Why are the Azure permissions needed for deployment and CI so high and what can we do about it?

[Farmerobot]

For manual deployment to azure using azd up, Owner permissions set statically on the resource group by the tenat admin seem entirely reasonable. azd down is more problematic, as it deletes the whole rg which then needs to be manually recreated again with the original permissions, but it's fine if it's not ran too often. Another solution would be using azd login with an admin account with tenat-wide permissions, but that is extremely unsafe.

However, the CI github pipeline uses both up and down on new groups. It thus requires full permissions to create and destroy any arbitrary resource groups on the tenat and that is a huge and unacceptable security vulnerability.

What is the expected way of handling these permissions? Is the RAG supposed to be on an entirely separate tenat from the rest of our critical infrustructure? Are we supposed to create custom roles with very specific permissions only for certain resource groups?

I have read through the docs/ folder of the repo and I still seem very confused about this. Any help would be appreciated :)

[Roopan-Microsoft]

Hey @Farmerobot, Thanks for your feedback.

I want to ensure I’ve understood your query correctly. Below is based on my understanding.

Yes, we are currently using the same tenant for azd up and azd down, but this is strictly for testing the Bicep template. We ensure that the resources are destroyed immediately after the deployment is successfully verified.

Having a separate tenant for the CI pipeline is certainly an option, but we would like to understand the specific reason or concern behind this suggestion. Could you please elaborate?

Additionally, we can create custom roles with permissions tailored specifically to certain resource groups (RGs) to enhance security and limit access.

Could you let us know your expectations or preferences regarding this setup? This will help us brainstorm and identify the best approach to meet your requirements.

Happy to Discuss!

[Farmerobot]

Hello, thank you for your reply.
When I told our Azure administrator that we need to give an app tenat-wide permissions to run azd down --force --purge --no-prompt on arbitrary resource groups, the reaction might have been described as hesitant.

But yes, custom permissions for specific access is what we decided upon in the end. Thanks again!