Skip to main content

azurerm_role_definitions resource

[edit on GitHub]

Use the azurerm_role_definitions InSpec audit resource to test properties of some or all Azure Role Definitions.

Azure REST API version

This resource interacts with version 2015-07-01 of the Azure Graph API. For more information see the official Azure documentation.

At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.



This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

  - name: inspec-azure

You’ll also need to setup your Azure credentials; see the resource pack README.


This resource first became available in 1.3.7 of the inspec-azure resource pack.


An azurerm_role_definitions resource block returns all Role definitions within a subscription and allows testing of them.

describe azurerm_role_definitions do


The following examples show how to use this InSpec audit resource.

Check a role has the correct permissions are present

describe azurerm_role_definitions.where{name.eql?(‘Custom-Admin’)} do its (‘properties.first.permissions.first’) { should have_attributes(actions: ['*']) } end

Check a role does not have certain permissions

describe azurerm_role_definitions do
  its ('properties.first.permissions.first')  { should have_attributes(notActions: [
  ]) }

Filter Criteria


Filters the results to include only those resource groups that match the given name. This is a string value.

describe azurerm_role_definitions.where{name.eql?('Custom-Admin') } do
  it { should exist }


  • ids
  • names
  • properties


The Object IDs of the Roles.


The names of the Roles. For a built-in role this will be an Azure generated UUID. For a CustomRole this will be the name you specified on creation.


Additional properties available for the Roles. May be accessed with dot notation in controls.


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.


The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

describe azurerm_role_definitions do
  it { should exist }

Azure Permissions

Your Service Principal must be setup with a contributor role on the subscription you wish to test.

Was this page helpful?


Search Results