I have created a Service Principal to perform CI/CD using Terraform and GitHub Workflows. I am initially provisioning the infrastructure with Terraform, and I’m also using Terraform to make changes to my deployment.
My challenge is that I want to grant this Service Principal Contributor access only to resources (such as Container Apps and Container Registries) with names starting with "TEST." I do not want it to have access to other resources. How can I achieve that?
2 Answers
Although Azure Policy can be applied to enforce naming conventions, there aren’t any mechanisms to enforce policy for specific users. Your best bet is to limit permissions (specifically Container and website permissions) to the resources as this is what role-based security is intended for.
It sounds like by limiting your scope to resources that start with "Test", you want to grant some flexibility for team members to manage their own experimental resources.
If so, here are a few possible options:
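The resource-scoped role assignment the answer above recommends, written out as an added Terraform example (this is not code from the question or from either answer). It assumes a resource group named rg-apps, the container app and registry names listed in locals, and a variable sp_object_id holding the service principal's object ID; all of those are hypothetical. It enumerates the existing resources whose names start with "TEST" and creates one Contributor assignment scoped to each of them:

```hcl
# Added example, not from the original question or answers.
# Grants the CI/CD service principal Contributor only on resources whose
# names start with "TEST", by creating one resource-scoped assignment each.
# Hypothetical: resource group "rg-apps", the names in locals, var.sp_object_id.

terraform {
  required_version = ">= 1.3" # startswith() was added in Terraform 1.3
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "sp_object_id" {
  description = "Object ID (not the app/client ID) of the CI/CD service principal"
  type        = string
}

locals {
  resource_group_name = "rg-apps"

  # Resources that already exist in the resource group (hypothetical names).
  container_apps = ["TEST-api", "TEST-worker", "PROD-api"]
  registries     = ["testacr", "prodacr"] # ACR names are alphanumeric and case-insensitive

  # Keep only the TEST* names; compare case-insensitively so "testacr" qualifies.
  test_apps       = toset([for n in local.container_apps : n if startswith(upper(n), "TEST")])
  test_registries = toset([for n in local.registries : n if startswith(upper(n), "TEST")])
}

data "azurerm_container_app" "test" {
  for_each            = local.test_apps
  name                = each.key
  resource_group_name = local.resource_group_name
}

data "azurerm_container_registry" "test" {
  for_each            = local.test_registries
  name                = each.key
  resource_group_name = local.resource_group_name
}

# One Contributor assignment per TEST* container app, scoped to that app's resource ID.
resource "azurerm_role_assignment" "sp_contrib_apps" {
  for_each             = data.azurerm_container_app.test
  scope                = each.value.id
  role_definition_name = "Contributor"
  principal_id         = var.sp_object_id
}

# One Contributor assignment per TEST* registry, scoped to that registry's resource ID.
resource "azurerm_role_assignment" "sp_contrib_acr" {
  for_each             = data.azurerm_container_registry.test
  scope                = each.value.id
  role_definition_name = "Contributor"
  principal_id         = var.sp_object_id
}
```

Two caveats a practitioner would want. First, the assignments themselves must be applied by an identity that holds Owner or User Access Administrator on the resource group, not by the service principal being restricted. Second, a resource-scoped Contributor can only manage resources that already exist; it cannot create a new TEST-* container app, because creation is authorized at the parent (resource group) scope. Azure RBAC conditions (ABAC) do not, as of this writing, filter management-plane actions by resource name, so if the pipeline also has to provision new resources the usual compromise is a dedicated resource group for the TEST resources, Contributor at that resource-group scope, and an Azure Policy on that group that denies resources whose names do not start with "TEST".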
You added the azure-devops tag to your post, but based on your description, you don't seem to use Azure Pipelines in your Azure DevOps organization for CI/CD. If we create an Azure Resource Manager service connection in an Azure DevOps organization in an automatic way, following the steps in the image below, it will automatically create an app registration in Microsoft Entra ID (formerly Azure Active Directory) as the underlying service principal to authenticate access to a resource group, Azure subscription, or management group.
As of now, the automatic naming pattern for the service principal is <AzureDevOpsOrgName>-<ProjectName>-<SubId>. We can change its name after the service connection is created.