It is possible to assign app role access for an app registration in terraform using required_resource_access for azuread_application. This will give access to a custom role of my API to another application/service principal.
I would like to do the same for a managed identity, but cannot figure out a way to do that with terraform. It can be done with PowerShell, e.g.:
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
This call to the Graph API would achieve the same, I think:
POST /servicePrincipals/{objectId}/appRoleAssignments
But I'd really love to do that with terraform if possible.
There is no such built-in resource in Terraform to achieve this; the only related thing here is azuread_application_app_role. If you want to do that, the workaround is to run the PowerShell command in Terraform manually via the local-exec provisioner.
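As an added illustration of the local-exec workaround described in the answer above (example code, not from the original post or from either Terraform provider): the PowerShell cmdlet from the question is wired into a null_resource so the assignment runs as part of terraform apply. The API display name, identity name, resource group, location and the app_role_id variable are placeholders, and it assumes an already authenticated AzureAD PowerShell session (Connect-AzureAD) on the host that runs terraform.

```hcl
# Added example: grant an app role of the API's service principal to a
# user-assigned managed identity by shelling out to PowerShell from Terraform.
# All names and the app role id below are placeholders, not values from the question.

data "azuread_service_principal" "api" {
  display_name = "my-api"   # service principal of the API that defines the app role (placeholder)
}

resource "azurerm_user_assigned_identity" "worker" {
  name                = "worker-identity"   # placeholder
  resource_group_name = "rg-example"        # placeholder
  location            = "westeurope"        # placeholder
}

variable "app_role_id" {
  description = "GUID of the app role defined on the API's app registration (placeholder, supply your own)"
  type        = string
}

resource "null_resource" "mi_app_role_assignment" {
  # Re-run the assignment whenever the identity, the API or the role changes.
  triggers = {
    principal_id = azurerm_user_assigned_identity.worker.principal_id
    resource_id  = data.azuread_service_principal.api.object_id
    app_role_id  = var.app_role_id
  }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-Command"]
    # Same cmdlet as in the question: ObjectId and PrincipalId are both the
    # managed identity's principal (service principal object) id, ResourceId is
    # the object id of the API's service principal, Id is the app role id.
    command = "New-AzureADServiceAppRoleAssignment -ObjectId ${self.triggers.principal_id} -PrincipalId ${self.triggers.principal_id} -Id ${self.triggers.app_role_id} -ResourceId ${self.triggers.resource_id}"
  }
}
```

Because this is a provisioner and not a managed resource, terraform destroy does not revoke the assignment and a second apply with unchanged triggers will not re-check it, so verify the resulting appRoleAssignment on the identity's service principal after applying.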