Module role

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class Assignment

extends CustomResource

Assigns a given Principal (User or Application) to a given Role.

Example Usage (using a built-in Role)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const testClientConfig = pulumi.output(azure.core.getClientConfig({}));
const primary = pulumi.output(azure.core.getSubscription({}));
const testAssignment = new azure.role.Assignment("test", {
    principalId: testClientConfig.servicePrincipalObjectId,
    roleDefinitionName: "Reader",
    scope: primary.id,
});

Example Usage (Custom Role & Service Principal)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const testClientConfig = pulumi.output(azure.core.getClientConfig({}));
const primary = pulumi.output(azure.core.getSubscription({}));
const testDefinition = new azure.role.Definition("test", {
    assignableScopes: [primary.id],
    name: "my-custom-role-definition",
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.id,
});
const testAssignment = new azure.role.Assignment("test", {
    name: "00000000-0000-0000-0000-000000000000",
    principalId: testClientConfig.servicePrincipalObjectId,
    roleDefinitionId: testDefinition.id,
    scope: primary.id,
});

Example Usage (Custom Role & User)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const testClientConfig = pulumi.output(azure.core.getClientConfig({}));
const primary = pulumi.output(azure.core.getSubscription({}));
const testDefinition = new azure.role.Definition("test", {
    assignableScopes: [primary.id],
    name: "my-custom-role-definition",
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.id,
});
const testAssignment = new azure.role.Assignment("test", {
    name: "00000000-0000-0000-0000-000000000000",
    principalId: testClientConfig.clientId,
    roleDefinitionId: testDefinition.id,
    scope: primary.id,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/website/docs/r/role_assignment.html.markdown.

constructor

new Assignment(name: string, args: AssignmentArgs, opts?: pulumi.CustomResourceOptions)

Create an Assignment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AssignmentState, opts?: pulumi.CustomResourceOptions): Assignment

Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Assignment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

public principalId: pulumi.Output<string>;

The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

public roleDefinitionName: pulumi.Output<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

public scope: pulumi.Output<string>;

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Definition

extends CustomResource

Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = pulumi.output(azure.core.getSubscription({}));
const test = new azure.role.Definition("test", {
    assignableScopes: [primary.id],
    description: "This is a custom role",
    name: "my-custom-role",
    permissions: [{
        actions: ["*"],
        notActions: [],
    }],
    scope: primary.id,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/website/docs/r/role_definition.html.markdown.
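The Example Usage above grants actions: ["*"] with an empty notActions list. The following added example (not part of the original page or of the provider) audits a permissions block of the shape documented for Definition and reports whether it lets the holder change access control. The function names, the finding strings and the carved-out sample are assumptions made for illustration.

```typescript
// Added example: plain TypeScript, no Pulumi or Azure SDK calls.
interface PermissionBlock {
    actions: string[];
    notActions: string[];
}

// Turn an action pattern such as "Microsoft.Compute/*" into a
// case-insensitive RegExp; "*" matches any run of characters.
function actionPattern(pattern: string): RegExp {
    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function matchesAny(patterns: string[], action: string): boolean {
    return patterns.some((p) => actionPattern(p).test(action));
}

// Assumption: each block grants (actions minus notActions) and the
// blocks of one definition are unioned.
function grants(permissions: PermissionBlock[], action: string): boolean {
    return permissions.some(
        (b) => matchesAny(b.actions, action) && !matchesAny(b.notActions, action)
    );
}

// Control-plane operations that let the holder change who has access.
const ESCALATION_ACTIONS: string[] = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
];

function auditDefinition(permissions: PermissionBlock[]): string[] {
    const findings: string[] = [];
    if (permissions.some((b) => b.actions.indexOf("*") !== -1)) {
        findings.push("wildcard-actions");
    }
    for (const a of ESCALATION_ACTIONS) {
        if (grants(permissions, a)) findings.push("grants:" + a);
    }
    return findings;
}

// Constructed samples; the first two mirror permissions blocks on this page.
const wildcardRole: PermissionBlock[] = [{ actions: ["*"], notActions: [] }];
const readOnlyRole: PermissionBlock[] = [{
    actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
    notActions: [],
}];
// Same wildcard with access management carved out through notActions.
const carvedOutRole: PermissionBlock[] = [{
    actions: ["*"],
    notActions: ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
}];
```

Run auditDefinition over the permissions of every custom role before deployment; an empty result means no wildcard action and no right to rewrite role assignments or definitions.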

constructor

new Definition(name: string, args: DefinitionArgs, opts?: pulumi.CustomResourceOptions)

Create a Definition resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefinitionState, opts?: pulumi.CustomResourceOptions): Definition

Get an existing Definition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Definition. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property assignableScopes

public assignableScopes: pulumi.Output<string[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

public description: pulumi.Output<string | undefined>;

A description of the Role Definition.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

public permissions: pulumi.Output<{
    actions: string[];
    dataActions: string[];
    notActions: string[];
    notDataActions: string[];
}[]>;

A permissions block as defined below.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

public scope: pulumi.Output<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

function getBuiltinRoleDefinition

getBuiltinRoleDefinition(args: GetBuiltinRoleDefinitionArgs, opts?: pulumi.InvokeOptions): Promise<GetBuiltinRoleDefinitionResult> & GetBuiltinRoleDefinitionResult

Use this data source to access information about a built-in Role Definition. To access information about a custom Role Definition, please see the azure.role.Definition data source instead.

NOTE: This data source has been deprecated in favour of azure.role.Definition, which can now look up role definitions by name. As such, this data source will be removed in version 2.0 of the AzureRM Provider.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const contributor = pulumi.output(azure.role.getBuiltinRoleDefinition({
    name: "Contributor",
}));

export const contributorRoleDefinitionId = contributor.id;

This content is derived from https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/website/docs/d/builtin_role_definition.html.markdown.

function getRoleDefinition

getRoleDefinition(args?: GetRoleDefinitionArgs, opts?: pulumi.InvokeOptions): Promise<GetRoleDefinitionResult> & GetRoleDefinitionResult

Use this data source to access information about an existing Role Definition.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const builtin = pulumi.output(azure.role.getBuiltinRoleDefinition({
    name: "Contributor",
}));
const primary = pulumi.output(azure.core.getSubscription({}));
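const customDefinition = new azure.role.Definition("custom", {
    // assignableScopes and permissions are required by DefinitionArgs;
    // the values here follow the custom-role examples earlier on this page.
    assignableScopes: [primary.id],
    name: "CustomRoleDef",
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.id,
});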
const customRoleDefinition = pulumi.all([customDefinition.roleDefinitionId, primary]).apply(([roleDefinitionId, primary]) => azure.role.getRoleDefinition({
    roleDefinitionId: roleDefinitionId,
    scope: primary.id,
}));
const customByname = pulumi.all([customDefinition.name, primary]).apply(([name, primary]) => azure.role.getRoleDefinition({
    name: name,
    scope: primary.id,
}));

export const contributorRoleDefinitionId = builtin.id;
export const customRoleDefinitionId = customRoleDefinition.id;

This content is derived from https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/website/docs/d/role_definition.html.markdown.

interface AssignmentArgs

The set of arguments for constructing an Assignment resource.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId: pulumi.Input<string>;

The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope: pulumi.Input<string>;

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.
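A pre-deployment review of the AssignmentArgs constraints described above, as an added example that is not part of the original page or of the provider: it classifies the three scope shapes listed for scope, rejects roleDefinitionId together with roleDefinitionName, checks that name is a UUID/GUID, and flags Owner or Contributor granted across a whole subscription. It works on plain, already resolved strings; the type and function names, the finding strings and the choice of which roles to flag are assumptions.

```typescript
// Added example: plain TypeScript, no Pulumi or Azure SDK calls.
type ScopeLevel = "subscription" | "resourceGroup" | "resource" | "unknown";

const GUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";

// Classify the three scope shapes given in the scope property description.
function scopeLevel(scope: string): ScopeLevel {
    const sub = "^/subscriptions/" + GUID;
    if (new RegExp(sub + "/?$", "i").test(scope)) return "subscription";
    if (new RegExp(sub + "/resourceGroups/[^/]+/?$", "i").test(scope)) return "resourceGroup";
    if (new RegExp(sub + "/resourceGroups/[^/]+/providers/.+", "i").test(scope)) return "resource";
    return "unknown";
}

// Plain-value mirror of AssignmentArgs (hypothetical helper type).
interface PlainAssignmentArgs {
    name?: string;
    principalId: string;
    roleDefinitionId?: string;
    roleDefinitionName?: string;
    scope: string;
}

// Built-in roles named on this page that carry write access (assumption:
// the reviewer wants these flagged when granted on a whole subscription).
const BROAD_ROLES: string[] = ["owner", "contributor"];

function reviewAssignment(a: PlainAssignmentArgs): string[] {
    const findings: string[] = [];
    if (a.roleDefinitionId !== undefined && a.roleDefinitionName !== undefined) {
        findings.push("conflict: roleDefinitionId and roleDefinitionName both set");
    }
    if (a.name !== undefined && !new RegExp("^" + GUID + "$", "i").test(a.name)) {
        findings.push("name is not a UUID/GUID");
    }
    const level = scopeLevel(a.scope);
    if (level === "unknown") findings.push("unrecognised scope");
    const roleName = (a.roleDefinitionName || "").toLowerCase();
    if (level === "subscription" && BROAD_ROLES.indexOf(roleName) !== -1) {
        findings.push("broad built-in role at subscription scope");
    }
    return findings;
}

// Constructed inputs; the subscription GUID is the sample used on this page.
const SUB = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333";
const PRINCIPAL = "11111111-1111-1111-1111-111111111111"; // constructed
const readerAtSub = reviewAssignment({
    principalId: PRINCIPAL, roleDefinitionName: "Reader", scope: SUB,
});
const contributorAtSub = reviewAssignment({
    principalId: PRINCIPAL, roleDefinitionName: "Contributor", scope: SUB,
});
const contributorAtGroup = reviewAssignment({
    principalId: PRINCIPAL, roleDefinitionName: "Contributor",
    scope: SUB + "/resourceGroups/myGroup",
});
```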

interface AssignmentState

Input properties used for looking up and filtering Assignment resources.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId?: pulumi.Input<string>;

The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope?: pulumi.Input<string>;

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

interface DefinitionArgs

The set of arguments for constructing a Definition resource.

property assignableScopes

assignableScopes: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions: pulumi.Input<pulumi.Input<{
    actions: pulumi.Input<pulumi.Input<string>[]>;
    dataActions: pulumi.Input<pulumi.Input<string>[]>;
    notActions: pulumi.Input<pulumi.Input<string>[]>;
    notDataActions: pulumi.Input<pulumi.Input<string>[]>;
}>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

interface DefinitionState

Input properties used for looking up and filtering Definition resources.

property assignableScopes

assignableScopes?: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions?: pulumi.Input<pulumi.Input<{
    actions: pulumi.Input<pulumi.Input<string>[]>;
    dataActions: pulumi.Input<pulumi.Input<string>[]>;
    notActions: pulumi.Input<pulumi.Input<string>[]>;
    notDataActions: pulumi.Input<pulumi.Input<string>[]>;
}>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope?: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

interface GetBuiltinRoleDefinitionArgs

A collection of arguments for invoking getBuiltinRoleDefinition.

property name

name: string;

Specifies the name of the built-in Role Definition. Possible values are: Contributor, Owner, Reader and VirtualMachineContributor.

interface GetBuiltinRoleDefinitionResult

A collection of values returned by getBuiltinRoleDefinition.

property assignableScopes

assignableScopes: string[];

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description: string;

The description of the built-in Role.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property name

name: string;

property permissions

permissions: {
    actions: string[];
    dataActions: string[];
    notActions: string[];
    notDataActions: string[];
}[];

A permissions block as documented below.

property type

type: string;

The type of the Role.

interface GetRoleDefinitionArgs

A collection of arguments for invoking getRoleDefinition.

property name

name?: undefined | string;

Specifies the Name of either a built-in or custom Role Definition.

property roleDefinitionId

roleDefinitionId?: undefined | string;

Specifies the ID of the Role Definition as a UUID/GUID.

property scope

scope?: undefined | string;

Specifies the Scope at which the Custom Role Definition exists.

interface GetRoleDefinitionResult

A collection of values returned by getRoleDefinition.

property assignableScopes

assignableScopes: string[];

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description: string;

The description of the built-in Role.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property name

name: string;

property permissions

permissions: {
    actions: string[];
    dataActions: string[];
    notActions: string[];
    notDataActions: string[];
}[];

A permissions block as documented below.

property roleDefinitionId

roleDefinitionId: string;

property scope

scope?: undefined | string;

property type

type: string;

The type of the Role.