NHSDigital · mrlockstar · Mar 19, 2026 · Oct 1, 2025
diff --git a/infrastructure/modules/virtual-desktop/main.tf b/infrastructure/modules/virtual-desktop/main.tf
@@ -58,6 +58,14 @@ resource "azurerm_virtual_desktop_workspace_application_group_association" "this
   workspace_id         = azurerm_virtual_desktop_workspace.this.id
 }
 
+resource "azurerm_role_assignment" "avd_autoscale_hostpool" {
+  count = var.principal_id == null ? 0 : 1
+
+  scope                = azurerm_virtual_desktop_host_pool.this.id
+  role_definition_name = "Desktop Virtualization Power On Off Contributor"
+  principal_id         = var.principal_id
+}
+
 resource "azurerm_role_assignment" "rg_users" {
   scope                = var.resource_group_id
   role_definition_name = "Virtual Machine User Login"

diff --git a/infrastructure/modules/virtual-desktop/variables.tf b/infrastructure/modules/virtual-desktop/variables.tf
@@ -187,3 +187,9 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "principal_id" {
+  description = "The principal (object) ID to assign the 'Desktop Virtualization Power On Off Contributor' role to the host pool. If null, the role assignment will not be created. This maintains backward compatibility for existing deployments. The role is required for autoscaling but can be omitted if autoscaling is not used or the role is assigned manually."
+  type        = string
+  default     = null
+}