[AVM Module Issue]: Add support for implementing minimal permissions for deployments (least privilege model)

[JanneMattila]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

(Optional) Module Version

0.2.0 / main branch

(Optional) Correlation Id

No response

Description

Current implementation requires too broad permissions and it should narrowed down to as small as possible to implement least privilege model.

To support this, module should:

• Support using BYO Virtual Network with BYO subnets
• Support deployments without permissions in subscription level (Related: [AVM Module Issue]: resource_group_name parameter documentation does not match implementation #63 )
• Allow companies to use minimal permissions (example below)

Minimal permission examples

If you don't want to use built-in roles e.g., Network Contributor and Private DNS Zone Contributor for granting access, then here are examples of custom role permissions:

For Virtual Network:

Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action

For Private DNS Zones:

Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/join/action
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/A/write

[microsoft-github-policy-service]

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the Terraform Issue Triage documentation.

[microsoft-github-policy-service]

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

• To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
• To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

[microsoft-github-policy-service]

Caution

This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-terraform) immediate attention as it hasn't been responded to within 6 business days.

Tip

• To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
• Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.