Forum Discussion
bhushangawale
Dec 05, 2023 - Brass Contributor
Multi-subscription Terraform deployment and Azure DevOps Service Connections
While it is understood that Terraform templates can facilitate multi-subscription deployment through the 'alias' concept, as outlined in the documentation https://registry.terraform.io/providers/hash...
tapandewanjee19
Jun 30, 2026 - Tin Contributor
Use a single Service Principal / Workload Identity that has the required RBAC roles in all target subscriptions, then use Terraform provider aliases to explicitly target each subscription. You don't need one service connection per subscription unless security boundaries require separate identities. The most common and recommended pattern is:
- One Azure DevOps Service Connection.
- One Service Principal/Workload Identity.
- RBAC permissions on all target subscriptions.
- Terraform provider aliases with explicit subscription_id values.
This allows a single terraform plan/apply to deploy resources across multiple Azure subscriptions successfully.
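The pattern from the reply above, written out as an added example that is not part of the original thread. The alias names, variable names, resource group names and location are assumptions, and it assumes the pipeline's single service connection exports the identity's credentials as the ARM_* environment variables, so no secret appears in the configuration.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

# Subscription IDs are supplied by the pipeline (for example TF_VAR_* variables).
variable "hub_subscription_id" { type = string }
variable "spoke_subscription_id" { type = string }

# No unaliased azurerm provider is declared; each resource names its
# subscription explicitly through one of the two aliases below.
# Both aliases authenticate as the same identity (ARM_CLIENT_ID, ARM_TENANT_ID).
provider "azurerm" {
  alias           = "hub"
  subscription_id = var.hub_subscription_id
  features {}
}

provider "azurerm" {
  alias           = "spoke"
  subscription_id = var.spoke_subscription_id
  features {}
}

# The identity needs an RBAC role in each subscription that allows this.
resource "azurerm_resource_group" "hub" {
  provider = azurerm.hub
  name     = "rg-hub-example" # hypothetical name
  location = "westeurope"     # hypothetical location
}

resource "azurerm_resource_group" "spoke" {
  provider = azurerm.spoke
  name     = "rg-spoke-example" # hypothetical name
  location = "westeurope"
}

# Check: read back the subscription each alias actually resolves to,
# so the plan output shows where resources will land before apply.
data "azurerm_subscription" "hub" { provider = azurerm.hub }
data "azurerm_subscription" "spoke" { provider = azurerm.spoke }

output "target_subscriptions" {
  value = {
    hub   = data.azurerm_subscription.hub.display_name
    spoke = data.azurerm_subscription.spoke.display_name
  }
}
```

Because one identity holds roles in every target subscription, scoping each role assignment to the narrowest role and scope the deployment needs limits what a compromised pipeline can reach.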