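import * as pulumi from "@pulumi/pulumi";
/**
 * Assigns a given Principal (User or Group) to a given Role in a Private Azure Marketplace.
 *
 * ## Example Usage
 *
 * ### Using A Role Definition Name
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = azure.core.getClientConfig({});
 * const exampleRoleAssignment = new azure.marketplace.RoleAssignment("example", {
 *     roleDefinitionName: "Marketplace Admin",
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ### Using A Role Definition ID
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = azure.core.getClientConfig({});
 * const exampleGetRoleDefinition = azure.authorization.getRoleDefinition({
 *     name: "Log Analytics Reader",
 * });
 * const exampleRoleAssignment = new azure.marketplace.RoleAssignment("example", {
 *     roleDefinitionId: exampleGetRoleDefinition.then(exampleGetRoleDefinition => exampleGetRoleDefinition.id),
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Authorization` - 2022-05-01-preview, 2022-04-01
 *
 * ## Import
 *
 * Role Assignments can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:marketplace/roleAssignment:RoleAssignment example /providers/Microsoft.Marketplace/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
 * ```
 *
 * > **Note:** For cross tenant scenarios, the format of the `resource id` consists of the Azure resource ID and the tenant ID.
 */
export declare class RoleAssignment extends pulumi.CustomResource {
    /**
     * Get an existing RoleAssignment resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RoleAssignmentState, opts?: pulumi.CustomResourceOptions): RoleAssignment;
    /**
     * Returns true if the given object is an instance of RoleAssignment. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is RoleAssignment;
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    readonly condition: pulumi.Output<string | undefined>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     */
    readonly conditionVersion: pulumi.Output<string | undefined>;
    /**
     * The delegated Azure Resource ID which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    readonly delegatedManagedIdentityResourceId: pulumi.Output<string | undefined>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications). To assign Azure roles, the calling Principal (the identity creating the assignment, not the `principalId` being assigned) must have `Microsoft.Authorization/roleAssignments/write` permissions. See [documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) for more information.
     */
    readonly principalId: pulumi.Output<string>;
    /**
     * The type of the `principalId`, e.g. User, Group, Service Principal, Application, etc.
     */
    readonly principalType: pulumi.Output<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with `roleDefinitionName`.
     */
    readonly roleDefinitionId: pulumi.Output<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with `roleDefinitionId`.
     *
     * > **Note:** To assign `Marketplace Admin` role, the calling Principal must first be assigned Privileged Role Administrator (like `Owner` role) or Global Administrator. See [documentation](https://learn.microsoft.com/en-us/marketplace/create-manage-private-azure-marketplace-new#prerequisites) for more information.
     */
    readonly roleDefinitionName: pulumi.Output<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`. Changing this forces a new resource to be created.
     *
     * > **Note:** This field takes effect only when `principalId` is a `Service Principal` identity.
     */
    readonly skipServicePrincipalAadCheck: pulumi.Output<boolean>;
    /**
     * Create a RoleAssignment resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: RoleAssignmentArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering RoleAssignment resources.
 */
export interface RoleAssignmentState {
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    condition?: pulumi.Input<string>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     */
    conditionVersion?: pulumi.Input<string>;
    /**
     * The delegated Azure Resource ID which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    delegatedManagedIdentityResourceId?: pulumi.Input<string>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    description?: pulumi.Input<string>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications). To assign Azure roles, the calling Principal (the identity creating the assignment, not the `principalId` being assigned) must have `Microsoft.Authorization/roleAssignments/write` permissions. See [documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) for more information.
     */
    principalId?: pulumi.Input<string>;
    /**
     * The type of the `principalId`, e.g. User, Group, Service Principal, Application, etc.
     */
    principalType?: pulumi.Input<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with `roleDefinitionName`.
     */
    roleDefinitionId?: pulumi.Input<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with `roleDefinitionId`.
     *
     * > **Note:** To assign `Marketplace Admin` role, the calling Principal must first be assigned Privileged Role Administrator (like `Owner` role) or Global Administrator. See [documentation](https://learn.microsoft.com/en-us/marketplace/create-manage-private-azure-marketplace-new#prerequisites) for more information.
     */
    roleDefinitionName?: pulumi.Input<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`. Changing this forces a new resource to be created.
     *
     * > **Note:** This field takes effect only when `principalId` is a `Service Principal` identity.
     */
    skipServicePrincipalAadCheck?: pulumi.Input<boolean>;
}
/**
 * The set of arguments for constructing a RoleAssignment resource.
 */
export interface RoleAssignmentArgs {
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    condition?: pulumi.Input<string>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     */
    conditionVersion?: pulumi.Input<string>;
    /**
     * The delegated Azure Resource ID which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    delegatedManagedIdentityResourceId?: pulumi.Input<string>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    description?: pulumi.Input<string>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications). To assign Azure roles, the calling Principal (the identity creating the assignment, not the `principalId` being assigned) must have `Microsoft.Authorization/roleAssignments/write` permissions. See [documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) for more information.
     */
    principalId: pulumi.Input<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with `roleDefinitionName`.
     */
    roleDefinitionId?: pulumi.Input<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with `roleDefinitionId`.
     *
     * > **Note:** To assign `Marketplace Admin` role, the calling Principal must first be assigned Privileged Role Administrator (like `Owner` role) or Global Administrator. See [documentation](https://learn.microsoft.com/en-us/marketplace/create-manage-private-azure-marketplace-new#prerequisites) for more information.
     */
    roleDefinitionName?: pulumi.Input<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`. Changing this forces a new resource to be created.
     *
     * > **Note:** This field takes effect only when `principalId` is a `Service Principal` identity.
     *
     * NOTE(review): with the directory check skipped, a mistyped `principalId` is presumably not caught when the assignment is created; confirm the object ID separately before enabling this.
     */
    skipServicePrincipalAadCheck?: pulumi.Input<boolean>;
}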