Role Definition

Azure Role Definitions are a set of permissions that define the actions that a user, group, or application can perform on Azure resources. Role definitions are used to grant access to Azure resources and manage permissions for users and groups. Each role definition consists of a set of permissions that define what actions are allowed or denied on specific Azure resources. The permissions are defined using Azure Resource Manager templates and are stored as JSON files in Azure. The role definitions can be customized to suit the specific needs of an organization. Azure provides a set of built-in role definitions that can be used to grant access to resources, such as Owner, Contributor, Reader, and User Access Administrator. These built-in roles have pre-defined permissions that can be assigned to users and groups. In addition to the built-in roles, users can create custom role definitions with specific permissions tailored to their needs. Custom role definitions can be created using Azure Resource Manager templates or the Azure portal. Users can define the permissions for each role, specify the scope of the role, and assign the role to users and groups.‍

Terraform Name

azurerm_role_definition

Role Definition

attributes:

The following arguments are supported:

role_definition_id - (Optional) A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
name - (Required) The name of the Role Definition.
scope - (Required) The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
description - (Optional) A description of the Role Definition.
permissions - (Optional) A permissions block as defined below.
assignable_scopes - (Optional) One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

NOTE:

The value for scope is automatically included in this list if no other values supplied.

A permissions block as the following properties:

actions - (Optional) One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
data_actions - (Optional) One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
not_actions - (Optional) One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
not_data_actions - (Optional) One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.

‍

Associating resources with a

Role Definition

Resources do not "belong" to a

Role Definition

Rather, one or more Security Groups are associated to a resource.

Create

Role Definition

via Terraform:

The following HCL manages a custom Role Definition, used to assign Roles to Users/Principals

Syntax:

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
name = "my-custom-role"
scope = data.azurerm_subscription.primary.id
description = "This is a custom role created via Terraform"

permissions {
actions = ["*"]
not_actions = []
}

assignable_scopes = [
data.azurerm_subscription.primary.id, # /subscriptions/00000000-0000-0000-0000-000000000000
]
}

Create

Role Definition

via CLI:

Parametres:

az role definition create --role-definition

‍

Example:

az role definition create --role-definition '{
"Name": "Contoso On-call",
"Description": "Perform VM actions and read storage and network information.",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Network/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"DataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"NotDataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}'

Role Definition

Terraform Name

Costs

Indirect Cost