Docs Home
athenz 1.0.45 published on Tuesday, Apr 15, 2025 by athenz
athenz.Role
Explore with Pulumi AI
athenz.Role provides an Athenz role resource.
Example Usage
IMPORTANT NOTE: please do NOT use json syntax but only hcl syntax
Coming soon!
Coming soon!
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.athenz.Role;
import com.pulumi.athenz.RoleArgs;
import com.pulumi.athenz.inputs.RoleSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fooRole = new Role("fooRole", RoleArgs.builder()
.auditRef("create role")
.domain("some_domain")
.members(
Map.ofEntries(
Map.entry("expiration", "2022-12-29 23:59:59"),
Map.entry("name", "domain1.user1"),
Map.entry("review", "2023-12-29 23:59:59")
),
Map.ofEntries(
Map.entry("expiration", "2022-12-29 23:59:59"),
Map.entry("name", "domain2.user2"),
Map.entry("review", "2023-12-29 23:59:59")
),
Map.ofEntries(
Map.entry("expiration", "2022-12-29 23:59:59"),
Map.entry("name", "domain3.user3"),
Map.entry("review", "2023-12-29 23:59:59")
))
.settings(RoleSettingsArgs.builder()
.certExpiryMins(60)
.groupExpiryDays(14)
.groupReviewDays(14)
.serviceExpiryDays(21)
.serviceReviewDays(21)
.tokenExpiryMins(60)
.userExpiryDays(7)
.userReviewDays(7)
.build())
.tags(Map.ofEntries(
Map.entry("key1", "val1,val2"),
Map.entry("key2", "val3,val4")
))
.build());
}
}
resources:
fooRole:
type: athenz:Role
properties:
auditRef: create role
domain: some_domain
members:
- expiration: 2022-12-29 23:59:59
name: domain1.user1
review: 2023-12-29 23:59:59
- expiration: 2022-12-29 23:59:59
name: domain2.user2
review: 2023-12-29 23:59:59
- expiration: 2022-12-29 23:59:59
name: domain3.user3
review: 2023-12-29 23:59:59
settings:
certExpiryMins: 60
groupExpiryDays: 14
groupReviewDays: 14
serviceExpiryDays: 21
serviceReviewDays: 21
tokenExpiryMins: 60
userExpiryDays: 7
userReviewDays: 7
tags:
key1: val1,val2
key2: val3,val4
Deprecated** (Please Use As Explained In The Second Example)
import * as pulumi from "@pulumi/pulumi";
import * as athenz from "@pulumi/athenz";
const fooRole = new athenz.Role("fooRole", {
auditRef: "create role",
domain: "some_domain",
members: [
"domain1.user1",
"domain2.user2",
],
tags: {
key1: "val1,val2",
key2: "val3,val4",
},
});
import pulumi
import pulumi_athenz as athenz
foo_role = athenz.Role("fooRole",
audit_ref="create role",
domain="some_domain",
members=[
"domain1.user1",
"domain2.user2",
],
tags={
"key1": "val1,val2",
"key2": "val3,val4",
})
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/athenz/athenz"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := athenz.NewRole(ctx, "fooRole", &athenz.RoleArgs{
AuditRef: pulumi.String("create role"),
Domain: pulumi.String("some_domain"),
Members: pulumi.StringArray{
pulumi.String("domain1.user1"),
pulumi.String("domain2.user2"),
},
Tags: pulumi.StringMap{
"key1": pulumi.String("val1,val2"),
"key2": pulumi.String("val3,val4"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Athenz = Pulumi.Athenz;
return await Deployment.RunAsync(() =>
{
var fooRole = new Athenz.Role("fooRole", new()
{
AuditRef = "create role",
Domain = "some_domain",
Members = new[]
{
"domain1.user1",
"domain2.user2",
},
Tags =
{
{ "key1", "val1,val2" },
{ "key2", "val3,val4" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.athenz.Role;
import com.pulumi.athenz.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fooRole = new Role("fooRole", RoleArgs.builder()
.auditRef("create role")
.domain("some_domain")
.members(
"domain1.user1",
"domain2.user2")
.tags(Map.ofEntries(
Map.entry("key1", "val1,val2"),
Map.entry("key2", "val3,val4")
))
.build());
}
}
resources:
fooRole:
type: athenz:Role
properties:
auditRef: create role
domain: some_domain
members:
- domain1.user1
- domain2.user2
tags:
key1: val1,val2
key2: val3,val4
Example Delegated Role Usage
import * as pulumi from "@pulumi/pulumi";
import * as athenz from "@pulumi/athenz";
const fooRole = new athenz.Role("fooRole", {
auditRef: "create delegated role",
domain: "some_domain",
trust: "some_delegated_domain",
});
import pulumi
import pulumi_athenz as athenz
foo_role = athenz.Role("fooRole",
audit_ref="create delegated role",
domain="some_domain",
trust="some_delegated_domain")
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/athenz/athenz"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := athenz.NewRole(ctx, "fooRole", &athenz.RoleArgs{
AuditRef: pulumi.String("create delegated role"),
Domain: pulumi.String("some_domain"),
Trust: pulumi.String("some_delegated_domain"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Athenz = Pulumi.Athenz;
return await Deployment.RunAsync(() =>
{
var fooRole = new Athenz.Role("fooRole", new()
{
AuditRef = "create delegated role",
Domain = "some_domain",
Trust = "some_delegated_domain",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.athenz.Role;
import com.pulumi.athenz.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fooRole = new Role("fooRole", RoleArgs.builder()
.auditRef("create delegated role")
.domain("some_domain")
.trust("some_delegated_domain")
.build());
}
}
resources:
fooRole:
type: athenz:Role
properties:
auditRef: create delegated role
domain: some_domain
trust: some_delegated_domain
Create Role Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);@overload
def Role(resource_name: str,
args: RoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Role(resource_name: str,
opts: Optional[ResourceOptions] = None,
domain: Optional[str] = None,
notify_roles: Optional[str] = None,
review_enabled: Optional[bool] = None,
description: Optional[str] = None,
audit_ref: Optional[str] = None,
last_reviewed_date: Optional[str] = None,
member: Optional[Sequence[RoleMemberArgs]] = None,
members: Optional[Sequence[str]] = None,
name: Optional[str] = None,
notify_details: Optional[str] = None,
role_id: Optional[str] = None,
delete_protection: Optional[bool] = None,
principal_domain_filter: Optional[str] = None,
audit_enabled: Optional[bool] = None,
self_renew: Optional[bool] = None,
self_renew_mins: Optional[float] = None,
self_serve: Optional[bool] = None,
settings: Optional[RoleSettingsArgs] = None,
sign_algorithm: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
trust: Optional[str] = None,
user_authority_expiration: Optional[str] = None,
user_authority_filter: Optional[str] = None)func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)type: athenz:Role
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var roleResource = new Athenz.Role("roleResource", new()
{
Domain = "string",
NotifyRoles = "string",
ReviewEnabled = false,
Description = "string",
AuditRef = "string",
LastReviewedDate = "string",
Member = new[]
{
new Athenz.Inputs.RoleMemberArgs
{
Name = "string",
Expiration = "string",
Review = "string",
},
},
Name = "string",
NotifyDetails = "string",
RoleId = "string",
DeleteProtection = false,
PrincipalDomainFilter = "string",
AuditEnabled = false,
SelfRenew = false,
SelfRenewMins = 0,
SelfServe = false,
Settings = new Athenz.Inputs.RoleSettingsArgs
{
CertExpiryMins = 0,
GroupExpiryDays = 0,
GroupReviewDays = 0,
MaxMembers = 0,
ServiceExpiryDays = 0,
ServiceReviewDays = 0,
TokenExpiryMins = 0,
UserExpiryDays = 0,
UserReviewDays = 0,
},
SignAlgorithm = "string",
Tags =
{
{ "string", "string" },
},
Trust = "string",
UserAuthorityExpiration = "string",
UserAuthorityFilter = "string",
});
example, err := athenz.NewRole(ctx, "roleResource", &athenz.RoleArgs{
Domain: pulumi.String("string"),
NotifyRoles: pulumi.String("string"),
ReviewEnabled: pulumi.Bool(false),
Description: pulumi.String("string"),
AuditRef: pulumi.String("string"),
LastReviewedDate: pulumi.String("string"),
Member: athenz.RoleMemberArray{
&athenz.RoleMemberArgs{
Name: pulumi.String("string"),
Expiration: pulumi.String("string"),
Review: pulumi.String("string"),
},
},
Name: pulumi.String("string"),
NotifyDetails: pulumi.String("string"),
RoleId: pulumi.String("string"),
DeleteProtection: pulumi.Bool(false),
PrincipalDomainFilter: pulumi.String("string"),
AuditEnabled: pulumi.Bool(false),
SelfRenew: pulumi.Bool(false),
SelfRenewMins: pulumi.Float64(0),
SelfServe: pulumi.Bool(false),
Settings: &athenz.RoleSettingsArgs{
CertExpiryMins: pulumi.Float64(0),
GroupExpiryDays: pulumi.Float64(0),
GroupReviewDays: pulumi.Float64(0),
MaxMembers: pulumi.Float64(0),
ServiceExpiryDays: pulumi.Float64(0),
ServiceReviewDays: pulumi.Float64(0),
TokenExpiryMins: pulumi.Float64(0),
UserExpiryDays: pulumi.Float64(0),
UserReviewDays: pulumi.Float64(0),
},
SignAlgorithm: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
Trust: pulumi.String("string"),
UserAuthorityExpiration: pulumi.String("string"),
UserAuthorityFilter: pulumi.String("string"),
})
var roleResource = new Role("roleResource", RoleArgs.builder()
.domain("string")
.notifyRoles("string")
.reviewEnabled(false)
.description("string")
.auditRef("string")
.lastReviewedDate("string")
.member(RoleMemberArgs.builder()
.name("string")
.expiration("string")
.review("string")
.build())
.name("string")
.notifyDetails("string")
.roleId("string")
.deleteProtection(false)
.principalDomainFilter("string")
.auditEnabled(false)
.selfRenew(false)
.selfRenewMins(0)
.selfServe(false)
.settings(RoleSettingsArgs.builder()
.certExpiryMins(0)
.groupExpiryDays(0)
.groupReviewDays(0)
.maxMembers(0)
.serviceExpiryDays(0)
.serviceReviewDays(0)
.tokenExpiryMins(0)
.userExpiryDays(0)
.userReviewDays(0)
.build())
.signAlgorithm("string")
.tags(Map.of("string", "string"))
.trust("string")
.userAuthorityExpiration("string")
.userAuthorityFilter("string")
.build());
role_resource = athenz.Role("roleResource",
domain="string",
notify_roles="string",
review_enabled=False,
description="string",
audit_ref="string",
last_reviewed_date="string",
member=[{
"name": "string",
"expiration": "string",
"review": "string",
}],
name="string",
notify_details="string",
role_id="string",
delete_protection=False,
principal_domain_filter="string",
audit_enabled=False,
self_renew=False,
self_renew_mins=0,
self_serve=False,
settings={
"cert_expiry_mins": 0,
"group_expiry_days": 0,
"group_review_days": 0,
"max_members": 0,
"service_expiry_days": 0,
"service_review_days": 0,
"token_expiry_mins": 0,
"user_expiry_days": 0,
"user_review_days": 0,
},
sign_algorithm="string",
tags={
"string": "string",
},
trust="string",
user_authority_expiration="string",
user_authority_filter="string")
const roleResource = new athenz.Role("roleResource", {
domain: "string",
notifyRoles: "string",
reviewEnabled: false,
description: "string",
auditRef: "string",
lastReviewedDate: "string",
member: [{
name: "string",
expiration: "string",
review: "string",
}],
name: "string",
notifyDetails: "string",
roleId: "string",
deleteProtection: false,
principalDomainFilter: "string",
auditEnabled: false,
selfRenew: false,
selfRenewMins: 0,
selfServe: false,
settings: {
certExpiryMins: 0,
groupExpiryDays: 0,
groupReviewDays: 0,
maxMembers: 0,
serviceExpiryDays: 0,
serviceReviewDays: 0,
tokenExpiryMins: 0,
userExpiryDays: 0,
userReviewDays: 0,
},
signAlgorithm: "string",
tags: {
string: "string",
},
trust: "string",
userAuthorityExpiration: "string",
userAuthorityFilter: "string",
});
type: athenz:Role
properties:
auditEnabled: false
auditRef: string
deleteProtection: false
description: string
domain: string
lastReviewedDate: string
member:
- expiration: string
name: string
review: string
name: string
notifyDetails: string
notifyRoles: string
principalDomainFilter: string
reviewEnabled: false
roleId: string
selfRenew: false
selfRenewMins: 0
selfServe: false
settings:
certExpiryMins: 0
groupExpiryDays: 0
groupReviewDays: 0
maxMembers: 0
serviceExpiryDays: 0
serviceReviewDays: 0
tokenExpiryMins: 0
userExpiryDays: 0
userReviewDays: 0
signAlgorithm: string
tags:
string: string
trust: string
userAuthorityExpiration: string
userAuthorityFilter: string
Role Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Role resource accepts the following input properties:
- Domain string
- Name of the domain that role belongs to
- Audit
Enabled bool - audit enabled flag for the role
- Audit
Ref string - string containing audit specification or ticket number.
- Delete
Protection bool - If true, ask for delete confirmation in audit and review enabled roles
- Description string
- description for the role
- Last
Reviewed stringDate - The last reviewed timestamp for the role
- Member
List<Role
Member> - A set of Athenz principal members
- Members List<string>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - Name string
- Name of the role
- Notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- Notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- Principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- Review
Enabled bool - Flag indicates whether role updates require another review and approval
- Role
Id string - The ID of this resource.
- Self
Renew bool - Flag indicates whether to allow expired members to renew their membership
- Self
Renew doubleMins - Number of minutes members can renew their membership if self review option is enabled
- Self
Serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- Settings
Role
Settings - A map of advanced settings with the following options
- Sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- Dictionary<string, string>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- Trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- Domain string
- Name of the domain that role belongs to
- Audit
Enabled bool - audit enabled flag for the role
- Audit
Ref string - string containing audit specification or ticket number.
- Delete
Protection bool - If true, ask for delete confirmation in audit and review enabled roles
- Description string
- description for the role
- Last
Reviewed stringDate - The last reviewed timestamp for the role
- Member
[]Role
Member Args - A set of Athenz principal members
- Members []string
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - Name string
- Name of the role
- Notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- Notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- Principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- Review
Enabled bool - Flag indicates whether role updates require another review and approval
- Role
Id string - The ID of this resource.
- Self
Renew bool - Flag indicates whether to allow expired members to renew their membership
- Self
Renew float64Mins - Number of minutes members can renew their membership if self review option is enabled
- Self
Serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- Settings
Role
Settings Args - A map of advanced settings with the following options
- Sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- map[string]string
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- Trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- domain String
- Name of the domain that role belongs to
- audit
Enabled Boolean - audit enabled flag for the role
- audit
Ref String - string containing audit specification or ticket number.
- delete
Protection Boolean - If true, ask for delete confirmation in audit and review enabled roles
- description String
- description for the role
- last
Reviewed StringDate - The last reviewed timestamp for the role
- member
List<Role
Member> - A set of Athenz principal members
- members List<String>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name String
- Name of the role
- notify
Details String - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles String - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain StringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled Boolean - Flag indicates whether role updates require another review and approval
- role
Id String - The ID of this resource.
- self
Renew Boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew DoubleMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve Boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings - A map of advanced settings with the following options
- sign
Algorithm String - sign algorithm to be used for tokens issued for this role: rsa or ec
- Map<String,String>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust String
- The domain, which this role is trusted to.
- String
- expiration enforced by a user authority configured attribute
- String
- membership filtered based on user authority configured attributes
- domain string
- Name of the domain that role belongs to
- audit
Enabled boolean - audit enabled flag for the role
- audit
Ref string - string containing audit specification or ticket number.
- delete
Protection boolean - If true, ask for delete confirmation in audit and review enabled roles
- description string
- description for the role
- last
Reviewed stringDate - The last reviewed timestamp for the role
- member
Role
Member[] - A set of Athenz principal members
- members string[]
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name string
- Name of the role
- notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled boolean - Flag indicates whether role updates require another review and approval
- role
Id string - The ID of this resource.
- self
Renew boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew numberMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings - A map of advanced settings with the following options
- sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- {[key: string]: string}
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- domain str
- Name of the domain that role belongs to
- audit_
enabled bool - audit enabled flag for the role
- audit_
ref str - string containing audit specification or ticket number.
- delete_
protection bool - If true, ask for delete confirmation in audit and review enabled roles
- description str
- description for the role
- last_
reviewed_ strdate - The last reviewed timestamp for the role
- member
Sequence[Role
Member Args] - A set of Athenz principal members
- members Sequence[str]
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name str
- Name of the role
- notify_
details str - Set of instructions included in notifications for review and audit enabled roles
- notify_
roles str - comma seperated list of roles whose members should be notified for member review/approval
- principal_
domain_ strfilter - comma seperated list of domains to enforce principal membership
- review_
enabled bool - Flag indicates whether role updates require another review and approval
- role_
id str - The ID of this resource.
- self_
renew bool - Flag indicates whether to allow expired members to renew their membership
- self_
renew_ floatmins - Number of minutes members can renew their membership if self review option is enabled
- self_
serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings Args - A map of advanced settings with the following options
- sign_
algorithm str - sign algorithm to be used for tokens issued for this role: rsa or ec
- Mapping[str, str]
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust str
- The domain, which this role is trusted to.
- str
- expiration enforced by a user authority configured attribute
- str
- membership filtered based on user authority configured attributes
- domain String
- Name of the domain that role belongs to
- audit
Enabled Boolean - audit enabled flag for the role
- audit
Ref String - string containing audit specification or ticket number.
- delete
Protection Boolean - If true, ask for delete confirmation in audit and review enabled roles
- description String
- description for the role
- last
Reviewed StringDate - The last reviewed timestamp for the role
- member List<Property Map>
- A set of Athenz principal members
- members List<String>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name String
- Name of the role
- notify
Details String - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles String - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain StringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled Boolean - Flag indicates whether role updates require another review and approval
- role
Id String - The ID of this resource.
- self
Renew Boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew NumberMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve Boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings Property Map
- A map of advanced settings with the following options
- sign
Algorithm String - sign algorithm to be used for tokens issued for this role: rsa or ec
- Map<String>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust String
- The domain, which this role is trusted to.
- String
- expiration enforced by a user authority configured attribute
- String
- membership filtered based on user authority configured attributes
Outputs
All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Role Resource
Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
audit_enabled: Optional[bool] = None,
audit_ref: Optional[str] = None,
delete_protection: Optional[bool] = None,
description: Optional[str] = None,
domain: Optional[str] = None,
last_reviewed_date: Optional[str] = None,
member: Optional[Sequence[RoleMemberArgs]] = None,
members: Optional[Sequence[str]] = None,
name: Optional[str] = None,
notify_details: Optional[str] = None,
notify_roles: Optional[str] = None,
principal_domain_filter: Optional[str] = None,
review_enabled: Optional[bool] = None,
role_id: Optional[str] = None,
self_renew: Optional[bool] = None,
self_renew_mins: Optional[float] = None,
self_serve: Optional[bool] = None,
settings: Optional[RoleSettingsArgs] = None,
sign_algorithm: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
trust: Optional[str] = None,
user_authority_expiration: Optional[str] = None,
user_authority_filter: Optional[str] = None) -> Rolefunc GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)resources: _: type: athenz:Role get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Audit
Enabled bool - audit enabled flag for the role
- Audit
Ref string - string containing audit specification or ticket number.
- Delete
Protection bool - If true, ask for delete confirmation in audit and review enabled roles
- Description string
- description for the role
- Domain string
- Name of the domain that role belongs to
- Last
Reviewed stringDate - The last reviewed timestamp for the role
- Member
List<Role
Member> - A set of Athenz principal members
- Members List<string>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - Name string
- Name of the role
- Notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- Notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- Principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- Review
Enabled bool - Flag indicates whether role updates require another review and approval
- Role
Id string - The ID of this resource.
- Self
Renew bool - Flag indicates whether to allow expired members to renew their membership
- Self
Renew doubleMins - Number of minutes members can renew their membership if self review option is enabled
- Self
Serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- Settings
Role
Settings - A map of advanced settings with the following options
- Sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- Dictionary<string, string>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- Trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- Audit
Enabled bool - audit enabled flag for the role
- Audit
Ref string - string containing audit specification or ticket number.
- Delete
Protection bool - If true, ask for delete confirmation in audit and review enabled roles
- Description string
- description for the role
- Domain string
- Name of the domain that role belongs to
- Last
Reviewed stringDate - The last reviewed timestamp for the role
- Member
[]Role
Member Args - A set of Athenz principal members
- Members []string
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - Name string
- Name of the role
- Notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- Notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- Principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- Review
Enabled bool - Flag indicates whether role updates require another review and approval
- Role
Id string - The ID of this resource.
- Self
Renew bool - Flag indicates whether to allow expired members to renew their membership
- Self
Renew float64Mins - Number of minutes members can renew their membership if self review option is enabled
- Self
Serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- Settings
Role
Settings Args - A map of advanced settings with the following options
- Sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- map[string]string
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- Trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- audit
Enabled Boolean - audit enabled flag for the role
- audit
Ref String - string containing audit specification or ticket number.
- delete
Protection Boolean - If true, ask for delete confirmation in audit and review enabled roles
- description String
- description for the role
- domain String
- Name of the domain that role belongs to
- last
Reviewed StringDate - The last reviewed timestamp for the role
- member
List<Role
Member> - A set of Athenz principal members
- members List<String>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name String
- Name of the role
- notify
Details String - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles String - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain StringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled Boolean - Flag indicates whether role updates require another review and approval
- role
Id String - The ID of this resource.
- self
Renew Boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew DoubleMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve Boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings - A map of advanced settings with the following options
- sign
Algorithm String - sign algorithm to be used for tokens issued for this role: rsa or ec
- Map<String,String>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust String
- The domain, which this role is trusted to.
- String
- expiration enforced by a user authority configured attribute
- String
- membership filtered based on user authority configured attributes
- audit
Enabled boolean - audit enabled flag for the role
- audit
Ref string - string containing audit specification or ticket number.
- delete
Protection boolean - If true, ask for delete confirmation in audit and review enabled roles
- description string
- description for the role
- domain string
- Name of the domain that role belongs to
- last
Reviewed stringDate - The last reviewed timestamp for the role
- member
Role
Member[] - A set of Athenz principal members
- members string[]
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name string
- Name of the role
- notify
Details string - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles string - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain stringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled boolean - Flag indicates whether role updates require another review and approval
- role
Id string - The ID of this resource.
- self
Renew boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew numberMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings - A map of advanced settings with the following options
- sign
Algorithm string - sign algorithm to be used for tokens issued for this role: rsa or ec
- {[key: string]: string}
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust string
- The domain, which this role is trusted to.
- string
- expiration enforced by a user authority configured attribute
- string
- membership filtered based on user authority configured attributes
- audit_
enabled bool - audit enabled flag for the role
- audit_
ref str - string containing audit specification or ticket number.
- delete_
protection bool - If true, ask for delete confirmation in audit and review enabled roles
- description str
- description for the role
- domain str
- Name of the domain that role belongs to
- last_
reviewed_ strdate - The last reviewed timestamp for the role
- member
Sequence[Role
Member Args] - A set of Athenz principal members
- members Sequence[str]
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name str
- Name of the role
- notify_
details str - Set of instructions included in notifications for review and audit enabled roles
- notify_
roles str - comma seperated list of roles whose members should be notified for member review/approval
- principal_
domain_ strfilter - comma seperated list of domains to enforce principal membership
- review_
enabled bool - Flag indicates whether role updates require another review and approval
- role_
id str - The ID of this resource.
- self_
renew bool - Flag indicates whether to allow expired members to renew their membership
- self_
renew_ floatmins - Number of minutes members can renew their membership if self review option is enabled
- self_
serve bool - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings
Role
Settings Args - A map of advanced settings with the following options
- sign_
algorithm str - sign algorithm to be used for tokens issued for this role: rsa or ec
- Mapping[str, str]
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust str
- The domain, which this role is trusted to.
- str
- expiration enforced by a user authority configured attribute
- str
- membership filtered based on user authority configured attributes
- audit
Enabled Boolean - audit enabled flag for the role
- audit
Ref String - string containing audit specification or ticket number.
- delete
Protection Boolean - If true, ask for delete confirmation in audit and review enabled roles
- description String
- description for the role
- domain String
- Name of the domain that role belongs to
- last
Reviewed StringDate - The last reviewed timestamp for the role
- member List<Property Map>
- A set of Athenz principal members
- members List<String>
- Deprecated use member attribute instead (Optional) List of Athenz principal members. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>. - name String
- Name of the role
- notify
Details String - Set of instructions included in notifications for review and audit enabled roles
- notify
Roles String - comma seperated list of roles whose members should be notified for member review/approval
- principal
Domain StringFilter - comma seperated list of domains to enforce principal membership
- review
Enabled Boolean - Flag indicates whether role updates require another review and approval
- role
Id String - The ID of this resource.
- self
Renew Boolean - Flag indicates whether to allow expired members to renew their membership
- self
Renew NumberMins - Number of minutes members can renew their membership if self review option is enabled
- self
Serve Boolean - Flag indicates whether role allows self-service. Users can add themselves in the role, but it has to be approved by domain admins to be effective.
- settings Property Map
- A map of advanced settings with the following options
- sign
Algorithm String - sign algorithm to be used for tokens issued for this role: rsa or ec
- Map<String>
- Map of tags. The key is the tag-name and value is the tag-values are represented as a string with a comma separator. e.g. key1 = "val1,val2", this will be converted to: key1 = ["val1", "val2"]
- trust String
- The domain, which this role is trusted to.
- String
- expiration enforced by a user authority configured attribute
- String
- membership filtered based on user authority configured attributes
Supporting Types
RoleMember, RoleMemberArgs
- Name string
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- Expiration string
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- Review string
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
- Name string
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- Expiration string
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- Review string
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
- name String
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- expiration String
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- review String
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
- name string
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- expiration string
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- review string
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
- name str
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- expiration str
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- review str
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
- name String
- The name of the Athenz principal member. must be in this format:
user.<userid> or <domain>.<service> or <domain>:group.<group>.
- The name of the Athenz principal member. must be in this format:
- expiration String
- The expiration time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The expiration time in UTC of the Athenz principal member. must be in this format:
- review String
- The review time in UTC of the Athenz principal member. must be in this format:
<yyyy>-<mm>-<dd> <hh>:<MM>:<ss>
- The review time in UTC of the Athenz principal member. must be in this format:
RoleSettings, RoleSettingsArgs
- Cert
Expiry doubleMins - Certs issued for this role will have specified max timeout in mins
- Group
Expiry doubleDays - all group members in the role will have specified max expiry days
- Group
Review doubleDays - all group members in the role will have specified max review reminder days
- Max
Members double - Max number of principals in the role
- Service
Expiry doubleDays - all services in the role will have specified max expiry days
- Service
Review doubleDays - all service members in the role will have specified max review reminder days
- Token
Expiry doubleMins - tokens issued for this role will have specified max timeout in mins
- User
Expiry doubleDays - all user members in the role will have specified max expiry days
- User
Review doubleDays - all user members in the role will have specified max review reminder days
- Cert
Expiry float64Mins - Certs issued for this role will have specified max timeout in mins
- Group
Expiry float64Days - all group members in the role will have specified max expiry days
- Group
Review float64Days - all group members in the role will have specified max review reminder days
- Max
Members float64 - Max number of principals in the role
- Service
Expiry float64Days - all services in the role will have specified max expiry days
- Service
Review float64Days - all service members in the role will have specified max review reminder days
- Token
Expiry float64Mins - tokens issued for this role will have specified max timeout in mins
- User
Expiry float64Days - all user members in the role will have specified max expiry days
- User
Review float64Days - all user members in the role will have specified max review reminder days
- cert
Expiry DoubleMins - Certs issued for this role will have specified max timeout in mins
- group
Expiry DoubleDays - all group members in the role will have specified max expiry days
- group
Review DoubleDays - all group members in the role will have specified max review reminder days
- max
Members Double - Max number of principals in the role
- service
Expiry DoubleDays - all services in the role will have specified max expiry days
- service
Review DoubleDays - all service members in the role will have specified max review reminder days
- token
Expiry DoubleMins - tokens issued for this role will have specified max timeout in mins
- user
Expiry DoubleDays - all user members in the role will have specified max expiry days
- user
Review DoubleDays - all user members in the role will have specified max review reminder days
- cert
Expiry numberMins - Certs issued for this role will have specified max timeout in mins
- group
Expiry numberDays - all group members in the role will have specified max expiry days
- group
Review numberDays - all group members in the role will have specified max review reminder days
- max
Members number - Max number of principals in the role
- service
Expiry numberDays - all services in the role will have specified max expiry days
- service
Review numberDays - all service members in the role will have specified max review reminder days
- token
Expiry numberMins - tokens issued for this role will have specified max timeout in mins
- user
Expiry numberDays - all user members in the role will have specified max expiry days
- user
Review numberDays - all user members in the role will have specified max review reminder days
- cert_
expiry_ floatmins - Certs issued for this role will have specified max timeout in mins
- group_
expiry_ floatdays - all group members in the role will have specified max expiry days
- group_
review_ floatdays - all group members in the role will have specified max review reminder days
- max_
members float - Max number of principals in the role
- service_
expiry_ floatdays - all services in the role will have specified max expiry days
- service_
review_ floatdays - all service members in the role will have specified max review reminder days
- token_
expiry_ floatmins - tokens issued for this role will have specified max timeout in mins
- user_
expiry_ floatdays - all user members in the role will have specified max expiry days
- user_
review_ floatdays - all user members in the role will have specified max review reminder days
- cert
Expiry NumberMins - Certs issued for this role will have specified max timeout in mins
- group
Expiry NumberDays - all group members in the role will have specified max expiry days
- group
Review NumberDays - all group members in the role will have specified max review reminder days
- max
Members Number - Max number of principals in the role
- service
Expiry NumberDays - all services in the role will have specified max expiry days
- service
Review NumberDays - all service members in the role will have specified max review reminder days
- token
Expiry NumberMins - tokens issued for this role will have specified max timeout in mins
- user
Expiry NumberDays - all user members in the role will have specified max expiry days
- user
Review NumberDays - all user members in the role will have specified max review reminder days
Package Details
- Repository
- athenz athenz/terraform-provider-athenz
- License
- Notes
- This Pulumi package is based on the
athenzTerraform Provider.