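import * as pulumi from "@pulumi/pulumi";

// NOTE(review): this declaration file was recovered from a collapsed listing in
// which the generic type arguments of `pulumi.Input<T>` / `pulumi.Output<T>` had
// been stripped. They are restored below from the documented value kinds
// (strings, one boolean) and the usual Pulumi codegen convention; confirm the
// `| undefined` choices against the published package before relying on them.

/**
 * Assigns a given Principal (User, Group or Service Principal) to a given Role.
 *
 * A role assignment is a privileged operation: it grants every permission of the
 * role definition at the given `scope` and everything beneath it. Prefer the
 * narrowest `scope` that satisfies the use case and, where the assignment is
 * itself about delegating RBAC administration, constrain it with an ABAC
 * `condition` (see the last example).
 *
 * ## Example Usage
 *
 * ### Using A Built-In Role
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const primary = azure.core.getSubscription({});
 * const example = azure.core.getClientConfig({});
 * const exampleAssignment = new azure.authorization.Assignment("example", {
 *     scope: primary.then(primary => primary.id),
 *     roleDefinitionName: "Reader",
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ### Custom Role & Service Principal
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const primary = azure.core.getSubscription({});
 * const example = azure.core.getClientConfig({});
 * const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
 *     roleDefinitionId: "00000000-0000-0000-0000-000000000000",
 *     name: "my-custom-role-definition",
 *     scope: primary.then(primary => primary.id),
 *     permissions: [{
 *         actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
 *         notActions: [],
 *     }],
 *     assignableScopes: [primary.then(primary => primary.id)],
 * });
 * const exampleAssignment = new azure.authorization.Assignment("example", {
 *     name: "00000000-0000-0000-0000-000000000000",
 *     scope: primary.then(primary => primary.id),
 *     roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ### Custom Role & User
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const primary = azure.core.getSubscription({});
 * const example = azure.core.getClientConfig({});
 * const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
 *     roleDefinitionId: "00000000-0000-0000-0000-000000000000",
 *     name: "my-custom-role-definition",
 *     scope: primary.then(primary => primary.id),
 *     permissions: [{
 *         actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
 *         notActions: [],
 *     }],
 *     assignableScopes: [primary.then(primary => primary.id)],
 * });
 * const exampleAssignment = new azure.authorization.Assignment("example", {
 *     name: "00000000-0000-0000-0000-000000000000",
 *     scope: primary.then(primary => primary.id),
 *     roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ### Custom Role & Management Group
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const primary = azure.core.getSubscription({});
 * const example = azure.core.getClientConfig({});
 * const exampleGetGroup = azure.management.getGroup({
 *     name: "00000000-0000-0000-0000-000000000000",
 * });
 * const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
 *     roleDefinitionId: "00000000-0000-0000-0000-000000000000",
 *     name: "my-custom-role-definition",
 *     scope: primary.then(primary => primary.id),
 *     permissions: [{
 *         actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
 *         notActions: [],
 *     }],
 *     assignableScopes: [primary.then(primary => primary.id)],
 * });
 * // Assign at the management-group scope looked up above (the scope must be
 * // covered by the role definition's `assignableScopes`).
 * const exampleAssignment = new azure.authorization.Assignment("example", {
 *     name: "00000000-0000-0000-0000-000000000000",
 *     scope: exampleGetGroup.then(group => group.id),
 *     roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
 *     principalId: example.then(example => example.objectId),
 * });
 * ```
 *
 * ### ABAC Condition
 *
 * The condition below lets the delegated administrator create and delete role
 * assignments only for the `Reader` role definition; any other role assignment
 * `write` or `delete` action is denied.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 * import * as std from "@pulumi/std";
 *
 * const primary = azure.core.getSubscription({});
 * const example = azure.core.getClientConfig({});
 * const builtin = azure.authorization.getRoleDefinition({
 *     name: "Reader",
 * });
 * const exampleAssignment = new azure.authorization.Assignment("example", {
 *     roleDefinitionName: "Role Based Access Control Administrator",
 *     scope: primary.then(primary => primary.id),
 *     principalId: example.then(example => example.objectId),
 *     principalType: "ServicePrincipal",
 *     description: "Role Based Access Control Administrator role assignment with ABAC Condition.",
 *     conditionVersion: "2.0",
 *     // The same role definition GUID is used for both the write and the delete clause.
 *     condition: builtin.then(builtin => std.basename({
 *         input: builtin.roleDefinitionId,
 *     })).then(invoke => `(
 *  (
 *   !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 *  )
 *  OR
 *  (
 *   @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${invoke.result}}
 *  )
 * )
 * AND
 * (
 *  (
 *   !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 *  )
 *  OR
 *  (
 *   @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${invoke.result}}
 *  )
 * )
 * `),
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Authorization` - 2022-05-01-preview, 2022-04-01
 *
 * ## Import
 *
 * Role Assignments can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:role/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
 * ```
 *
 * > **Note:** The format of `resource id` differs depending on the kind of `scope`:
 *
 * * for scope `Subscription`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
 * * for scope `Resource Group`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
 * * for scope `Key Vault`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.KeyVault/vaults/vault1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
 * * for scope `Storage Account`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Storage/storageAccounts/storageAccount1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
 *
 * > **Note:** for cross tenant scenarios, the `resource id` is composed of the Azure resource ID and the tenantId.
 *
 * @deprecated azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
 */
export declare class Assignment extends pulumi.CustomResource {
    /**
     * Get an existing Assignment resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AssignmentState, opts?: pulumi.CustomResourceOptions): Assignment;
    /**
     * Returns true if the given object is an instance of Assignment. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Assignment;
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    readonly condition: pulumi.Output<string | undefined>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     *
     * > **Note:** `condition` is required when `conditionVersion` is set.
     */
    readonly conditionVersion: pulumi.Output<string>;
    /**
     * The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    readonly delegatedManagedIdentityResourceId: pulumi.Output<string | undefined>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications).
     * Passing the Application ID here grants the role to the wrong identity, so take the value from
     * the principal resource or from `getClientConfig().objectId` as in the examples.
     */
    readonly principalId: pulumi.Output<string>;
    /**
     * The type of the `principalId`. Possible values are `User`, `Group` and `ServicePrincipal`. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.
     */
    readonly principalType: pulumi.Output<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created.
     */
    readonly roleDefinitionId: pulumi.Output<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created.
     *
     * > **Note:** Either `roleDefinitionId` or `roleDefinitionName` must be set.
     */
    readonly roleDefinitionName: pulumi.Output<string>;
    /**
     * The scope at which the Role Assignment applies to, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`, or `/providers/Microsoft.Management/managementGroups/myMG`. Changing this forces a new resource to be created.
     *
     * The assignment is inherited by every resource under this scope, so choose the narrowest scope
     * (resource or resource group rather than subscription or management group) that the principal needs.
     */
    readonly scope: pulumi.Output<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`.
     *
     * > **Note:** If it is not a `Service Principal` identity it will cause the role assignment to fail.
     *
     * Setting this disables the directory lookup that confirms the principal exists; leave it at the
     * default unless the service principal is created in the same program and the replication-lag
     * failure is actually observed.
     */
    readonly skipServicePrincipalAadCheck: pulumi.Output<boolean | undefined>;
    /**
     * Create a Assignment resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     * @deprecated azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
     */
    constructor(name: string, args: AssignmentArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Assignment resources.
 */
export interface AssignmentState {
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    condition?: pulumi.Input<string>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     *
     * > **Note:** `condition` is required when `conditionVersion` is set.
     */
    conditionVersion?: pulumi.Input<string>;
    /**
     * The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    delegatedManagedIdentityResourceId?: pulumi.Input<string>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    description?: pulumi.Input<string>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications).
     */
    principalId?: pulumi.Input<string>;
    /**
     * The type of the `principalId`. Possible values are `User`, `Group` and `ServicePrincipal`. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.
     */
    principalType?: pulumi.Input<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created.
     */
    roleDefinitionId?: pulumi.Input<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created.
     *
     * > **Note:** Either `roleDefinitionId` or `roleDefinitionName` must be set.
     */
    roleDefinitionName?: pulumi.Input<string>;
    /**
     * The scope at which the Role Assignment applies to, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`, or `/providers/Microsoft.Management/managementGroups/myMG`. Changing this forces a new resource to be created.
     */
    scope?: pulumi.Input<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`.
     *
     * > **Note:** If it is not a `Service Principal` identity it will cause the role assignment to fail.
     */
    skipServicePrincipalAadCheck?: pulumi.Input<boolean>;
}

/**
 * The set of arguments for constructing a Assignment resource.
 *
 * `principalId` and `scope` are required; the role is given either by `roleDefinitionId`
 * or by `roleDefinitionName` (exactly one of the two must be set).
 */
export interface AssignmentArgs {
    /**
     * The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
     */
    condition?: pulumi.Input<string>;
    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a new resource to be created.
     *
     * > **Note:** `condition` is required when `conditionVersion` is set.
     */
    conditionVersion?: pulumi.Input<string>;
    /**
     * The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
     *
     * > **Note:** This field is only used in cross tenant scenarios.
     */
    delegatedManagedIdentityResourceId?: pulumi.Input<string>;
    /**
     * The description for this Role Assignment. Changing this forces a new resource to be created.
     */
    description?: pulumi.Input<string>;
    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
     *
     * > **Note:** The Principal ID is also known as the Object ID (i.e. not the "Application ID" for applications).
     */
    principalId: pulumi.Input<string>;
    /**
     * The type of the `principalId`. Possible values are `User`, `Group` and `ServicePrincipal`. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.
     */
    principalType?: pulumi.Input<string>;
    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created.
     */
    roleDefinitionId?: pulumi.Input<string>;
    /**
     * The name of a built-in Role. Changing this forces a new resource to be created.
     *
     * > **Note:** Either `roleDefinitionId` or `roleDefinitionName` must be set.
     */
    roleDefinitionName?: pulumi.Input<string>;
    /**
     * The scope at which the Role Assignment applies to, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`, or `/providers/Microsoft.Management/managementGroups/myMG`. Changing this forces a new resource to be created.
     */
    scope: pulumi.Input<string>;
    /**
     * If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. Defaults to `false`.
     *
     * > **Note:** If it is not a `Service Principal` identity it will cause the role assignment to fail.
     */
    skipServicePrincipalAadCheck?: pulumi.Input<boolean>;
}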