terraform-azurerm-caf-enterprise-scale
User Assigned identity for Policy
Has https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/304 been addressed? I ran into this issue today and I've not seen an update that appears to address it. I did note that the version of azurerm being used, 3.18.0, does now support user assigned identity.
Thanks, Shane
Not yet, but we are currently prioritizing our backlog so I will attach this to the related user story as customer evidence to help prioritize this 👍🏻
Coming back to this hoping for an update, but re-thinking my position on this. I perceive a need for this change because it seems that each policy that I apply that has remediation is being assigned to the contributor RBAC role and it just seems to pollute the RBAC assignment page. My goal for this request is to have as few identities as possible and that most remediations would use a single principal. Is that unreasonable?
Understood on the least-privilege comment, however when you have several policies that are doing the same thing it potentially makes sense. For example, policies for tag inheritance such as the one illustrated here: https://github.com/Azure/azure-policy/blob/master/samples/Tags/inherit-resourcegroup-tag-if-missing/azurepolicy.json
If there was a way to have a single policy that trickled all necessary tags from a subscription->RG->Resource then I would have less need of using a user defined identity. But I've yet to find a way to do that.
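The setup described in the posts above (one shared principal for several tag-inheritance assignments instead of a Contributor-holding system-assigned identity per assignment), as an added Terraform example that is not code from this issue or from the CAF module. It relies on the UserAssigned identity support in azurerm 3.18.0 mentioned above; the management group ID, resource group, region and resource names are placeholders.

```hcl
# Added example, not part of the CAF Enterprise Scale module: one user-assigned
# identity reused by every tag-inheritance assignment, so the RBAC page shows a
# single principal with a single role assignment instead of one per policy.

locals {
  # Tags to inherit from the resource group; one assignment per tag name.
  inherited_tags = toset(["CostCenter", "Owner", "Environment"])
  # Target management group (placeholder ID).
  mg_id = "/providers/Microsoft.Management/managementGroups/contoso-landingzones"
}

resource "azurerm_user_assigned_identity" "policy_remediation" {
  name                = "id-policy-remediation"
  resource_group_name = "rg-policy-identities" # placeholder, must already exist
  location            = "westeurope"
}

# A single role assignment for the shared identity. The linked sample policy
# lists Contributor in roleDefinitionIds; use a narrower role if your policy's
# Modify operations only need to write tags.
resource "azurerm_role_assignment" "policy_remediation" {
  scope                = local.mg_id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.policy_remediation.principal_id
}

# Built-in equivalent of the linked sample definition (looked up by display name).
data "azurerm_policy_definition" "inherit_tag" {
  display_name = "Inherit a tag from the resource group if missing"
}

resource "azurerm_management_group_policy_assignment" "inherit_tag" {
  for_each             = local.inherited_tags
  name                 = "inherit-tag-${lower(each.key)}" # stays under the 24-char limit
  management_group_id  = local.mg_id
  policy_definition_id = data.azurerm_policy_definition.inherit_tag.id
  location             = "westeurope" # required whenever an identity block is set

  parameters = jsonencode({ tagName = { value = each.key } })

  # Same principal for every assignment instead of type = "SystemAssigned".
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.policy_remediation.id]
  }

  # Make sure the role exists before remediation tasks try to use the identity.
  depends_on = [azurerm_role_assignment.policy_remediation]
}
```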
This is something we will put in the backlog for the next release.