
I am creating an Azure custom role for blob storage access.

I started with the Azure CLI, and when I convert the JSON file to a Terraform file, there is an extra parameter, scope.

It appears that the scope parameter in the Azure REST API controls where the role is defined (subscription, tenant or deeper).

Is it correct?


1 Answer


That's correct. The value for your scope parameter would depend on the level at which the role is defined. It could be one of the following values:

  • subscriptions/{subscriptionId}: Custom role is scoped at a subscription level.

  • subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}: Custom role is scoped at a resource group level.

  • subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}/providers/Microsoft.Web/sites/{site1}: Custom role is scoped at a resource level.

  • providers/Microsoft.Management/managementGroups/{groupId1}: Custom role is scoped at a management group level.

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest#list-custom-roles-at-a-scope
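As an added illustration (not part of the question or answer above), here is a Terraform `azurerm_role_definition` for read-only blob access that shows how `scope` (where the definition lives) differs from `assignable_scopes` (where it may be assigned). It assumes the azurerm provider is authenticated and that a resource group named `rg-storage-example` exists; that name is a placeholder.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Subscription of the current credentials; its id attribute has the
# form /subscriptions/{subscriptionId}, i.e. a subscription-level scope.
data "azurerm_subscription" "current" {}

# Resource group holding the storage accounts (placeholder name, assumed).
data "azurerm_resource_group" "storage" {
  name = "rg-storage-example"
}

# `scope` is the level at which the custom role definition is created
# (here the subscription). `assignable_scopes` is deliberately narrower:
# the role can only be assigned inside one resource group, which keeps
# the blast radius of a later mis-assignment small.
resource "azurerm_role_definition" "blob_reader" {
  name        = "Custom Blob Reader (example)"
  scope       = data.azurerm_subscription.current.id
  description = "List containers and read blobs; no write or delete."

  permissions {
    # Control-plane actions: enumerate accounts and containers only.
    actions = [
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    ]
    not_actions = []
    # Data-plane action: read blob contents, nothing else.
    data_actions = [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ]
    not_data_actions = []
  }

  assignable_scopes = [
    data.azurerm_resource_group.storage.id,
  ]
}
```

After `terraform apply`, `az role definition list --custom-role-only true` shows the new definition with its assignableScopes, which is a quick check that the role cannot be assigned outside the intended resource group.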