Enforcing read-only permissions on resource groups in Azure
To enforce read-only permissions on Resource Groups in Azure using Pulumi, you combine an Azure Resource Group with a role assignment from Azure Role-Based Access Control (RBAC). Azure RBAC controls who has access to Azure resources, what they can do with those resources, and at which scope (management group, subscription, resource group, or individual resource) that access applies.
In this example, you'll see how to create a Resource Group and then assign the built-in `Reader` role to a principal (a user, group, service principal, or managed identity) to enforce read-only permissions. The `Reader` role allows a principal to view every resource in its scope but not make any changes. It is a control-plane (Azure Resource Manager) role: it grants no data-plane actions, so a Reader on a resource group can see a storage account's configuration but cannot read the blobs inside it unless a data-plane role is assigned separately.

First, make sure you have installed the `@pulumi/azure-native` package, which provides the classes and functions for interacting with Azure resources:

```bash
npm install @pulumi/azure-native
```
Now, let's dive into the Pulumi program that creates a Resource Group and assigns the `Reader` role.

```typescript
import * as azure from "@pulumi/azure-native";

// Create a new resource group
const resourceGroup = new azure.resources.ResourceGroup("myResourceGroup");

// Assign the built-in 'Reader' role to a principal, scoped to this resource group only
const readRoleAssignment = new azure.authorization.RoleAssignment("readRoleAssignment", {
    principalId: "principal-id", // Replace with the principal's object ID
    // Optionally set principalType (e.g. "ServicePrincipal"): it lets Azure skip the
    // directory lookup that fails with PrincipalNotFound for newly created principals.
    roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    scope: resourceGroup.id,
});

export const resourceGroupName = resourceGroup.name;
```
Before you run the program, replace `"principal-id"` with the object ID of the principal to which you wish to assign the `Reader` role.

This program does two main things:

- It creates a new Resource Group called `myResourceGroup`. Pulumi auto-names physical resources by default, so the name in Azure will be `myResourceGroup` followed by a random suffix; pass `resourceGroupName` explicitly if you need an exact name.
- It assigns the `Reader` role to the given principal ID using Azure's built-in `Reader` role definition ID (`acdd72a7-3385-48ef-bd42-f606fba81ae7`). The scope of the assignment is limited to the created Resource Group, granting read-only access to that Resource Group and, through inheritance, to every resource inside it.

Note that Azure RBAC is additive. This assignment grants Reader at the resource-group scope, but it does not take away anything the same principal already holds from an assignment at a broader scope, such as Contributor on the subscription. If the goal is to make a principal genuinely read-only on this Resource Group, review and remove its higher-scope assignments as well.
The `scope` parameter is the Resource ID of the Resource Group to which this role assignment applies. The `roleDefinitionId` is the fixed, Azure-defined ID of the `Reader` role. The tenant-level form `/providers/Microsoft.Authorization/roleDefinitions/<guid>` used here works for built-in roles; the subscription-scoped form `/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/<guid>` is also accepted.

After running this Pulumi program, the specified principal will have read-only access to the `myResourceGroup` Resource Group.

Keep in mind that `principalId` must be the object ID of the user, group, service principal, or managed identity, not a display name and, for a service principal, not its application (client) ID. Both IDs are GUIDs, so passing the application ID is an easy mistake; it typically fails with a PrincipalNotFound error. Look up the object ID in the Enterprise applications blade or, on recent Azure CLI versions, with `az ad sp show --id <app-id> --query id -o tsv`.

To run the Pulumi program, simply execute:
```bash
pulumi up
```

This command will provision the resources as described in your TypeScript code.
The `export` statement at the end of the program outputs the name of the created Resource Group once the deployment completes. This is useful for referencing the Resource Group from other parts of your Pulumi code, or from other stacks and applications.

Be aware that creating role assignments requires the `Microsoft.Authorization/roleAssignments/write` permission at the target scope. The built-in Owner and User Access Administrator roles include it; Contributor does not. If you encounter authorization errors, ensure the identity running `pulumi up` holds one of those roles at the subscription or resource-group scope. After deployment, you can confirm the assignment with `az role assignment list --scope <resource-group-id> --assignee <principal-id>`.