1. How to set Azure resource group access policy?


    To manage access policies for an Azure Resource Group, you can use the following resources: azure.core.ResourceGroup to create the resource group, azure-native.authorization.roledefinitions to define or look up the roles, and azure-native.authorization.roleassignments to assign roles.

    Let's see how you would create a resource group and assign a Contributor role for a user to this Resource Group:

    First, import the necessary packages:

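    ```csharp
    using System.Threading.Tasks;          // Task<int> for Main
    using Pulumi;
    using Pulumi.Azure.Core;               // ResourceGroup
    using Pulumi.AzureNative.Authorization; // GetRoleDefinition, RoleAssignment
    ```

    Next, within your main function, define your resource group and role assignment:

    ```csharp
    class Program
    {
        static Task<int> Main() => Deployment.RunAsync<MyStack>();
    }

    class MyStack : Stack
    {
        public MyStack()
        {
            var resourceGroup = new ResourceGroup("resourceGroup");

            // Look up the built-in Contributor role at the resource group scope.
            // b24988ac-6180-42a0-ab88-20f7382dd24c is the fixed ID of that built-in role;
            // the azure-native lookup takes a role definition ID and a scope, not a role name.
            var contributorRoleDefinition = GetRoleDefinition.Invoke(new GetRoleDefinitionInvokeArgs
            {
                RoleDefinitionId = "b24988ac-6180-42a0-ab88-20f7382dd24c",
                Scope = resourceGroup.Id,
            });

            // Bind the role to the principal, scoped to this resource group only.
            new RoleAssignment("role-assignment", new RoleAssignmentArgs
            {
                Scope = resourceGroup.Id,
                RoleDefinitionId = contributorRoleDefinition.Apply(x => x.Id),
                PrincipalId = "<principal-id>", // Substitute with the user's principal ID
            });
        }
    }
    ```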

    Remember to replace <principal-id> with the ID (known as objectId) of the user or service principal that you want to assign the "Contributor" role to. You can get the ID of a user or service principal using the Azure AD PowerShell Module or the Azure portal.

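    This creates a Resource Group (Pulumi appends a random suffix to its name) and grants Contributor access to the specified user on all resources within the Resource Group. Contributor allows creating, changing and deleting every resource in the group but not assigning roles, so prefer a narrower role when the principal does not need full management rights. The Resource Group is your basic building block and all resources must reside within a Resource Group.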

    Here is more information on how to work with Azure AD Roles and role assignments and Pulumi's Azure-Native Authorization resources.
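
    A least-privilege variant of the assignment above, as an added example that is not part of the original answer or Pulumi's own code: it creates a custom role that can only be assigned inside the resource group, instead of granting Contributor. The stack name, role name, action list and the role definition GUID are constructed placeholders, and `<principal-id>` must still be replaced.

    ```csharp
    using System.Threading.Tasks;
    using Pulumi;
    using Pulumi.Azure.Core;
    using Pulumi.AzureNative.Authorization;
    using Pulumi.AzureNative.Authorization.Inputs;

    class Program
    {
        static Task<int> Main() => Deployment.RunAsync<LeastPrivilegeStack>();
    }

    // Hypothetical stack: every name and ID below is a placeholder chosen for this example.
    class LeastPrivilegeStack : Stack
    {
        public LeastPrivilegeStack()
        {
            var resourceGroup = new ResourceGroup("resourceGroup");

            // Custom role limited to reading resources and restarting VMs.
            // AssignableScopes pins it to this group so it cannot be granted elsewhere.
            var vmOperator = new RoleDefinition("vm-operator", new RoleDefinitionArgs
            {
                RoleDefinitionId = "00000000-0000-4000-8000-000000000001", // constructed GUID, pick your own
                RoleName = "Example VM Operator",
                Description = "Read resources and restart virtual machines in one resource group.",
                Scope = resourceGroup.Id,
                AssignableScopes = { resourceGroup.Id },
                Permissions =
                {
                    new PermissionArgs
                    {
                        Actions =
                        {
                            "*/read",
                            "Microsoft.Compute/virtualMachines/restart/action",
                        },
                    },
                },
            });

            new RoleAssignment("vm-operator-assignment", new RoleAssignmentArgs
            {
                Scope = resourceGroup.Id,
                RoleDefinitionId = vmOperator.Id,
                PrincipalId = "<principal-id>", // placeholder: objectId of the user or service principal
            });
        }
    }
    ```

    Custom role names must be unique within the tenant, so change `RoleName` if a role with that name already exists.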