There are different ways to add role-based access control to principals for an Azure subscription. These can be done in the IaC with something such as:

Resource azurerm_role_assignment azure_rbac {

 scope                                 = var.scope

 role_definition_name    = var.role_definition_name

 principal_id                      = var.principal_id

}

The scope can be specific to a resource or a resource group or a subscription and takes the fully qualified identifier for the same.

The role definition name can one of many built-in roles that confers permissions to the principal. For example, this could be Owner, Contributor, Reader, Storage Blob Data Reader and so on.

The principal_id is typically the object id for the user, group or AD entity. If a service principal is used, it must be the corresponding object id of the paired enterprise application otherwise there will be an error message that states “Principals of type Application cannot validly be used in role assignments”.

There are many ways to populate the attributes of the resource definition via different IaC definitions, but the provider recognizes them generically as a role assignment.

The preferences among AD entities for use with deployments is managed identity which can be both system and user defined. The benefit of managed identity is that it can work as a credential as opposed to requiring key-secrets to be issued for an enterprise application.

Some caveats apply to IaC in general for role assignments. For example, the code that requires to assign an rbac based on the managed identity of another resource might not have it during compile time and only find it when it is created during execution time. The rbac IaC will require a principal _id for which the managed identity of the resource created is required. This might require two passes of the execution – one to generate the rbac principal id and another to generate the role assignment with that principal id.  

The above works for newly created resources with two passes but it is still broken for existing resources that might not have an associated managed identity and the rbac IaC tries to apply a principal id when it is empty. In such cases, no matter how many times the role-assignment is applied, it will fail due to the incorrect principal id. In this case, the workaround is to check for the existence of the principal id before it is applied.