Alibaba Cloud v3.87.0, Oct 18 25

Alibaba Cloud v3.87.0 published on Saturday, Oct 18, 2025 by Pulumi

alicloud.resourcemanager.ControlPolicy

Alibaba Cloud v3.87.0 published on Saturday, Oct 18, 2025 by Pulumi

pulumi/pulumi-alicloud

Example Usage

Basic Usage

import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";

const config = new pulumi.Config();
const name = config.get("name") || "tf-example";
const example = new alicloud.resourcemanager.ControlPolicy("example", {
    controlPolicyName: name,
    description: name,
    effectScope: "RAM",
    policyDocument: `  {
    \\"Version\\": \\"1\\",
    \\"Statement\\": [
      {
        \\"Effect\\": \\"Deny\\",
        \\"Action\\": [
          \\"ram:UpdateRole\\",
          \\"ram:DeleteRole\\",
          \\"ram:AttachPolicyToRole\\",
          \\"ram:DetachPolicyFromRole\\"
        ],
        \\"Resource\\": \\"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\\"
      }
    ]
  }
`,
});

import pulumi
import pulumi_alicloud as alicloud

config = pulumi.Config()
name = config.get("name")
if name is None:
    name = "tf-example"
example = alicloud.resourcemanager.ControlPolicy("example",
    control_policy_name=name,
    description=name,
    effect_scope="RAM",
    policy_document="""  {
    \"Version\": \"1\",
    \"Statement\": [
      {
        \"Effect\": \"Deny\",
        \"Action\": [
          \"ram:UpdateRole\",
          \"ram:DeleteRole\",
          \"ram:AttachPolicyToRole\",
          \"ram:DetachPolicyFromRole\"
        ],
        \"Resource\": \"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\"
      }
    ]
  }
""")

package main

import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/resourcemanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		name := "tf-example"
		if param := cfg.Get("name"); param != "" {
			name = param
		}
		_, err := resourcemanager.NewControlPolicy(ctx, "example", &resourcemanager.ControlPolicyArgs{
			ControlPolicyName: pulumi.String(name),
			Description:       pulumi.String(name),
			EffectScope:       pulumi.String("RAM"),
			PolicyDocument: pulumi.String(`  {
    \"Version\": \"1\",
    \"Statement\": [
      {
        \"Effect\": \"Deny\",
        \"Action\": [
          \"ram:UpdateRole\",
          \"ram:DeleteRole\",
          \"ram:AttachPolicyToRole\",
          \"ram:DetachPolicyFromRole\"
        ],
        \"Resource\": \"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\"
      }
    ]
  }
`),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;

return await Deployment.RunAsync(() => 
{
    var config = new Config();
    var name = config.Get("name") ?? "tf-example";
    var example = new AliCloud.ResourceManager.ControlPolicy("example", new()
    {
        ControlPolicyName = name,
        Description = name,
        EffectScope = "RAM",
        PolicyDocument = @"  {
    \""Version\"": \""1\"",
    \""Statement\"": [
      {
        \""Effect\"": \""Deny\"",
        \""Action\"": [
          \""ram:UpdateRole\"",
          \""ram:DeleteRole\"",
          \""ram:AttachPolicyToRole\"",
          \""ram:DetachPolicyFromRole\""
        ],
        \""Resource\"": \""acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\""
      }
    ]
  }
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.resourcemanager.ControlPolicy;
import com.pulumi.alicloud.resourcemanager.ControlPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        final var name = config.get("name").orElse("tf-example");
        var example = new ControlPolicy("example", ControlPolicyArgs.builder()
            .controlPolicyName(name)
            .description(name)
            .effectScope("RAM")
            .policyDocument("""
  {
    \"Version\": \"1\",
    \"Statement\": [
      {
        \"Effect\": \"Deny\",
        \"Action\": [
          \"ram:UpdateRole\",
          \"ram:DeleteRole\",
          \"ram:AttachPolicyToRole\",
          \"ram:DetachPolicyFromRole\"
        ],
        \"Resource\": \"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\"
      }
    ]
  }
            """)
            .build());

    }
}

configuration:
  name:
    type: string
    default: tf-example
resources:
  example:
    type: alicloud:resourcemanager:ControlPolicy
    properties:
      controlPolicyName: ${name}
      description: ${name}
      effectScope: RAM
      policyDocument: |2
          {
            \"Version\": \"1\",
            \"Statement\": [
              {
                \"Effect\": \"Deny\",
                \"Action\": [
                  \"ram:UpdateRole\",
                  \"ram:DeleteRole\",
                  \"ram:AttachPolicyToRole\",
                  \"ram:DetachPolicyFromRole\"
                ],
                \"Resource\": \"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole\"
              }
            ]
          }

Create ControlPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ControlPolicy(name: string, args: ControlPolicyArgs, opts?: CustomResourceOptions);

@overload
def ControlPolicy(resource_name: str,
                  args: ControlPolicyArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def ControlPolicy(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  control_policy_name: Optional[str] = None,
                  effect_scope: Optional[str] = None,
                  policy_document: Optional[str] = None,
                  description: Optional[str] = None,
                  tags: Optional[Mapping[str, str]] = None)

func NewControlPolicy(ctx *Context, name string, args ControlPolicyArgs, opts ...ResourceOption) (*ControlPolicy, error)

public ControlPolicy(string name, ControlPolicyArgs args, CustomResourceOptions? opts = null)

public ControlPolicy(String name, ControlPolicyArgs args)
public ControlPolicy(String name, ControlPolicyArgs args, CustomResourceOptions options)

type: alicloud:resourcemanager:ControlPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ControlPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ControlPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ControlPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ControlPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ControlPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var alicloudControlPolicyResource = new AliCloud.ResourceManager.ControlPolicy("alicloudControlPolicyResource", new()
{
    ControlPolicyName = "string",
    EffectScope = "string",
    PolicyDocument = "string",
    Description = "string",
    Tags = 
    {
        { "string", "string" },
    },
});

example, err := resourcemanager.NewControlPolicy(ctx, "alicloudControlPolicyResource", &resourcemanager.ControlPolicyArgs{
	ControlPolicyName: pulumi.String("string"),
	EffectScope:       pulumi.String("string"),
	PolicyDocument:    pulumi.String("string"),
	Description:       pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})

var alicloudControlPolicyResource = new com.pulumi.alicloud.resourcemanager.ControlPolicy("alicloudControlPolicyResource", com.pulumi.alicloud.resourcemanager.ControlPolicyArgs.builder()
    .controlPolicyName("string")
    .effectScope("string")
    .policyDocument("string")
    .description("string")
    .tags(Map.of("string", "string"))
    .build());

alicloud_control_policy_resource = alicloud.resourcemanager.ControlPolicy("alicloudControlPolicyResource",
    control_policy_name="string",
    effect_scope="string",
    policy_document="string",
    description="string",
    tags={
        "string": "string",
    })

const alicloudControlPolicyResource = new alicloud.resourcemanager.ControlPolicy("alicloudControlPolicyResource", {
    controlPolicyName: "string",
    effectScope: "string",
    policyDocument: "string",
    description: "string",
    tags: {
        string: "string",
    },
});

type: alicloud:resourcemanager:ControlPolicy
properties:
    controlPolicyName: string
    description: string
    effectScope: string
    policyDocument: string
    tags:
        string: string

ControlPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ControlPolicy resource accepts the following input properties:

ControlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

EffectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

PolicyDocument string

The new document of the access control policy. The document can be a maximum of 4,096 characters in length. For more information about the languages of access control policies, see Languages of access control policies. For more information about the examples of access control policies, see Examples of custom access control policies.

Description string

The new description of the access control policy. The description must be 1 to 1,024 characters in length. The description can contain letters, digits, underscores (_), and hyphens (-) and must start with a letter.

Tags Dictionary<string, string>

The tags. You can specify a maximum of 20 tags.

ControlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

EffectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

PolicyDocument string

Description string

Tags map[string]string

The tags. You can specify a maximum of 20 tags.

controlPolicyName String

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

effectScope String

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument String

description String

tags Map<String,String>

The tags. You can specify a maximum of 20 tags.

controlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

effectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument string

description string

tags {[key: string]: string}

The tags. You can specify a maximum of 20 tags.

control_policy_name str

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

effect_scope str

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policy_document str

description str

tags Mapping[str, str]

The tags. You can specify a maximum of 20 tags.

controlPolicyName String

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

effectScope String

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument String

description String

tags Map<String>

The tags. You can specify a maximum of 20 tags.

Outputs

All input properties are implicitly available as output properties. Additionally, the ControlPolicy resource produces the following output properties:

CreateTime string: The time when the access control policy was created.
Id string: The provider-assigned unique ID for this managed resource.

CreateTime string: The time when the access control policy was created.
Id string: The provider-assigned unique ID for this managed resource.

createTime String: The time when the access control policy was created.
id String: The provider-assigned unique ID for this managed resource.

createTime string: The time when the access control policy was created.
id string: The provider-assigned unique ID for this managed resource.

create_time str: The time when the access control policy was created.
id str: The provider-assigned unique ID for this managed resource.

createTime String: The time when the access control policy was created.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing ControlPolicy Resource

Get an existing ControlPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ControlPolicyState, opts?: CustomResourceOptions): ControlPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        control_policy_name: Optional[str] = None,
        create_time: Optional[str] = None,
        description: Optional[str] = None,
        effect_scope: Optional[str] = None,
        policy_document: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None) -> ControlPolicy

func GetControlPolicy(ctx *Context, name string, id IDInput, state *ControlPolicyState, opts ...ResourceOption) (*ControlPolicy, error)

public static ControlPolicy Get(string name, Input<string> id, ControlPolicyState? state, CustomResourceOptions? opts = null)

public static ControlPolicy get(String name, Output<String> id, ControlPolicyState state, CustomResourceOptions options)

resources:  _:    type: alicloud:resourcemanager:ControlPolicy    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ControlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

CreateTime string

The time when the access control policy was created.

Description string

EffectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

PolicyDocument string

Tags Dictionary<string, string>

The tags. You can specify a maximum of 20 tags.

ControlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

CreateTime string

The time when the access control policy was created.

Description string

EffectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

PolicyDocument string

Tags map[string]string

The tags. You can specify a maximum of 20 tags.

controlPolicyName String

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

createTime String

The time when the access control policy was created.

description String

effectScope String

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument String

tags Map<String,String>

The tags. You can specify a maximum of 20 tags.

controlPolicyName string

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

createTime string

The time when the access control policy was created.

description string

effectScope string

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument string

tags {[key: string]: string}

The tags. You can specify a maximum of 20 tags.

control_policy_name str

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

create_time str

The time when the access control policy was created.

description str

effect_scope str

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policy_document str

tags Mapping[str, str]

The tags. You can specify a maximum of 20 tags.

controlPolicyName String

The new name of the access control policy. The name must be 1 to 128 characters in length. The name can contain letters, digits, and hyphens (-) and must start with a letter.

createTime String

The time when the access control policy was created.

description String

effectScope String

The effective scope of the access control policy. Valid values:

All: The access control policy is in effect for Alibaba Cloud accounts, RAM users, and RAM roles.
RAM: The access control policy is in effect only for RAM users and RAM roles.

policyDocument String

tags Map<String>

The tags. You can specify a maximum of 20 tags.

Import

Resource Manager Control Policy can be imported using the id, e.g.

$ pulumi import alicloud:resourcemanager/controlPolicy:ControlPolicy example <id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Alibaba Cloud pulumi/pulumi-alicloud
License: Apache-2.0
Notes: This Pulumi package is based on the alicloud Terraform Provider.

Alibaba Cloud v3.87.0 published on Saturday, Oct 18, 2025 by Pulumi

pulumi/pulumi-alicloud

alicloud.resourcemanager.ControlPolicy

On this page

On this page

Example Usage

Create ControlPolicy Resource

Constructor syntax

Parameters

Constructor example

ControlPolicy Resource Properties

Inputs

Outputs

Look up Existing ControlPolicy Resource

Import

Package Details

On this page

On this page