azurermRoleDefinition

Manages a custom Role Definition, used to assign Roles to Users/Principals. See 'Understand role definitions' in the Azure documentation for more details.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Manual adjustments applied: the generated bindings expose camelCase properties
// (assignableScopes, notActions), and the constructs need an enclosing stack for `this`.
class RoleDefinitionStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new azurerm.provider.AzurermProvider(this, "azurerm", { features: {} });
    const dataAzurermSubscriptionPrimary =
      new azurerm.dataAzurermSubscription.DataAzurermSubscription(this, "primary", {});
    new azurerm.roleDefinition.RoleDefinition(this, "example", {
      assignableScopes: [dataAzurermSubscriptionPrimary.id],
      description: "This is a custom role created via Terraform",
      name: "my-custom-role",
      permissions: [
        {
          // "*" grants every management action at the assignable scope
          actions: ["*"],
          notActions: [],
        },
      ],
      scope: dataAzurermSubscriptionPrimary.id,
    });
  }
}
const app = new App();
new RoleDefinitionStack(app, "role-definition");
app.synth();

Argument Reference

The following arguments are supported:

  • roleDefinitionId - (Optional) A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • name - (Required) The name of the Role Definition.

  • scope - (Required) The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

  • description - (Optional) A description of the Role Definition.

  • permissions - (Optional) A permissions block as defined below.

  • assignableScopes - (Optional) One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

~> NOTE: The value for scope is automatically included in this list if no other values are supplied.

A permissions block has the following properties:

Attributes Reference

The following attributes are exported:

  • id - This ID is specific to Terraform - and is of the format {roleDefinitionId}|{scope}.

  • roleDefinitionId - (Optional) The Role Definition ID. Changing this forces a new resource to be created.

  • roleDefinitionResourceId - The Azure Resource Manager ID for the resource.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Role Definition.
  • update - (Defaults to 60 minutes) Used when updating the Role Definition.
  • read - (Defaults to 5 minutes) Used when retrieving the Role Definition.
  • delete - (Defaults to 30 minutes) Used when deleting the Role Definition.

Import

Role Definitions can be imported using the resourceId, e.g.

terraform import azurerm_role_definition.example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|/subscriptions/00000000-0000-0000-0000-000000000000"

-> NOTE: This ID is specific to Terraform - and is of the format {roleDefinitionId}|{scope}.
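The wildcard permissions block from the Example Usage and the {roleDefinitionId}|{scope} ID format above, checked locally before a plan is applied. This is an added example, not provider or project code; it assumes Azure RBAC semantics (case-insensitive matching, "*" as a wildcard in action strings, NotActions subtracted from Actions), and the helper names isAllowed, auditRole and parseImportId are hypothetical.

```typescript
// Added example, not part of the azurerm provider or its docs. Assumes Azure RBAC
// semantics: "*" is a wildcard in action strings, matching is case-insensitive,
// and effective rights are Actions minus NotActions.
interface Permissions {
  actions: string[];
  notActions: string[];
}

function escapeRegExp(s: string): string {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// "Microsoft.Compute/*/read" matches "Microsoft.Compute/virtualMachines/read".
function actionMatches(pattern: string, operation: string): boolean {
  const body = pattern.split("*").map(escapeRegExp).join(".*");
  return new RegExp("^" + body + "$", "i").test(operation);
}

// An operation is permitted only if an Actions entry matches and no NotActions entry does.
function isAllowed(p: Permissions, operation: string): boolean {
  const allowed = p.actions.some((a) => actionMatches(a, operation));
  const denied = p.notActions.some((n) => actionMatches(n, operation));
  return allowed && !denied;
}

// Least-privilege findings for a role definition before it is applied.
function auditRole(p: Permissions, assignableScopes: string[]): string[] {
  const findings: string[] = [];
  if (p.actions.some((a) => a.trim() === "*")) {
    findings.push("actions contains '*': the role grants every management operation in scope");
  }
  for (const s of assignableScopes) {
    if (/^\/subscriptions\/[^/]+$/i.test(s)) {
      findings.push(`assignable scope ${s} is an entire subscription`);
    }
  }
  return findings;
}

// The Terraform ID has the form {roleDefinitionId}|{scope} (see Attributes Reference).
function parseImportId(id: string): { roleDefinitionId: string; scope: string } {
  const parts = id.split("|");
  if (parts.length !== 2 || parts.some((x) => x.length === 0)) {
    throw new Error("expected {roleDefinitionId}|{scope}");
  }
  return { roleDefinitionId: parts[0], scope: parts[1] };
}
```

Running auditRole over the Example Usage values (actions ["*"], scope set to the subscription ID) yields two findings; a role built from explicit actions at a resource-group scope yields none.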