Top / Microsoft Azure / Azure Authorization / Definition

Azure Authorization Definition

This page shows how to write Terraform and Azure Resource Manager for Authorization Definition and write them securely.

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_role_definition (Terraform)

The Definition in Authorization can be configured in Terraform with the resource name azurerm_role_definition. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

dasalebr/azurepipeline_shiftleft

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

olmorigolo/terraform

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

prancer-io/prancer-terramerra

main.tf#L9

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

rogeriopeixotocx/test-kics-circle

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

amit894/tf-aks-modules

rbac.tf#L21

resource "azurerm_role_definition" "network_admin" {
  role_definition_id = "00000000-0000-0000-0000-000000000001"
  name               = "network-admin-role"
  scope              = var.network_resource_group_id

  permissions {

Find out how to use this setting securely with Shisho Cloud

asafsh-cp/teraform

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

mikeh-hmh/Bridgecrew

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

StEustache/TP-Cloud

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my_custom_role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

masanchezp/terragoat

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

shunsuke-shiota/IaC_test

roles.tf#L3

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.current_subscription.id
  description = "This is a custom role created via Terraform"

  permissions {

Find out how to use this setting securely with Shisho Cloud

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_role_definition

There is 1 setting in azurerm_role_definition that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure to grant targeted permissions for roles

It is better to avoid giving too many permissions to a role. By following the principle of least privilege, you can reduce the risk of credential leakage.

Review your Azure Authorization settings

You can check if the azurerm_role_definition setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

assignable_scopes optional computed - list of string
description optional - string
id optional computed - string
name required - string
role_definition_id optional computed - string
role_definition_resource_id optional computed - string
scope required - string
permissions list block
- actions optional - list of string
- data_actions optional - set of string
- not_actions optional - list of string
- not_data_actions optional - set of string
timeouts single block
- create optional - string
- delete optional - string
- read optional - string
- update optional - string

>> from Terraform Registry

Explanation in Terraform Registry

Manages a custom Role Definition, used to assign Roles to Users/Principals. See 'Understand role definitions' in the Azure documentation for more details.

>> from Terraform Registry

Microsoft.Authorization/roleDefinitions (Azure Resource Manager)

The roleDefinitions in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/roleDefinitions. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

juggernauthk108/pastebin

def.json#L22

    "type": "Microsoft.Authorization/roleDefinitions"
  },
  {
    "assignableScopes": [
      "/"
    ],

harsh4870/cloud-custodian