DEV Community

Smallsun2025
Smallsun2025

Posted on

Create and Assign a Custom Role in Azure Using Terraform

🧭 Introduction
In today's post, we’ll explore how to create a custom role in Azure using Terraform and assign it to a specific resource group. This is a critical step toward managing fine-grained permissions in enterprise-grade Azure deployments.

Whether you're building production systems or just learning Infrastructure as Code (IaC), this project gives you a practical look at customizing access control with Terraform.
🗂 Project Structure
Here’s a quick look at the project files:
azure-custom-role-assignment/
├── main.tf # Define custom role + assignment
├── variables.tf # Input variables
├── terraform.tfvars # Variable values
├── outputs.tf # Outputs (like Role Definition ID)
🔧 What the Terraform Code Does
Creates a Custom Role using azurerm_role_definition
The role is defined in JSON format and includes permissions like Microsoft.Resources/subscriptions/resourceGroups/*.

Assigns the Role to a user, group, or service principal using azurerm_role_assignment.

Scopes the Role Assignment to a specific resource group for tight access control.
🚀 How to Deploy
Make sure you have:

✅ Azure CLI (az login)

✅ Terraform installed

Then follow these steps:

terraform init
terraform plan
terraform apply

When prompted, type yes.

After deployment, your custom role will be created and assigned — scoped to the resource group you specified.

🔍 Example Use Case
Let’s say you want to grant read-only access to a service principal but only within a specific resource group, not across the whole subscription. This setup enables that — all in one Terraform script!

✅ Conclusion
Custom roles are a powerful way to enforce principle of least privilege in Azure. With just a few lines of Terraform, you can define exactly what actions are permitted, where, and by whom.

This example helps solidify your understanding of:

Role Definition JSON structure

Role Assignment best practices

Scoped access control via Terraform

🔜 Coming Next...
Managing Key Vault secrets via Terraform

Building reusable modules for RBAC policies

Advanced Role Assignments using Azure AD groups

If you found this useful, feel free to ⭐ the repo and share your thoughts in the comments!

📝 Ready to post on Dev.to
📦 Repo name suggestion: azure-custom-role-assignment

Top comments (0)