1. Enforcing role-based access control (RBAC) in Azure resources


    Role-Based Access Control (RBAC) in Azure is a method of restricting system access to authorized users. It is an important security feature that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC is implemented in Azure using Azure Role Assignments, which can be applied to resources, resource groups, subscriptions, or the entire management group level.

    When implementing RBAC, you assign roles to users, groups, service principals, or managed identities. Roles like Owner, Contributor, and Reader determine what actions the assignees can perform. Azure also allows you to create custom roles to handle special scenarios.

    Below is a Pulumi TypeScript program that defines a resource group in Azure and assigns an RBAC role of "Reader" to a principal (user, group, service principal, managed identity). You'll need the object ID of the principal to which you want to assign the role.

```typescript
import * as azure from "@pulumi/azure";
import * as pulumi from "@pulumi/pulumi";

// Create an Azure Resource Group
const resourceGroup = new azure.core.ResourceGroup("myResourceGroup", {
    location: "West US",
});

// Assign the Reader role to a principal for the scope of the entire Resource Group
const principalId = "principal-guid-here"; // Replace with the actual principal ID

const roleAssignment = new azure.authorization.RoleAssignment("myRoleAssignment", {
    scope: resourceGroup.id,
    roleDefinitionName: "Reader",
    principalId: principalId,
}, { dependsOn: [resourceGroup] });

// Export the Resource Group name and the Role Assignment ID
export const resourceGroupName = resourceGroup.name;
export const roleAssignmentId = roleAssignment.id;
```

    Let's walk through the code:

    • We import the @pulumi/azure and @pulumi/pulumi packages to interact with Azure resources and the Pulumi SDK, respectively.
    • We create an Azure Resource Group named myResourceGroup in the "West US" region, using the ResourceGroup class from the @pulumi/azure core module.
    • We assign the Reader role to our principal (the principal's unique identifier needs to be provided in place of "principal-guid-here"). For this, we use the RoleAssignment class from the @pulumi/azure/authorization module.
    • We specify the scope of the role assignment to our previously created resource group by providing resourceGroup.id.
    • The role definition name "Reader" is a built-in role that grants read-only access.
    • We use the dependsOn field to ensure that the role assignment is not created until after the resource group has been fully deployed, which avoids race conditions.
    • Finally, we export the resource group name and the role assignment ID, which can be useful for reference and in CI/CD environments.

    Replace "principal-guid-here" with the actual GUID of the Azure AD principal that you want to assign the role to. This could be a User, a Group, a Service Principal, or a Managed Identity.

    For more advanced scenarios and custom roles, you would similarly use Pulumi's RoleDefinition class to create custom role definitions. This is also where you would specify your own set of permissions if the built-in roles do not meet your requirements.
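    As an added example (not code from the original page or from Pulumi), the pure TypeScript helper below checks the permission block you would hand to a custom role definition before creating it: it evaluates Azure's Actions-minus-NotActions rule with wildcard matching and flags over-broad definitions. The "VM Operator" role and the subscription ID in it are constructed placeholders.

```typescript
// Shape of the permission block of an Azure custom role definition.
// Azure RBAC semantics: effective operations = Actions minus NotActions.
interface RolePermissions {
  actions: string[];
  notActions: string[];
  assignableScopes: string[];
}

// Convert an Azure RBAC operation pattern into a RegExp. In role definitions
// "*" matches any characters, including "/", so it is translated to ".*".
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`, "i");
}

// True if the role grants the operation: it must match at least one
// Actions entry and must not match any NotActions entry.
function isActionAllowed(role: RolePermissions, operation: string): boolean {
  const matches = (patterns: string[]) =>
    patterns.some((p) => patternToRegExp(p).test(operation));
  return matches(role.actions) && !matches(role.notActions);
}

// Least-privilege lint: a bare "*" in Actions is Owner-level control, and a
// role assignable at the tenant root or a management group spreads too far.
function validateLeastPrivilege(role: RolePermissions): string[] {
  const problems: string[] = [];
  if (role.actions.includes("*")) {
    problems.push('Actions contains "*" (equivalent to Owner-level control)');
  }
  if (role.assignableScopes.length === 0) {
    problems.push("assignableScopes is empty");
  }
  for (const scope of role.assignableScopes) {
    if (scope === "/" || scope.startsWith("/providers/Microsoft.Management/")) {
      problems.push(`assignable scope too broad: ${scope}`);
    }
  }
  return problems;
}

// Constructed example: read all Compute resources and manage VMs, but never
// delete or reconfigure them. The subscription ID is a placeholder.
const vmOperator: RolePermissions = {
  actions: ["Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/*"],
  notActions: ["Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/write"],
  assignableScopes: ["/subscriptions/00000000-0000-0000-0000-000000000000"],
};
```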

    Remember that to run this Pulumi program, you must have the Azure CLI installed and configured with credentials that have sufficient permissions to create resources and assign roles in the Azure subscription you're using.