My next challenge in my TerraForm journey is to assign some RBAC roles (some custom) to users on specific resources.

Custom roles

Roles need to be assigned to a scope and have a list of scopes to which they can be assigned. For these we may need the subscription id, something that up until now I have not needed in my TerraForm files. Fortunately, there are several Azure data providers with the TerraForm integration including azurerm_subscription which will give the current Azure Resource Manager provider’s subscription id if no other arguments are provided:

data "azurerm_subscription" "current" {

After this, a custom role definition is fairly straight forward to create:

resource "azurerm_role_definition" "vmuser" {
  name        = "Virtual Machine User"
  scope       =
  description = "Can deallocate and start virtual machines"

  permissions {
    actions     = [
    data_actions = ["Microsoft.Compute/virtualMachines/login/action"]
    not_actions = []
    not_data_actions = []

  assignable_scopes = [, # /subscriptions/00000000-0000-0000-0000-000000000000

Users and groups

In order to access user and group information, we need to use the azuread provider.

Firstly we need to add the azuread provider to TerraForm:

terraform {
  required_providers {
    azuread = {
      source ="hashicorp/azuread"
      version = ">=2.12.0"

Once added to the configuration, we need to re-run terraform init.

Then, groups and users can be looked up like this:

data "azuread_group" "rdpusers" {
  display_name     = "RDPUsers-Production-G"
  security_enabled = true

data "azuread_user" "someuser" {
  user_principal_name = "some.user@domain.tld"

What I found useful is that the traditional login for the user is available via the onpremises_sam_account_name property (e.g. data.azuread_user.someuser.onpremises_sam_account_name). This can be useful if that login was used to generate other things, like file-share names.

Assigning the role

resource "azurerm_role_assignment" "role-assignment" {
  scope              =
  role_definition_id =
  principal_id       =

In-built roles can be assigned by putting role_definition_name = "Reader" (for example) instead of using role_definition_id or looking up the role definition with the azurerm_role_definition data source and using the returned id property:

data "azurerm_role_definition" "reader" {
  name = "Reader"

I prefer the latter as using the id consistently works better when you start modularising and doing for_each loops with a mix of custom and built-in roles (using the ids in the loop variables).

Adding to VM module

Expanding my previous work modularising the creation of VDIs to assign a role to a list of principals is relatively straight-forward (with a little reworking, this could probably be generalised to allow combinations of roles but I only need to assign one at the VM level).

Firstly, add 2 new variables - one for the role id to assign and one for the list of principals to assign to (this could be turned into a map of role to principals to generalise it):

variable "vm_user_role_id" {
    type = string
    description = "Scoped resource ID of the role to assign to principals for the VM"

variable "vm_user_principal_ids" {
    type = set(string)
    description = "IDs of principals to assign the vm_user_role_id to for this VM"

Then adding the assignment is very easy:

resource "azurerm_role_assignment" "vm_role" {
    scope =
    role_definition_id = var.vm_user_role_id
    principal_id = each.value
    for_each = var.vm_user_principal_ids

Importing these roles is a bit finicky. There is no easy way I have found to see the assignment’s full id in the portal so the best route seems to be to use the Azure CLI to look it up:

$sub_id="$(az account show --query id -o tsv)"
$vdi_users = @{
  VDI01 = "some.other.user@domain.tld"
  VDI27 = "some.user@domain.tld"
  VDI99 = "someone.else@domain.tld"
$vdi_groups = @{
    VDI24 = "RDPUsers-Production-G"

foreach ( $entry in $vdi_users.GetEnumerator()) {
    $user_id="$(az ad user show --id $($entry.Value) --query objectId -o tsv)"
    terraform import "module.vdis[\""$($entry.Name)\""].azurerm_role_assignment.vm_role[\""$user_id\""]" "$(az role assignment list --scope /subscriptions/$sub_id/resourceGroups/RG-VDI-001/providers/Microsoft.Compute/virtualMachines/$($entry.Name) --assignee $user_id --query [].id -o tsv)"
foreach ( $entry in $vdi_groups.GetEnumerator()) {
    $group_id="$(az ad group show --group $($entry.Value) --query objectId -o tsv)"
    terraform import "module.vdis[\""$($entry.Name)\""].azurerm_role_assignment.vm_role[\""$group_id\""]" "$(az role assignment list --scope /subscriptions/$sub_id/resourceGroups/RG-VDI-001/providers/Microsoft.Compute/virtualMachines/$($entry.Name) --assignee $group_id --query [].id -o tsv)"