1. Enforcing read-only permissions on resource groups in Azure

    TypeScript

    To enforce read-only permissions on Resource Groups in Azure using Pulumi, you would typically use a combination of Azure Resource Groups and Role-Based Access Control (RBAC). Azure's RBAC system enables you to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

    In this example, you'll see how to create a Resource Group and then assign the built-in Reader role to a principal (a user, group, service principal, or managed identity) to enforce read-only permissions. The Reader role allows a principal to view everything, but not make any changes.

    First, make sure you have installed the @pulumi/azure-native package, as it provides classes and functions to interact with Azure resources.

    npm install @pulumi/azure-native

    Now, let's dive into the Pulumi program that creates a Resource Group and assigns the Reader role.

    import * as azure from "@pulumi/azure-native";

    // Create a new resource group
    const resourceGroup = new azure.resources.ResourceGroup("myResourceGroup");

    // Assign the built-in 'Reader' role to a principal, scoped to the resource group
    const readRoleAssignment = new azure.authorization.RoleAssignment("readRoleAssignment", {
        principalId: "principal-id", // Replace with the object ID of the user, group, service principal or managed identity
        // principalType: "ServicePrincipal", // Optional: set it for service principals and managed identities so the assignment does not fail while a newly created identity is still replicating
        roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", // Built-in Reader role
        scope: resourceGroup.id, // Limits the assignment to this resource group
    });

    export const resourceGroupName = resourceGroup.name;

    Before you run the program, replace "principal-id" with the actual principal ID to which you wish to assign the Reader role.

    This program does two main things:

    • It creates a new Resource Group called myResourceGroup.
    • It assigns the Reader role to a given principal ID using Azure's built-in Reader role definition ID (acdd72a7-3385-48ef-bd42-f606fba81ae7). The scope of this role is limited to the created Resource Group, thus granting read-only access to this specific Resource Group.

    The scope parameter is the Resource ID of the Resource Group to which this role assignment applies. The roleDefinitionId is a fixed Azure-defined ID for the Reader role.

    After running this Pulumi program, the principal specified will have read-only access to the myResourceGroup Resource Group.

    Keep in mind that the principalId should be the object ID of the user, group, service principal, or managed identity to which you want to assign the role.

    To run the Pulumi program, simply execute:

    pulumi up

    This command will provision the resources as described in your TypeScript code.

    The export command at the end of the program will output the name of the created Resource Group after the deployment is completed. This can be useful for referencing the Resource Group in other parts of your Pulumi code or in other applications.

    Be aware that you need the necessary permissions to assign roles in Azure. If you encounter permissions errors, ensure that your account has sufficient privileges to create role assignments in Azure RBAC.
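    A Reader assignment on the resource group only makes the group read-only for a principal if no broader assignment reaches it: Azure RBAC is additive and inherited, so Contributor on the subscription still grants write access inside the group. The following is an added example, not part of the original answer, that audits assignment records of the shape returned by az role assignment list (the field names principalId, roleDefinitionId and scope are assumed to match that output) and flags any assignment other than Reader that applies to the group; all sample records are constructed.

```typescript
// Added example, not from the original answer: flag any role assignment that reaches
// a resource group and grants more than Reader. All sample values are constructed.
const READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"; // built-in Reader

// Fields mirror `az role assignment list --include-inherited` output (assumed shape).
interface RoleAssignmentRecord {
  principalId: string;
  roleDefinitionId: string; // ".../providers/Microsoft.Authorization/roleDefinitions/<guid>"
  scope: string;            // "/subscriptions/<sub>" or ".../resourceGroups/<rg>"
}

// Last path segment of a role definition resource ID, lower-cased.
function roleGuid(roleDefinitionId: string): string {
  const parts = roleDefinitionId.split("/");
  return (parts[parts.length - 1] ?? "").toLowerCase();
}

// True when an assignment at `scope` applies to `targetScope`. RBAC is additive and
// inherited downward, so a write role on the subscription still reaches every resource
// group in it. Management-group scopes are not path prefixes and are outside this check.
function scopeCovers(scope: string, targetScope: string): boolean {
  const s = scope.toLowerCase().replace(/\/+$/, "");
  const t = targetScope.toLowerCase();
  return t === s || t.startsWith(s + "/");
}

// Every assignment that gives a principal something other than Reader on the group.
function findNonReadOnlyAccess(assignments: RoleAssignmentRecord[], resourceGroupId: string): RoleAssignmentRecord[] {
  return assignments.filter(
    (a) => scopeCovers(a.scope, resourceGroupId) && roleGuid(a.roleDefinitionId) !== READER_ROLE_GUID,
  );
}

// Constructed sample: placeholder subscription, the page's resource group, and a
// placeholder GUID standing in for any non-Reader role definition.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const RG_ID = `${SUB}/resourceGroups/myResourceGroup`;
const OTHER_ROLE_GUID = "11111111-1111-1111-1111-111111111111"; // placeholder, not a real role
const ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions";
const sampleAssignments: RoleAssignmentRecord[] = [
  { principalId: "reader-principal", roleDefinitionId: `${ROLE_DEFS}/${READER_ROLE_GUID}`, scope: RG_ID },
  { principalId: "sub-wide-principal", roleDefinitionId: `${SUB}${ROLE_DEFS}/${OTHER_ROLE_GUID}`, scope: SUB },
  { principalId: "other-rg-principal", roleDefinitionId: `${ROLE_DEFS}/${OTHER_ROLE_GUID}`, scope: `${SUB}/resourceGroups/otherGroup` },
];

for (const hit of findNonReadOnlyAccess(sampleAssignments, RG_ID)) {
  console.log(`${hit.principalId}: non-Reader role ${roleGuid(hit.roleDefinitionId)} via ${hit.scope}`);
}
```

    Only the subscription-wide assignment is reported; the Owner-style assignment on the other resource group does not reach myResourceGroup and is ignored.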