
Data Source: azurermRoleDefinition

Use this data source to access information about an existing Role Definition.

Example Usage

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const dataAzurermRoleDefinitionBuiltin =
  new azurerm.dataAzurermRoleDefinition.DataAzurermRoleDefinition(
    this,
    "builtin",
    {
      name: "Contributor",
    }
  );
const dataAzurermSubscriptionPrimary =
  new azurerm.dataAzurermSubscription.DataAzurermSubscription(
    this,
    "primary",
    {}
  );
new cdktf.TerraformOutput(this, "contributor_role_definition_id", {
  value: dataAzurermRoleDefinitionBuiltin.id,
});
const azurermRoleDefinitionCustom = new azurerm.roleDefinition.RoleDefinition(
  this,
  "custom",
  {
    name: "CustomRoleDef",
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: dataAzurermSubscriptionPrimary.id,
  }
);
const dataAzurermRoleDefinitionCustom =
  new azurerm.dataAzurermRoleDefinition.DataAzurermRoleDefinition(
    this,
    "custom_4",
    {
      roleDefinitionId: azurermRoleDefinitionCustom.roleDefinitionId,
      scope: dataAzurermSubscriptionPrimary.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermRoleDefinitionCustom.overrideLogicalId("custom");
new azurerm.dataAzurermRoleDefinition.DataAzurermRoleDefinition(
  this,
  "custom-byname",
  {
    name: azurermRoleDefinitionCustom.name,
    scope: dataAzurermSubscriptionPrimary.id,
  }
);
new cdktf.TerraformOutput(this, "custom_role_definition_id", {
  value: dataAzurermRoleDefinitionCustom.id,
});

Argument Reference

  • name - (Optional) Specifies the Name of either a built-in or custom Role Definition.

Note: You can also use this for built-in roles such as Contributor, Owner, Reader and Virtual Machine Contributor.

  • roleDefinitionId - (Optional) Specifies the ID of the Role Definition as a UUID/GUID.
  • scope - (Optional) Specifies the Scope at which the Custom Role Definition exists.

Note: One of name or roleDefinitionId must be specified.

Attributes Reference

  • id - the ID of the built-in Role Definition.
  • description - the Description of the built-in Role.
  • type - the Type of the Role.
  • permissions - a permissions block as documented below.
  • assignableScopes - One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

A permissions block contains:

  • actions - a list of actions supported by this role
  • notActions - a list of actions which are excluded from the actions granted by this role
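
The attributes above can be reviewed before a role definition's id is used in an assignment. The following is an added example, not part of the provider documentation or the generated bindings: it takes plain objects shaped like the permissions and assignableScopes attributes and reports broad grants. The wildcard matching rule, the SENSITIVE_ACTIONS list, the function names and both sample roles are assumptions made for illustration.

```typescript
// Attributes exported by the data source (names from the Attributes Reference).
interface PermissionBlock { actions: string[]; notActions: string[] }
interface RoleDefAttrs { permissions: PermissionBlock[]; assignableScopes: string[] }

// Simplified model (assumption): patterns are case-insensitive and "*" matches any run of characters.
function matchesPattern(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// Granted = listed in a block's actions and not excluded by that block's notActions.
function grantsAction(role: RoleDefAttrs, action: string): boolean {
  return role.permissions.some(
    (p) =>
      p.actions.some((a) => matchesPattern(a, action)) &&
      !p.notActions.some((n) => matchesPattern(n, action))
  );
}

// Hypothetical review list: actions that change who has access.
const SENSITIVE_ACTIONS: string[] = [
  "Microsoft.Authorization/roleAssignments/write",
  "Microsoft.Authorization/roleDefinitions/write",
];

function auditRole(role: RoleDefAttrs): string[] {
  const findings: string[] = [];
  if (role.permissions.some((p) => p.actions.some((a) => a === "*"))) {
    findings.push("wildcard action *");
  }
  for (const action of SENSITIVE_ACTIONS) {
    if (grantsAction(role, action)) findings.push("grants " + action);
  }
  for (const scope of role.assignableScopes) {
    // "/" or a bare subscription means the role can be assigned very widely.
    if (scope === "/" || /^\/subscriptions\/[^/]+\/?$/i.test(scope)) {
      findings.push("assignable at broad scope " + scope);
    }
  }
  return findings;
}

// Constructed sample inputs, not output from a real subscription.
const contributorLike: RoleDefAttrs = {
  permissions: [{ actions: ["*"], notActions: ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"] }],
  assignableScopes: ["/"],
};
const customAccessAdmin: RoleDefAttrs = {
  permissions: [{ actions: ["Microsoft.Authorization/*"], notActions: [] }],
  assignableScopes: ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup"],
};
```

notActions only subtracts from the same role's actions; a principal that also holds a second role granting the action can still perform it, so the check covers one role definition at a time.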

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • read - (Defaults to 5 minutes) Used when retrieving the Role Definition.