wip

Author: mrlockstar

infrastructure/bootstrap/hub.bicep

@@ -173,6 +173,19 @@ resource networkContributorAssignment 'Microsoft.Authorization/roleAssignments@2
   }
 }
 
+@description('Let the managed identity assign RBAC roles (required for Azure Virtual Desktop)')
+resource userAccessAdministratorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, hubType, 'UserAccessAdministrator')
+  properties: {
+    roleDefinitionId: subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions',
+      roleID.rbacAdmin
+    )
+    principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
+    description: '${miADOtoAZname} User Access Administrator access to subscription'
+  }
+}
+
 @description('Let the managed identity configure Front door and its resources')
 resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'CDNContributor')

infrastructure/terraform/hub/virtual_desktop.tf

@@ -155,6 +155,47 @@ resource "azurerm_resource_group" "avd_green" {
 #   principal_id         = local.principal_id
 # }
 
+
+data "azuread_service_principal" "avd_ms_sp" {
+  application_id = local.principal_id   # this is your "9cdead84-..." appId
+}
+
+
+resource "azurerm_role_definition" "avd_autoscale_operator" {
+  name        = "AVD Autoscale Operator"
+  scope       = data.azurerm_subscription.current.id
+  description = "Allows Azure Virtual Desktop Autoscale to manage session host power state"
+
+  permissions {
+    actions = [
+      "Microsoft.DesktopVirtualization/hostPools/read",
+      "Microsoft.DesktopVirtualization/hostPools/sessionHosts/read",
+      "Microsoft.DesktopVirtualization/hostPools/sessionHosts/write",
+      "Microsoft.Compute/virtualMachines/start/action",
+      "Microsoft.Compute/virtualMachines/deallocate/action",
+      "Microsoft.Compute/virtualMachines/read",
+      "Microsoft.Insights/autoscalesettings/*"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    data.azurerm_subscription.current.id
+  ]
+}
+
+resource "azurerm_role_assignment" "avd_autoscale_blue_sp" {
+  for_each = local.deploy_blue_avd ? var.regions : {}
+
+  scope              = azurerm_resource_group.avd_blue[each.key].id
+  role_definition_id = azurerm_role_definition.avd_autoscale_operator.id
+  principal_id       = data.azuread_service_principal.avd_ms_sp.object_id
+  principal_type     = "ServicePrincipal"
+
+  # ensure role definition exists first
+  depends_on = [azurerm_role_definition.avd_autoscale_operator]
+}
+
 # Green AVD deployment
 module "virtual-desktop-green" {
   for_each = (local.deploy_green_avd ? var.regions : {})