APIM permissions

Resource Group Level Permissions

    Resource Group: rg-esp-qa
        Role: Custom role combining API Management Service Contributor
        Permissions:
            Microsoft.Resources/subscriptions/resourceGroups/read
            Microsoft.Resources/subscriptions/resourceGroups/write
            Microsoft.ApiManagement/service/write
            Microsoft.ApiManagement/service/read

    Resource Group: NET-EUS2-QA-RG
        Role: Custom role combining Network Contributor
        Permissions:
            Microsoft.Network/virtualNetworks/read
            Microsoft.Network/virtualNetworks/subnets/read
            Microsoft.Network/virtualNetworks/subnets/join/action

    Resource Group: NET-EUS2-PROD-RG
        Role: Custom role combining Private DNS Zone Contributor
        Permissions:
            Microsoft.Network/privateDnsZones/read
            Microsoft.Network/privateDnsZones/write
            Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
            Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
            Microsoft.Network/privateDnsZones/A/write
            Microsoft.Network/privateDnsZones/A/read

Individual Resource Permissions

    Azure API Management Service (azurerm_api_management)
        Role: API Management Service Contributor
        Permissions:
            Microsoft.ApiManagement/service/write
            Microsoft.ApiManagement/service/read

    Private Endpoint (azurerm_private_endpoint)
        Role: Network Contributor
        Permissions:
            Microsoft.Network/privateEndpoints/write
            Microsoft.Network/privateEndpoints/read

    Private DNS Zone (azurerm_private_dns_zone)
        Role: Private DNS Zone Contributor
        Permissions:
            Microsoft.Network/privateDnsZones/write
            Microsoft.Network/privateDnsZones/read

    Private DNS A Record (azurerm_private_dns_a_record)
        Role: Private DNS Zone Contributor
        Permissions:
            Microsoft.Network/privateDnsZones/A/write
            Microsoft.Network/privateDnsZones/A/read

Data Source Permissions

    Resource Group Data Source (data "azurerm_resource_group")
        Role: Reader
        Permissions:
            Microsoft.Resources/subscriptions/resourceGroups/read

    Virtual Network Data Source (data "azurerm_virtual_network")
        Role: Network Reader
        Permissions:
            Microsoft.Network/virtualNetworks/read

    Subnet Data Source (data "azurerm_subnet")
        Role: Network Reader
        Permissions:
            Microsoft.Network/virtualNetworks/subnets/read
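
The lists above can be checked against each other. The following is an added example, not part of the original page: it builds one custom role definition per resource group, scoped to that group only, and reports any action a Terraform resource or data source needs that none of the three resource-group roles grants. The role name and subscription ID are placeholders, and matching is exact-string because the lists contain no wildcards.

```python
import json

NET = "Microsoft.Network/"
APIM = "Microsoft.ApiManagement/service/"
RGS = "Microsoft.Resources/subscriptions/resourceGroups/"
# Actions granted by the custom role in each resource group (from the list above).
GRANTED = {
    "rg-esp-qa": [RGS + "read", RGS + "write", APIM + "write", APIM + "read"],
    "NET-EUS2-QA-RG": [NET + "virtualNetworks/read",
                       NET + "virtualNetworks/subnets/read",
                       NET + "virtualNetworks/subnets/join/action"],
    "NET-EUS2-PROD-RG": [NET + "privateDnsZones/read",
                         NET + "privateDnsZones/write",
                         NET + "privateDnsZones/virtualNetworkLinks/read",
                         NET + "privateDnsZones/virtualNetworkLinks/write",
                         NET + "privateDnsZones/A/write",
                         NET + "privateDnsZones/A/read"],
}

# Actions each Terraform resource or data source needs (from the list above).
REQUIRED = {
    "azurerm_api_management": [APIM + "write", APIM + "read"],
    "azurerm_private_endpoint": [NET + "privateEndpoints/write", NET + "privateEndpoints/read"],
    "azurerm_private_dns_zone": [NET + "privateDnsZones/write", NET + "privateDnsZones/read"],
    "azurerm_private_dns_a_record": [NET + "privateDnsZones/A/write", NET + "privateDnsZones/A/read"],
    "data.azurerm_resource_group": [RGS + "read"],
    "data.azurerm_virtual_network": [NET + "virtualNetworks/read"],
    "data.azurerm_subnet": [NET + "virtualNetworks/subnets/read"],
}

def role_definition(rg, subscription_id):
    """Custom role definition scoped to one resource group, not the subscription."""
    return {
        "Name": f"apim-deploy-{rg}",  # hypothetical role name
        "IsCustom": True,
        "Actions": sorted(GRANTED[rg]),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}/resourceGroups/{rg}"],
    }

def uncovered():
    """Required actions that no resource-group role grants (exact match, no wildcards)."""
    granted = {a for actions in GRANTED.values() for a in actions}
    gaps = {r: [a for a in need if a not in granted] for r, need in REQUIRED.items()}
    return {r: m for r, m in gaps.items() if m}

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    print(json.dumps([role_definition(rg, sub) for rg in GRANTED], indent=2))
    print("Not granted by any resource-group role:", uncovered())
```

Run against the lists as written, the check flags the two `Microsoft.Network/privateEndpoints` actions needed by `azurerm_private_endpoint`, which appear in none of the three resource-group roles.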
