I’m trying to create a role which I use to create user identity / api permissions mapping. I’d like to add each api as an assignable_scope in the role, but I’m not sure what would go in the scope field in that case. Do I need to put the lowest scope that encompasses all the assignable scopes? If so, do I need to include that scope as a separate entry in the assignable scopes?
This is what the documentation says:
```hcl
resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id, # /subscriptions/00000000-0000-0000-0000-000000000000
  ]
}
```
- `scope` - (Required) The scope at which the Role Definition applies, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`. It is recommended to use the first entry of the `assignable_scopes`. Changing this forces a new resource to be created.
- `assignable_scopes` - (Optional) One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
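The documentation excerpt above allows several assignable scopes and recommends that `scope` equal the first of them. As an added example (not from the question or from the provider's docs), this role lists two resource groups as assignable scopes, sets `scope` to the first one, and replaces the wildcard `actions = ["*"]` with a narrow action list; the resource group names, role name, variable and action set are assumptions.

```hcl
# Added example: two resource groups as assignable scopes, `scope` set to the
# first entry as the docs recommend. Names and the action list are assumptions.
data "azurerm_resource_group" "app_a" {
  name = "rg-app-a" # assumed existing resource group
}

data "azurerm_resource_group" "app_b" {
  name = "rg-app-b" # assumed existing resource group
}

variable "operator_object_id" {
  description = "Object ID of the principal that receives the role (assumed input)"
  type        = string
}

resource "azurerm_role_definition" "vm_operator" {
  name        = "vm-reader-restart"                  # assumed role name
  scope       = data.azurerm_resource_group.app_a.id # first assignable scope
  description = "Read and restart VMs in the two application resource groups"

  permissions {
    # Least-privilege alternative to actions = ["*"]: only what the job needs.
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/restart/action",
    ]
    not_actions = []
  }

  # Every scope the role may later be assigned at; `scope` above is entry one.
  assignable_scopes = [
    data.azurerm_resource_group.app_a.id,
    data.azurerm_resource_group.app_b.id,
  ]
}

# An assignment must target a scope covered by assignable_scopes; here the
# second resource group, which is listed above even though it is not `scope`.
resource "azurerm_role_assignment" "vm_operator_app_b" {
  scope              = data.azurerm_resource_group.app_b.id
  role_definition_id = azurerm_role_definition.vm_operator.role_definition_resource_id
  principal_id       = var.operator_object_id
}
```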