Azure Authorization Definition
This page shows how to write Terraform and Azure Resource Manager configuration for an Authorization Definition, and how to write it securely.
azurerm_role_definition (Terraform)
A role definition in Authorization can be configured in Terraform with the resource name azurerm_role_definition. The following sections show examples of how to use the resource and its parameters.
Example Usage from GitHub
  resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.current_subscription.id
    description = "This is a custom role created via Terraform"
    permissions {
      # permissions body not shown in the excerpt
    }
  }
  resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.primary.id
    description = "This is a custom role created via Terraform"
    permissions {
      # permissions body not shown in the excerpt
    }
  }
  resource "azurerm_role_definition" "network_admin" {
    role_definition_id = "00000000-0000-0000-0000-000000000001"
    name               = "network-admin-role"
    scope              = var.network_resource_group_id
    permissions {
      # permissions body not shown in the excerpt
    }
  }
  resource "azurerm_role_definition" "example" {
    name        = "my_custom_role"
    scope       = data.azurerm_subscription.current_subscription.id
    description = "This is a custom role created via Terraform"
    permissions {
      # permissions body not shown in the excerpt
    }
  }
Security Best Practices for azurerm_role_definition
There is one setting in azurerm_role_definition that needs attention for security reasons. The following section gives an overview and example code.
Ensure to grant targeted permissions for roles
Avoid granting a role more permissions than it needs. Following the principle of least privilege reduces the risk posed by credential leakage.
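The following is an added example, not code from the page or the Terraform provider: it evaluates the actions/notActions of a role definition (the same data the permissions block above and the ARM permissions array below carry) using Azure's wildcard matching rules, and flags grants that are wider than a targeted role should be. The sample roles and their names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


def action_matches(pattern: str, operation: str) -> bool:
    # Azure RBAC action strings are case-insensitive and "*" matches any run
    # of characters, "/" included: "Microsoft.Compute/*/read" covers
    # "Microsoft.Compute/virtualMachines/extensions/read".
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


@dataclass
class RolePermissions:
    actions: list[str] = field(default_factory=list)
    not_actions: list[str] = field(default_factory=list)

    @classmethod
    def from_arm(cls, properties: dict) -> "RolePermissions":
        # Flatten the "permissions" array of an ARM roleDefinitions resource.
        perms = properties.get("permissions", [])
        return cls(
            actions=[a for p in perms for a in p.get("actions", [])],
            not_actions=[n for p in perms for n in p.get("notActions", [])],
        )

    def allows(self, operation: str) -> bool:
        # notActions subtract from actions; they are not a deny rule.
        granted = any(action_matches(a, operation) for a in self.actions)
        excluded = any(action_matches(n, operation) for n in self.not_actions)
        return granted and not excluded

    def broad_grants(self) -> list[str]:
        # Flag cross-provider wildcards ("*", "*/read") and patterns ending
        # in "*", which grant write and delete on everything they match.
        return [a for a in self.actions
                if "*" in a.split("/", 1)[0] or a.endswith("*")]


# Constructed sample roles (not from the page): the "do anything" role next
# to a targeted role that reads networking and can write virtual networks.
OVERLY_BROAD = RolePermissions(actions=["*"])
TARGETED = RolePermissions.from_arm({
    "roleName": "network-reader-vnet-writer",
    "permissions": [{
        "actions": ["Microsoft.Network/*/read",
                    "Microsoft.Network/virtualNetworks/write"],
        "notActions": ["Microsoft.Network/networkSecurityGroups/*/read"],
    }],
})
```

Run `broad_grants()` over each role in a plan review: a non-empty result is the signal to replace the wildcard with the specific actions the role's workload actually invokes.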
Parameters
- assignable_scopes: optional, computed - list of string
- description: optional - string
- id: optional, computed - string
- name: required - string
- role_definition_id: optional, computed - string
- role_definition_resource_id: optional, computed - string
- scope: required - string
- permissions: list block
  - actions: optional - list of string
  - data_actions: optional - set of string
  - not_actions: optional - list of string
  - not_data_actions: optional - set of string
- timeouts: single block
Explanation in Terraform Registry
Manages a custom Role Definition, used to assign Roles to Users/Principals. See 'Understand role definitions' in the Azure documentation for more details.
Microsoft.Authorization/roleDefinitions (Azure Resource Manager)
The roleDefinitions resource in Microsoft.Authorization can be configured in Azure Resource Manager with the resource name Microsoft.Authorization/roleDefinitions. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
    "type": "Microsoft.Authorization/roleDefinitions"
  },
  {
    "assignableScopes": [
      "/"
    ],
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "a7b1b19a-0e83-4fe5-935c-faaefbfd18c3"
  },
  {
    "properties": {
      "roleName": "Avere Cluster Runtime Operator",
    "type": "Microsoft.Authorization/roleDefinitions",
    "apiVersion": "2021-02-01",
    "name": "invalidTopLevel",
    "properties": {
      "permissions": [
        {
Parameters
- name: required - string
- type: required - string
- apiVersion: required - string
- properties: required
  - roleName: optional - string. The role name.
  - description: optional - string. The role definition description.
  - type: optional - string. The role type.
  - permissions: optional - array
    - actions: optional - array. Allowed actions.
    - notActions: optional - array. Denied actions.
  - assignableScopes: optional - array. Role definition assignable scopes.
Frequently asked questions
What is Azure Authorization Definition?
Azure Authorization Definition is a resource for Authorization in Microsoft Azure. Its settings can be written in Terraform.
Where can I find the example code for the Azure Authorization Definition?
For Terraform, the dasalebr/azurepipeline_shiftleft, olmorigolo/terraform and prancer-io/prancer-terramerra source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the juggernauthk108/pastebin, harsh4870/cloud-custodian and fugue/regula source code examples are useful. See the Azure Resource Manager Example section for further details.