@Alex Blanchard Thanks for sharing more details.
Based on the above discussion, I understand that when you look at the Azure role assignment blade of the user assigned identity in the portal UI as shown below, you can see the RBAC role (App Configuration Data Reader) is assigned to an Entra group, which you want to achieve using Terraform.
You are seeing the Entra group name in AssignedTo since that particular managed identity is part of that Entra group, and you can identify the scope (to which resource this permission is assigned) using the resource column in the above image.
If my above understanding is correct, you can use the below Terraform script to create a user assigned identity, add it to the Entra group and assign the App Configuration Data Reader RBAC role to the Entra group with scope at resource group level.
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
    # The azuread provider is used below, so it must be declared as well.
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

# Look up the existing resource group.
data "azurerm_resource_group" "rggrp" {
  name = "{{Existing ResourceGroup Name}}"
}

# Create user assigned identity.
resource "azurerm_user_assigned_identity" "userMI" {
  name                = "{{UserAssigned Identity Name}}"
  location            = data.azurerm_resource_group.rggrp.location
  resource_group_name = data.azurerm_resource_group.rggrp.name
}

# Fetch specific Entra group.
data "azuread_group" "existinggroup" {
  display_name     = "{{Existing Entra Group Name}}"
  security_enabled = true
}

# Resource block to add User assigned MI to Entra group.
resource "azuread_group_member" "adduser_to_group" {
  group_object_id  = data.azuread_group.existinggroup.object_id
  member_object_id = azurerm_user_assigned_identity.userMI.principal_id
}

# Resource block to add App Configuration Data Reader RBAC on Entra group with scope to resource group.
resource "azurerm_role_assignment" "addingroleassignemnt" {
  # Scope must reference the data source declared above (rggrp).
  scope                = data.azurerm_resource_group.rggrp.id
  principal_id         = azuread_group_member.adduser_to_group.group_object_id
  role_definition_name = "App Configuration Data Reader"
}
```
Hope this helps, let me know if you have any further questions on this.