Pattern: Missing use of targeted permissions for Azure roles
Issue: -
The permissions granted to a role should be kept to the minimum required to do the task. Wildcard permissions (such as `*`) must not be used, and the role should not be assignable at the tenant root scope (`/`), because that allows it to be assigned to any subscription or resource in the tenant.
Resolution: Use targeted permissions for roles, and restrict assignable_scopes to the subscription, resource group or resource where the role is needed.
Example of incorrect code:

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = ["*"]   # wildcard: grants every management operation
    not_actions = []
  }

  assignable_scopes = [
    "/"                   # tenant root: the role can be assigned anywhere
  ]
}
Example of correct code:

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    # List only the operations the role actually needs; these two are
    # example actions for a role that may read and start virtual machines.
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/start/action",
    ]
    not_actions = []
  }

  # Restrict assignment to the subscription instead of the tenant root.
  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}
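The following is an added example, not part of this rule's page or of any scanner's own code. It shows how the two conditions described above (a wildcard in actions, and the tenant root `/` in assignable_scopes) can be checked mechanically against the JSON that `terraform show -json` emits for a plan. The plan document, the resource addresses (`azurerm_role_definition.too_broad`, `azurerm_role_definition.targeted`) and the subscription id are constructed sample data; the field names (`planned_values`, `root_module`, `resources`, `values`, `permissions`, `assignable_scopes`) follow the Terraform plan JSON format.

```python
"""Flag azurerm_role_definition resources in a Terraform plan JSON that use
wildcard actions or are assignable at the tenant root scope."""
import json

ROOT_SCOPE = "/"


def is_wildcard(action: str) -> bool:
    """True if an Azure RBAC action string contains a wildcard.

    Azure expands '*' to every matching operation, so both a bare '*' and a
    provider-prefixed form such as 'Microsoft.Compute/*' are over-broad."""
    return "*" in action


def _walk_modules(module: dict):
    """Yield every resource in the root module and all nested child modules."""
    for res in module.get("resources", []) or []:
        yield res
    for child in module.get("child_modules", []) or []:
        yield from _walk_modules(child)


def check_role_definitions(plan: dict) -> list:
    """Return (address, finding, value) tuples for each over-broad role definition.

    Findings:
      wildcard_action / wildcard_data_action : an action string contains '*'
      root_assignable_scope                  : assignable_scopes contains '/'
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "azurerm_role_definition":
            continue
        address = res.get("address", res.get("name", "<unknown>"))
        values = res.get("values", {}) or {}
        # 'permissions' is a block, so the plan JSON renders it as a list of objects.
        for block in values.get("permissions", []) or []:
            for action in block.get("actions", []) or []:
                if is_wildcard(action):
                    findings.append((address, "wildcard_action", action))
            for action in block.get("data_actions", []) or []:
                if is_wildcard(action):
                    findings.append((address, "wildcard_data_action", action))
        for scope in values.get("assignable_scopes", []) or []:
            if scope == ROOT_SCOPE:
                findings.append((address, "root_assignable_scope", scope))
    return findings


# Constructed sample plan: one resource mirroring the incorrect example above,
# one mirroring the corrected example. The subscription id is a placeholder.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_role_definition.too_broad",
                    "type": "azurerm_role_definition",
                    "name": "too_broad",
                    "values": {
                        "name": "my-custom-role",
                        "permissions": [{"actions": ["*"], "not_actions": [],
                                         "data_actions": [], "not_data_actions": []}],
                        "assignable_scopes": ["/"],
                    },
                },
                {
                    "address": "azurerm_role_definition.targeted",
                    "type": "azurerm_role_definition",
                    "name": "targeted",
                    "values": {
                        "name": "my-custom-role",
                        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                                     "Microsoft.Compute/virtualMachines/start/action"],
                                         "not_actions": [], "data_actions": [],
                                         "not_data_actions": []}],
                        "assignable_scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
                    },
                },
            ]
        }
    },
}


if __name__ == "__main__":
    # Real use: terraform show -json tfplan > plan.json; python check.py plan.json
    for address, finding, value in check_role_definitions(json.loads(json.dumps(SAMPLE_PLAN))):
        print(f"{address}: {finding} ({value})")
```

Running the script against the sample plan reports the two findings for `azurerm_role_definition.too_broad` and nothing for the targeted role; wiring the same function into a CI step on the real plan JSON gives a pre-apply gate for this pattern.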