20191221

Azure Terraform Role Definition

For security reasons, we tend to create a service principal that can perform Terraform operations only within a specific resource group, without being able to modify resources elsewhere in the same subscription.

In reality, we still need to allow the service principal to run a few actions at subscription scope (reading resources across the subscription and registering resource providers), so those have to be granted by a role assignable at the subscription rather than at the resource group.

Here is a custom role definition with the subscription-scope actions that Terraform operations need in order to run successfully. Write access to the target resource group is granted separately, for example by assigning the built-in Contributor role at resource-group scope.

{
    "Name": "Terraform",
    "Description": "Subscription-scope actions that Terraform operations need",
    "Actions": [
        "*/read",
        "Microsoft.Sql/register/action",
        "Microsoft.CognitiveServices/register/action",
        "microsoft.insights/register/action"
    ],
    "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}

With this saved as terraform-role-definition.json, we may run the following command to create the custom role in the subscription. Note that this only creates the role definition; granting it to the service principal is a separate step (az role assignment create with --scope set to the subscription). Also be aware that "*/read" at subscription scope lets the principal enumerate and read the configuration of every resource in the subscription, although not secrets that sit behind POST actions such as listKeys/action.

az role definition create --role-definition terraform-role-definition.json
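The full procedure, as an added example that is not part of the original post: write the role definition, create it, create the service principal with the custom role at subscription scope, then grant Contributor on the one resource group Terraform is allowed to manage. The subscription id, the resource group name rg-terraform-demo and the service principal name sp-terraform-demo are placeholders; by default the script only prints the az commands it would run, and setting AZ_APPLY=1 executes them against a logged-in az CLI.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Placeholders: SUBSCRIPTION_ID,
# RESOURCE_GROUP and SP_NAME are assumptions; override them via the environment.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-terraform-demo}"
SP_NAME="${SP_NAME:-sp-terraform-demo}"
ROLE_NAME="Terraform"

# Scope strings for the two role assignments.
subscription_scope() { printf '/subscriptions/%s' "$1"; }
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Emit the custom role definition for the given subscription id. Only the
# subscription-wide actions live here: read everything, and register the
# resource providers Terraform needs. No write actions are granted by it.
role_definition_json() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Subscription-scope actions that Terraform operations need",
  "Actions": [
    "*/read",
    "Microsoft.Sql/register/action",
    "Microsoft.CognitiveServices/register/action",
    "microsoft.insights/register/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["$(subscription_scope "$1")"]
}
EOF
}

# Dry-run wrapper: without AZ_APPLY the az commands are printed, not executed,
# so the script can be rehearsed without an Azure login.
run() {
  if [ -n "${AZ_APPLY:-}" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

main() {
  sub_scope=$(subscription_scope "$SUBSCRIPTION_ID")
  rg_scope_str=$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")

  role_definition_json "$SUBSCRIPTION_ID" > terraform-role-definition.json

  # 1. Create the custom role. This creates the definition only; it assigns nothing.
  run az role definition create --role-definition terraform-role-definition.json

  # 2. Create the service principal and give it ONLY the custom role at
  #    subscription scope (instead of the default Contributor on the subscription).
  run az ad sp create-for-rbac --name "$SP_NAME" --role "$ROLE_NAME" --scopes "$sub_scope"

  # 3. Contributor on the single resource group Terraform may create/modify/delete in.
  #    --assignee takes the appId printed by create-for-rbac; a placeholder is used here.
  run az role assignment create --assignee "<appId-from-create-for-rbac>" \
    --role Contributor --scope "$rg_scope_str"
}

main "$@"
```

The register actions exist because, unless the azurerm provider block sets skip_provider_registration = true, the provider tries to register every resource provider it supports; the three listed in the post are simply the ones that were not yet registered in that subscription. Setting skip_provider_registration = true and registering the providers once as an administrator removes the need for any Microsoft.*/register/action in the role.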

