Role Definition Allows Custom Role Creation

  • Query id: 3fa5900f-9aac-4982-96b2-a6143d9c99fb
  • Query name: Role Definition Allows Custom Role Creation
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

A role definition should not grant the permission to create or modify role definitions (the Microsoft.Authorization/roleDefinitions/write action), either explicitly or through a wildcard such as "*" that covers it. A principal holding such a role can author new roles with any permissions and escalate beyond the role it was given.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Flagged: the role explicitly grants roleDefinitions/write
resource "azurerm_role_definition" "example2" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/write"]
    not_actions = []
  }
}
Positive test num. 2 - tf file
# Flagged: the "*" wildcard covers every action, including roleDefinitions/write
resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions     = ["*"]
    not_actions = []
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Passes: read-only access to role definitions, no write action granted
resource "azurerm_role_definition" "example3" {
  role_definition_id = "00000000-0000-0000-0000-000000000000"
  name               = "my-custom-role-definition"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Authorization/roleDefinitions/read"]
    not_actions = []
  }
}
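The check this page describes, written out as a small scanner so the decision rule is explicit. This is an added example, not the KICS query itself (KICS queries are written in Rego); it goes a little beyond the page by treating any Azure RBAC wildcard pattern that covers roleDefinitions/write (for example "Microsoft.Authorization/*") as a grant, and by honouring a not_actions entry that takes the write action back again. It operates on Terraform's JSON syntax (resource bodies keyed by type and name), and the input below is a constructed copy of the three samples above plus one extra wildcard-with-exclusion resource.

```python
"""Flag azurerm_role_definition resources that grant roleDefinitions/write.

Added example, not the KICS query. Input shape follows Terraform JSON syntax:
{"resource": {"azurerm_role_definition": {"<name>": {...}}}}.
"""
from fnmatch import fnmatchcase

ROLE_DEF_WRITE = "Microsoft.Authorization/roleDefinitions/write"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive and may contain '*'
    wildcards; '*' alone matches every action."""
    return fnmatchcase(action.lower(), pattern.lower())


def grants_role_definition_write(permissions: list) -> bool:
    """True if some permissions block grants roleDefinitions/write (directly
    or via a wildcard) and its not_actions do not exclude it again."""
    for block in permissions:
        actions = block.get("actions") or []
        not_actions = block.get("not_actions") or []
        allowed = any(action_matches(p, ROLE_DEF_WRITE) for p in actions)
        denied = any(action_matches(p, ROLE_DEF_WRITE) for p in not_actions)
        if allowed and not denied:
            return True
    return False


def find_violations(tf_json: dict) -> list:
    """Return the names of azurerm_role_definition resources that violate the rule."""
    findings = []
    role_defs = tf_json.get("resource", {}).get("azurerm_role_definition", {})
    for name, body in role_defs.items():
        perms = body.get("permissions", [])
        if isinstance(perms, dict):      # single nested block written as an object
            perms = [perms]
        if grants_role_definition_write(perms):
            findings.append(name)
    return findings


# Constructed input: the page's three samples plus a wildcard role that
# explicitly excludes the write action through not_actions.
SCOPE = "${data.azurerm_subscription.primary.id}"
SAMPLE_TF_JSON = {
    "resource": {
        "azurerm_role_definition": {
            "example2": {
                "name": "my-custom-role-definition", "scope": SCOPE,
                "permissions": [{"actions": [ROLE_DEF_WRITE], "not_actions": []}],
            },
            "example": {
                "name": "my-custom-role", "scope": SCOPE,
                "permissions": [{"actions": ["*"], "not_actions": []}],
            },
            "example3": {
                "name": "my-custom-role-definition", "scope": SCOPE,
                "permissions": [{"actions": ["Microsoft.Authorization/roleDefinitions/read"],
                                 "not_actions": []}],
            },
            "example4": {
                "name": "authz-reader-no-role-write", "scope": SCOPE,
                "permissions": [{"actions": ["Microsoft.Authorization/*"],
                                 "not_actions": [ROLE_DEF_WRITE]}],
            },
        }
    }
}


if __name__ == "__main__":
    for name in find_violations(SAMPLE_TF_JSON):
        print(f"azurerm_role_definition.{name}: grants {ROLE_DEF_WRITE}")
```

Running it reports example2 and example; example3 only reads role definitions, and example4's not_actions removes the write action that its wildcard would otherwise include. The wildcard handling is the part worth keeping in mind when reviewing role definitions by eye: a pattern such as "Microsoft.Authorization/*/write" grants the action just as surely as spelling it out.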