
Permissions

github-actions edited this page Jul 12, 2022 · 3 revisions

Permissions required

This module uses two providers, azapi and azurerm. We recommend that you use the same identity for both providers.
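A minimal provider configuration that follows this recommendation, added here as an example and not taken from the module's own code. The variable names are assumptions; the point is that both provider blocks are fed from one set of values so the two identities cannot drift apart.

```hcl
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# Assumed variable names: one set of identity values shared by both providers.
variable "tenant_id" {
  type        = string
  description = "Tenant of the deployment identity."
}

variable "client_id" {
  type        = string
  description = "Application (client) ID of the deployment identity."
}

variable "subscription_id" {
  type        = string
  description = "Default subscription for the provider context."
}

# The credential itself is deliberately kept out of the configuration.
# Both providers read it from the environment (for example ARM_CLIENT_SECRET),
# so it never lands in source control.
provider "azurerm" {
  features {}

  tenant_id       = var.tenant_id
  client_id       = var.client_id
  subscription_id = var.subscription_id
}

provider "azapi" {
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  subscription_id = var.subscription_id
}
```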

Subscription sub-module

This sub-module manages the following resources:

The identity used must have permission to:

  • Create subscriptions using the Microsoft.Subscription/aliases resource. See the documentation for details.

Note: The following process explains how to assign EA roles to SPNs.

  • Manage the subscription's management group using the Microsoft.Management/managementGroups resource. For a detailed explanation of the permissions required, see the documentation.

Note: The identity that creates the subscription is assigned Owner permissions on it by default. If you instead supply an existing subscription ID, you must ensure that the identity used by the provider has Owner permissions on that subscription.

Virtual network sub-module

This sub-module manages the following resources using the AzAPI provider:

These resources are deployed into the new or the supplied subscription. The identity of the AzAPI provider must have permission to create these resources.

Role assignments sub-module

This sub-module manages the following resources using the AzureRM provider:

The role assignments are deployed into either the new or the supplied subscription, at subscription or child scopes. The identity of the AzureRM provider must have permission to create these resources. Typically, this means holding the Owner or User Access Administrator role.