Terraform module azurerm_network_watcher_flow_log - summary custom permissions needed for this module

Mituś Wojciech 45 Reputation points
2023-09-19T13:31:32.6866667+00:00

Hello, I'm trying to deploy the Terraform module azurerm_network_watcher_flow_log without the Owner, Contributor, or Network Contributor roles at the subscription level (this is due to company limitations).

What would be the summary of custom permissions for the SPN so that it can use this module?

I assume that it has to:

  • be able to create NSG Flow Log
  • be able to write to provided storage account
  • be able to turn Traffic Analytics on for a particular Flow Log

So, according to MS documents regarding Network Watcher and Traffic Analytics, my guess would be:

(from https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions?source=recommendations)

  • Microsoft.Network/networkWatchers/configureFlowLog/action (configure a flow log)
  • Microsoft.Network/networkWatchers/queryFlowLogStatus/action (query status for a flow log)
  • Microsoft.Storage/storageAccounts/listServiceSas/Action
  • Microsoft.Storage/storageAccounts/listAccountSas/Action
  • Microsoft.Storage/storageAccounts/listKeys/Action

(from https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq)

  • Microsoft.Network/applicationGateways/read
  • Microsoft.Network/connections/read
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/localNetworkGateways/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/routeTables/read
  • Microsoft.Network/virtualNetworkGateways/read
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.OperationalInsights/workspaces/*

Should the above permissions be enough to use this module?

Thanks,

Wojtek


Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2023-09-20T17:37:58.66+00:00

    @Mituś Wojciech

    Thank you for your patience here, I got a response back from the team. The permissions mentioned above should suffice for your requirement in this scenario.

    Please let us know if you are facing any issues with the rules and we will gladly continue our discussion.

    Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
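As an added example (not code from the question or the answer), the permission set confirmed above written as a least-privilege Terraform custom role and assigned to the deployment SPN; it assumes the role is scoped to the current subscription and that `var.spn_object_id` is a placeholder for the service principal's object id.

```hcl
# Added example (not from the question or answer): the permission set listed
# above as a least-privilege custom role assigned to the deployment SPN.
# Assumptions: role scoped to the current subscription; var.spn_object_id is a
# placeholder for the service principal's object id.

variable "spn_object_id" {
  description = "Object id of the service principal running Terraform (placeholder)"
  type        = string
}

data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "nsg_flow_log_operator" {
  name        = "NSG Flow Log Operator (custom)"
  scope       = data.azurerm_subscription.current.id
  description = "Configure NSG flow logs and Traffic Analytics without Contributor roles"

  permissions {
    actions = [
      # Network Watcher: configure a flow log and query its status
      "Microsoft.Network/networkWatchers/configureFlowLog/action",
      "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
      # Storage account that receives the flow logs
      "Microsoft.Storage/storageAccounts/listServiceSas/Action",
      "Microsoft.Storage/storageAccounts/listAccountSas/Action",
      "Microsoft.Storage/storageAccounts/listKeys/Action",
      # Read-only network access Traffic Analytics needs
      "Microsoft.Network/applicationGateways/read",
      "Microsoft.Network/connections/read",
      "Microsoft.Network/loadBalancers/read",
      "Microsoft.Network/localNetworkGateways/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkSecurityGroups/read",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/routeTables/read",
      "Microsoft.Network/virtualNetworkGateways/read",
      "Microsoft.Network/virtualNetworks/read",
      # Log Analytics workspace used by Traffic Analytics
      "Microsoft.OperationalInsights/workspaces/*",
    ]
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

resource "azurerm_role_assignment" "spn_flow_log" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.nsg_flow_log_operator.role_definition_resource_id
  principal_id       = var.spn_object_id
}
```

Because `listKeys/Action` returns the storage account's access keys, narrowing `scope` and `assignable_scopes` to the resource group that holds the NSGs and the flow-log storage account further reduces what a compromised SPN could reach.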

