "platform_owner" {
  display_name     = "Azure-Platform-Owner"
  security_enabled = true
}

# Grant Contributor role on Abyss IT Management Group
data "azuread_group" "platform_contributor" {
  display_name     = "Azure-Platform-Contributor"
  security_enabled = true
}

# Grant Reader role on Platform Management Group
data "azuread_group" "platform_reader" {
  display_name     = "Azure-Platform-Reader"
  security_enabled = true
}

module "azure_landing_zones" {
  source = "Azure/caf-enterprise-scale/azurerm"
  [...]
  archetype_config_overrides = {
    platform = {
      archetype_id = "es_platform"
      parameters   = {}
      access_control = {
        # Role definition name -> list of principal object IDs
        Owner       = [data.azuread_group.platform_owner.object_id]
        Contributor = [data.azuread_group.platform_contributor.object_id]
        Reader      = [data.azuread_group.platform_reader.object_id]
      }
    }
  }
}
The above example adds three separate groups with the Owner, Contributor and Reader roles to the Platform management group (which contains the Connectivity, Identity and Management groups/subscriptions). I prefer to always assign permissions to groups to make administration easier. This example can then be expanded with access reviews for group memberships, and combined with Privileged Identity Management for just-in-time membership/ownership (although it should be mentioned that the azuread provider has no support for access reviews or Privileged Identity Management).
Use module outputs to assign permissions
If role assignments are added before the landing zone architecture has been deployed, the first run of terraform plan or terraform apply will fail with the following message: local.azurerm_role_assignment_enterprise_scale will be known only after apply. The cause of this error is described in #651. A workaround is to instead combine the module outputs, which expose the management group IDs, with azurerm_role_assignment resources:
resource "azuread_group" "platform_owner" {
  display_name     = "Azure-Platform-Owner"
  description      = "Grant Owner role on Platform Management Group"
  security_enabled = true
}

resource "azurerm_role_assignment" "platform_owner" {
  # The Platform management group sits at level 2 under the root; the module
  # keys its azurerm_management_group output by management group resource ID.
  scope                = module.azure_landing_zones.azurerm_management_group.level_2["/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"].id
  role_definition_name = "Owner"
  # Reference the group declared above (the original referenced a non-existent
  # azuread_group.owner); object_id is the principal ID Azure RBAC expects.
  principal_id         = azuread_group.platform_owner.object_id
}
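The workaround above shows a single Owner assignment. As an added example (not part of the original post or of the terraform-azurerm-caf-enterprise-scale module), the same pattern generalised to all three roles with for_each, so one map drives both the group lookups and the role assignments. It assumes the module instance is named azure_landing_zones, that var.root_id is defined, and that the three group display names exist in Entra ID; the group names are constructed sample values.

```hcl
# Added example: one role assignment per role on the Platform management group,
# driven by the module outputs rather than by archetype_config_overrides.
# Assumptions: module "azure_landing_zones" and var.root_id exist; group names
# are constructed placeholders.

locals {
  # Role definition name -> Entra ID security group display name (constructed).
  platform_role_groups = {
    Owner       = "Azure-Platform-Owner"
    Contributor = "Azure-Platform-Contributor"
    Reader      = "Azure-Platform-Reader"
  }

  # The module keys its azurerm_management_group output by management group
  # resource ID; Platform sits at level 2 under the intermediate root.
  platform_mg_key = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
  platform_mg_id  = module.azure_landing_zones.azurerm_management_group.level_2[local.platform_mg_key].id
}

# Groups are looked up, not created, so nothing is granted that was not
# already decided in Entra ID. security_enabled narrows the match to
# security groups, which are the only kind that can hold RBAC assignments.
data "azuread_group" "platform" {
  for_each         = local.platform_role_groups
  display_name     = each.value
  security_enabled = true
}

# One assignment per role, all scoped to the Platform management group.
# Reading the scope from the module output creates an implicit dependency, so
# these are planned only once the hierarchy is known; depends_on makes that
# ordering explicit for readers of the configuration.
resource "azurerm_role_assignment" "platform" {
  for_each             = local.platform_role_groups
  scope                = local.platform_mg_id
  role_definition_name = each.key
  principal_id         = data.azuread_group.platform[each.key].object_id

  depends_on = [module.azure_landing_zones]
}

# Expose the resulting assignment IDs so they can be reviewed or referenced
# elsewhere (for example by an access-review process outside Terraform).
output "platform_role_assignments" {
  description = "Role assignment IDs on the Platform management group, keyed by role name."
  value       = { for role, ra in azurerm_role_assignment.platform : role => ra.id }
}
```

Because the roles live in a single map, adding or removing a role is a one-line change, and terraform plan shows exactly which assignment is created or destroyed; switching to data sources for the groups also means a group that does not exist fails the lookup at plan time instead of silently creating an empty group that holds Owner on the whole platform hierarchy.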