Why are the Azure permissions needed for deployment and CI so high and what can we do about it?

[Farmerobot]

For manual deployment to azure using azd up, Owner permissions set statically on the resource group by the tenat admin seem entirely reasonable. azd down is more problematic, as it deletes the whole rg which then needs to be manually recreated again with the original permissions, but it's fine if it's not ran too often. Another solution would be using azd login with an admin account with tenat-wide permissions, but that is extremely unsafe.

However, the CI github pipeline uses both up and down on new groups. It thus requires full permissions to create and destroy any arbitrary resource groups on the tenat and that is a huge and unacceptable security vulnerability.

What is the expected way of handling these permissions? Is the RAG supposed to be on an entirely separate tenat from the rest of our critical infrustructure? Are we supposed to create custom roles with very specific permissions only for certain resource groups?

I have read through the docs/ folder of the repo and I still seem very confused about this. Any help would be appreciated :)