Recommended SPN permissions for this terraform-azurerm-policy-exemptions module

[tpidor]

Hello again, and thanks for adding the minimum Terraform CLI version required from my other ticket #3
I'm progressing with the implementation of this module and was just using Contributor access to my MSDN tenant to test and allow this module to write policy exemptions.
However when moving to a controlled and restricted tenant, so far these are the SPN permissions the module requires based on my validations:

"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/delete"

These "Microsoft.Resources/deployments" permissions look like are due to the use of "azurerm_resource_group_template_deployment" module. The challenge we have now is by providing the SPN to create policy exemptions with these permissions, the SPN also has higher privileges to create/modify other resources.
What is the recommended SPN roles and permissions for this module just enough to create policy exemptions without any other access?

[jesseloudon]

Hi @tpidor

There's currently no Azure RBAC built-in role which only provides access to manage only ARM template deployments and policy exemptions

If constraining the SPN to the least permissions possible to use this module is a requirement I recommend creating a custom role with at least these 2x actions only, then assign your SPN to the new custom role:

Microsoft.Resources/deployments/* -- Create and manage a deployment
Microsoft.Authorization/policyexemptions/* -- Create and manage policy exemptions

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Hope this helps