include::../common/summary.adoc[]

== Why is this an issue?

include::../common/description.adoc[]

=== What is the potential impact?

include::../common/impact/description.adoc[]

== How to fix it

include::../common/fix/rationale.adoc[]

=== Code examples

==== Noncompliant code example

[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "azurerm_role_definition" "example" { # Sensitive
  name        = "example"
  scope       = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [ 
    data.azurerm_subscription.primary.id 
  ]
}
----

==== Compliant solution

[source,terraform,diff-id=1,diff-type=compliant]
----
resource "azurerm_role_definition" "example" {
  name        = "example"
  scope       = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.Compute/*"]
    not_actions = []
  }

  assignable_scopes = [ 
    data.azurerm_subscription.primary.id 
  ]
}
----

include::../common/fix/extra-mile.adoc[]

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]