#azure (archived)
1 message
Archive: https://archive.sweetops.com/azure/
Jan Fiedler, over 3 years ago
Hello Azure Gang 👋
I am coming from AWS and quite new to the Azure world and would love to exchange about best practices on Terraform-managed Azure.
I am currently trying to figure out the best way to run a right & role system on multiple subscriptions in Azure. I have the following requirements in mind:
• a role that can be assumed (by users) to have Contribute Access in each of the subscriptions
• a role that can be assumed (by users) to have Owner Access in each of the subscriptions
• a role that can be assumed (by Terraform in CI/CD like DevOps) in each of the subscriptions
I saw HashiCorp recommending using a Service Principal or Managed Identity when running in f.e. Azure DevOps and authenticating via the Azure CLI for running Terraform locally. So I guess having a Service Principal for my third requirement is the way to go.
Still, I have Azure resources in mind that need like an initial first local apply. But if I do so while being authenticated via the CLI, my personal user in Azure Active Directory is the Owner of these resources, which I see more as an anti-pattern. Does this mean I should also use a Service Principal to apply Azure resources locally?
Would be lovely if someone can answer my questions or point me in the right direction 🙂 Thank you!
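One way to lay out the three requirements from the question in Terraform, as an added example that is not from the original thread or from any project it mentions: two Entra ID groups carry the Contributor and Owner access for humans, one service principal is the pipeline identity, and `for_each` fans the role assignments out over every subscription. The subscription IDs, group names and application name are constructed placeholders; the block assumes the hashicorp/azurerm and hashicorp/azuread providers (azuread 2.47 or later for the `client_id` attribute) and an identity running it that may create groups, applications and role assignments.

```hcl
provider "azurerm" {
  features {}
}

# Constructed input: the subscriptions the RBAC layer spans.
variable "subscription_ids" {
  type    = set(string)
  default = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]
}

# Humans get access through group membership, never through direct assignment,
# so onboarding and offboarding is a membership change, not a Terraform change.
resource "azuread_group" "contributors" {
  display_name     = "platform-contributors"
  security_enabled = true
}

resource "azuread_group" "owners" {
  display_name     = "platform-owners"
  security_enabled = true
}

# Non-human identity for the CI/CD pipeline (application + service principal).
resource "azuread_application" "pipeline" {
  display_name = "terraform-pipeline"
}

resource "azuread_service_principal" "pipeline" {
  client_id = azuread_application.pipeline.client_id
}

# One assignment per subscription; the scope is the subscription itself.
resource "azurerm_role_assignment" "contributor_users" {
  for_each             = var.subscription_ids
  scope                = "/subscriptions/${each.value}"
  role_definition_name = "Contributor"
  principal_id         = azuread_group.contributors.object_id
}

resource "azurerm_role_assignment" "owner_users" {
  for_each             = var.subscription_ids
  scope                = "/subscriptions/${each.value}"
  role_definition_name = "Owner"
  principal_id         = azuread_group.owners.object_id
}

# The pipeline gets Contributor, not Owner: it can deploy resources but cannot
# grant roles, so a compromised pipeline credential cannot escalate itself.
resource "azurerm_role_assignment" "pipeline" {
  for_each                         = var.subscription_ids
  scope                            = "/subscriptions/${each.value}"
  role_definition_name             = "Contributor"
  principal_id                     = azuread_service_principal.pipeline.object_id
  skip_service_principal_aad_check = true # new SP may not have replicated yet
}
```

If the pipeline must manage role assignments itself, add a separate "User Access Administrator" assignment rather than promoting it to Owner, so the two capabilities stay visible as distinct grants.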