Configure Azure Virtual Desktop role-based access control using Terraform

Article tested with the following Terraform and Terraform provider versions:

• Terraform v1.1.4
• AzureRM Provider v.2.94.0

Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.

This article will walk through adding our users and Microsoft Entra group and then assign the group to the "Desktop Virtualization User" role, scoped to our host pool.

In this article, you learn how to:

• Use Terraform to read Microsoft Entra existing users
• Use Terraform to create Microsoft Entra group
• Role assignment for Azure Virtual Desktop

1. Configure your environment

• Azure subscription: If you don't have an Azure subscription, create a free account before you begin.

• Configure Terraform: If you haven't already done so, configure Terraform using one of the following options:

  • Configure Terraform in Azure Cloud Shell with Bash
  • Configure Terraform in Azure Cloud Shell with PowerShell
  • Configure Terraform in Windows with Bash
  • Configure Terraform in Windows with PowerShell

2. Implement the Terraform code

1. Create a directory in which to test the sample Terraform code and make it the current directory.

2. Create a file named providers.tf and insert the following code:

   terraform {
     required_providers {
       azurerm = {
         source  = "hashicorp/azurerm"
         version = "~>2.0"
       }
       azuread = {
         source = "hashicorp/azuread"
       }
     }
   }
   
   provider "azurerm" {
     features {}
   }
   

3. Create a file named main.tf and insert the following code:

   data "azuread_user" "aad_user" {
     for_each            = toset(var.avd_users)
     user_principal_name = format("%s", each.key)
   }
   
   data "azurerm_role_definition" "role" { # access an existing built-in role
     name = "Desktop Virtualization User"
   }
   
   resource "azuread_group" "aad_group" {
     display_name     = var.aad_group_name
     security_enabled = true
   }
   
   resource "azuread_group_member" "aad_group_member" {
     for_each         = data.azuread_user.aad_user
     group_object_id  = azuread_group.aad_group.id
     member_object_id = each.value["id"]
   }
   
   resource "azurerm_role_assignment" "role" {
     scope              = azurerm_virtual_desktop_application_group.dag.id
     role_definition_id = data.azurerm_role_definition.role.id
     principal_id       = azuread_group.aad_group.id
   }
   

4. Create a file named variables.tf and insert the following code:

variable "avd_users" {
  description = "AVD users"
  default = [
    "avduser01@contoso.net",
    "avduser02@contoso.net"
  ]
}

variable "aad_group_name" {
  type        = string
  default     = "AVDUsers"
  description = "Azure Active Directory Group for AVD users"
}

1. Create a file named output.tf and insert the following code:

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = azuread_group.aad_group.display_name
}

6. Initialize Terraform

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.

terraform init -upgrade

Key points:

• The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.

7. Create a Terraform execution plan

Run terraform plan to create an execution plan.

terraform plan -out main.tfplan

Key points:

• The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
• The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.

8. Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply main.tfplan

Key points:

• The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
• If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
• If you didn't use the -out parameter, call terraform apply without any parameters.

You are now ready to build and deploy your infrastructure with role based access control.

9. Clean up resources

When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

   terraform plan -destroy -out main.destroy.tfplan
   

   Key points:

   • The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
   • The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.

2. Run terraform apply to apply the execution plan.

   terraform apply main.destroy.tfplan
   

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps

Learn more about Configuring Azure Virtual Desktop session hosts using Terraform in Azure