1. Packages
  2. Azure Classic
  3. API Docs
  4. authorization
  5. RoleDefinition

We recommend using Azure Native.

Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi

azure.authorization.RoleDefinition

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi

    Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const primary = azure.core.getSubscription({});
    const example = new azure.authorization.RoleDefinition("example", {
        name: "my-custom-role",
        scope: primary.then(primary => primary.id),
        description: "This is a custom role created",
        permissions: [{
            actions: ["*"],
            notActions: [],
        }],
        assignableScopes: [primary.then(primary => primary.id)],
    });
    
    import pulumi
    import pulumi_azure as azure
    
    primary = azure.core.get_subscription()
    example = azure.authorization.RoleDefinition("example",
        name="my-custom-role",
        scope=primary.id,
        description="This is a custom role created",
        permissions=[{
            "actions": ["*"],
            "not_actions": [],
        }],
        assignable_scopes=[primary.id])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
    			Name:        pulumi.String("my-custom-role"),
    			Scope:       pulumi.String(primary.Id),
    			Description: pulumi.String("This is a custom role created"),
    			Permissions: authorization.RoleDefinitionPermissionArray{
    				&authorization.RoleDefinitionPermissionArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("*"),
    					},
    					NotActions: pulumi.StringArray{},
    				},
    			},
    			AssignableScopes: pulumi.StringArray{
    				pulumi.String(primary.Id),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = Azure.Core.GetSubscription.Invoke();
    
        var example = new Azure.Authorization.RoleDefinition("example", new()
        {
            Name = "my-custom-role",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            Description = "This is a custom role created",
            Permissions = new[]
            {
                new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
                {
                    Actions = new[]
                    {
                        "*",
                    },
                    NotActions = new() { },
                },
            },
            AssignableScopes = new[]
            {
                primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.authorization.RoleDefinition;
    import com.pulumi.azure.authorization.RoleDefinitionArgs;
    import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var primary = CoreFunctions.getSubscription();
    
            var example = new RoleDefinition("example", RoleDefinitionArgs.builder()
                .name("my-custom-role")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .description("This is a custom role created")
                .permissions(RoleDefinitionPermissionArgs.builder()
                    .actions("*")
                    .notActions()
                    .build())
                .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:authorization:RoleDefinition
        properties:
          name: my-custom-role
          scope: ${primary.id}
          description: This is a custom role created
          permissions:
            - actions:
                - '*'
              notActions: []
          assignableScopes:
            - ${primary.id}
    variables:
      primary:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
    

    With Management Group

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const current = azure.core.getSubscription({});
    const example = new azure.management.Group("example", {
        displayName: "ParentGroup",
        subscriptionIds: [current.then(current => current.subscriptionId)],
    });
    const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
        name: "example-mg-role",
        scope: example.id,
        description: "Example custom role scoped to a management group.",
        permissions: [{
            actions: ["Microsoft.Insights/alertRules/*"],
            notActions: [],
        }],
        assignableScopes: [example.id],
    });
    
    import pulumi
    import pulumi_azure as azure
    
    current = azure.core.get_subscription()
    example = azure.management.Group("example",
        display_name="ParentGroup",
        subscription_ids=[current.subscription_id])
    example_role_definition = azure.authorization.RoleDefinition("example",
        name="example-mg-role",
        scope=example.id,
        description="Example custom role scoped to a management group.",
        permissions=[{
            "actions": ["Microsoft.Insights/alertRules/*"],
            "not_actions": [],
        }],
        assignable_scopes=[example.id])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
    		if err != nil {
    			return err
    		}
    		example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
    			DisplayName: pulumi.String("ParentGroup"),
    			SubscriptionIds: pulumi.StringArray{
    				pulumi.String(current.SubscriptionId),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
    			Name:        pulumi.String("example-mg-role"),
    			Scope:       example.ID(),
    			Description: pulumi.String("Example custom role scoped to a management group."),
    			Permissions: authorization.RoleDefinitionPermissionArray{
    				&authorization.RoleDefinitionPermissionArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("Microsoft.Insights/alertRules/*"),
    					},
    					NotActions: pulumi.StringArray{},
    				},
    			},
    			AssignableScopes: pulumi.StringArray{
    				example.ID(),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Azure.Core.GetSubscription.Invoke();
    
        var example = new Azure.Management.Group("example", new()
        {
            DisplayName = "ParentGroup",
            SubscriptionIds = new[]
            {
                current.Apply(getSubscriptionResult => getSubscriptionResult.SubscriptionId),
            },
        });
    
        var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
        {
            Name = "example-mg-role",
            Scope = example.Id,
            Description = "Example custom role scoped to a management group.",
            Permissions = new[]
            {
                new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
                {
                    Actions = new[]
                    {
                        "Microsoft.Insights/alertRules/*",
                    },
                    NotActions = new() { },
                },
            },
            AssignableScopes = new[]
            {
                example.Id,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.management.Group;
    import com.pulumi.azure.management.GroupArgs;
    import com.pulumi.azure.authorization.RoleDefinition;
    import com.pulumi.azure.authorization.RoleDefinitionArgs;
    import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = CoreFunctions.getSubscription();
    
            var example = new Group("example", GroupArgs.builder()
                .displayName("ParentGroup")
                .subscriptionIds(current.applyValue(getSubscriptionResult -> getSubscriptionResult.subscriptionId()))
                .build());
    
            var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
                .name("example-mg-role")
                .scope(example.id())
                .description("Example custom role scoped to a management group.")
                .permissions(RoleDefinitionPermissionArgs.builder()
                    .actions("Microsoft.Insights/alertRules/*")
                    .notActions()
                    .build())
                .assignableScopes(example.id())
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:management:Group
        properties:
          displayName: ParentGroup
          subscriptionIds:
            - ${current.subscriptionId}
      exampleRoleDefinition:
        type: azure:authorization:RoleDefinition
        name: example
        properties:
          name: example-mg-role
          scope: ${example.id}
          description: Example custom role scoped to a management group.
          permissions:
            - actions:
                - Microsoft.Insights/alertRules/*
              notActions: []
          assignableScopes:
            - ${example.id}
    variables:
      current:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
    

    Create RoleDefinition Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RoleDefinition(name: string, args: RoleDefinitionArgs, opts?: CustomResourceOptions);
    @overload
    def RoleDefinition(resource_name: str,
                       args: RoleDefinitionArgs,
                       opts: Optional[ResourceOptions] = None)
    
    @overload
    def RoleDefinition(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       scope: Optional[str] = None,
                       assignable_scopes: Optional[Sequence[str]] = None,
                       description: Optional[str] = None,
                       name: Optional[str] = None,
                       permissions: Optional[Sequence[RoleDefinitionPermissionArgs]] = None,
                       role_definition_id: Optional[str] = None)
    func NewRoleDefinition(ctx *Context, name string, args RoleDefinitionArgs, opts ...ResourceOption) (*RoleDefinition, error)
    public RoleDefinition(string name, RoleDefinitionArgs args, CustomResourceOptions? opts = null)
    public RoleDefinition(String name, RoleDefinitionArgs args)
    public RoleDefinition(String name, RoleDefinitionArgs args, CustomResourceOptions options)
    
    type: azure:authorization:RoleDefinition
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RoleDefinitionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RoleDefinitionArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RoleDefinitionArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RoleDefinitionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RoleDefinitionArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var roleDefinitionResource = new Azure.Authorization.RoleDefinition("roleDefinitionResource", new()
    {
        Scope = "string",
        AssignableScopes = new[]
        {
            "string",
        },
        Description = "string",
        Name = "string",
        Permissions = new[]
        {
            new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
            {
                Actions = new[]
                {
                    "string",
                },
                DataActions = new[]
                {
                    "string",
                },
                NotActions = new[]
                {
                    "string",
                },
                NotDataActions = new[]
                {
                    "string",
                },
            },
        },
        RoleDefinitionId = "string",
    });
    
    example, err := authorization.NewRoleDefinition(ctx, "roleDefinitionResource", &authorization.RoleDefinitionArgs{
    	Scope: pulumi.String("string"),
    	AssignableScopes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Description: pulumi.String("string"),
    	Name:        pulumi.String("string"),
    	Permissions: authorization.RoleDefinitionPermissionArray{
    		&authorization.RoleDefinitionPermissionArgs{
    			Actions: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			DataActions: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			NotActions: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			NotDataActions: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	RoleDefinitionId: pulumi.String("string"),
    })
    
    var roleDefinitionResource = new RoleDefinition("roleDefinitionResource", RoleDefinitionArgs.builder()
        .scope("string")
        .assignableScopes("string")
        .description("string")
        .name("string")
        .permissions(RoleDefinitionPermissionArgs.builder()
            .actions("string")
            .dataActions("string")
            .notActions("string")
            .notDataActions("string")
            .build())
        .roleDefinitionId("string")
        .build());
    
    role_definition_resource = azure.authorization.RoleDefinition("roleDefinitionResource",
        scope="string",
        assignable_scopes=["string"],
        description="string",
        name="string",
        permissions=[{
            "actions": ["string"],
            "data_actions": ["string"],
            "not_actions": ["string"],
            "not_data_actions": ["string"],
        }],
        role_definition_id="string")
    
    const roleDefinitionResource = new azure.authorization.RoleDefinition("roleDefinitionResource", {
        scope: "string",
        assignableScopes: ["string"],
        description: "string",
        name: "string",
        permissions: [{
            actions: ["string"],
            dataActions: ["string"],
            notActions: ["string"],
            notDataActions: ["string"],
        }],
        roleDefinitionId: "string",
    });
    
    type: azure:authorization:RoleDefinition
    properties:
        assignableScopes:
            - string
        description: string
        name: string
        permissions:
            - actions:
                - string
              dataActions:
                - string
              notActions:
                - string
              notDataActions:
                - string
        roleDefinitionId: string
        scope: string
    

    RoleDefinition Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The RoleDefinition resource accepts the following input properties:

    Scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    AssignableScopes List<string>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    Description string
    A description of the Role Definition.
    Name string
    The name of the Role Definition.
    Permissions List<RoleDefinitionPermission>
    A permissions block as defined below.
    RoleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    Scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    AssignableScopes []string

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    Description string
    A description of the Role Definition.
    Name string
    The name of the Role Definition.
    Permissions []RoleDefinitionPermissionArgs
    A permissions block as defined below.
    RoleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    scope String
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes List<String>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description String
    A description of the Role Definition.
    name String
    The name of the Role Definition.
    permissions List<RoleDefinitionPermission>
    A permissions block as defined below.
    roleDefinitionId String
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes string[]

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description string
    A description of the Role Definition.
    name string
    The name of the Role Definition.
    permissions RoleDefinitionPermission[]
    A permissions block as defined below.
    roleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    scope str
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignable_scopes Sequence[str]

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description str
    A description of the Role Definition.
    name str
    The name of the Role Definition.
    permissions Sequence[RoleDefinitionPermissionArgs]
    A permissions block as defined below.
    role_definition_id str
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    scope String
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes List<String>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description String
    A description of the Role Definition.
    name String
    The name of the Role Definition.
    permissions List<Property Map>
    A permissions block as defined below.
    roleDefinitionId String
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RoleDefinition resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    RoleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    RoleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    id String
    The provider-assigned unique ID for this managed resource.
    roleDefinitionResourceId String
    The Azure Resource Manager ID for the resource.
    id string
    The provider-assigned unique ID for this managed resource.
    roleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    id str
    The provider-assigned unique ID for this managed resource.
    role_definition_resource_id str
    The Azure Resource Manager ID for the resource.
    id String
    The provider-assigned unique ID for this managed resource.
    roleDefinitionResourceId String
    The Azure Resource Manager ID for the resource.

    Look up Existing RoleDefinition Resource

    Get an existing RoleDefinition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RoleDefinitionState, opts?: CustomResourceOptions): RoleDefinition
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            assignable_scopes: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            name: Optional[str] = None,
            permissions: Optional[Sequence[RoleDefinitionPermissionArgs]] = None,
            role_definition_id: Optional[str] = None,
            role_definition_resource_id: Optional[str] = None,
            scope: Optional[str] = None) -> RoleDefinition
    func GetRoleDefinition(ctx *Context, name string, id IDInput, state *RoleDefinitionState, opts ...ResourceOption) (*RoleDefinition, error)
    public static RoleDefinition Get(string name, Input<string> id, RoleDefinitionState? state, CustomResourceOptions? opts = null)
    public static RoleDefinition get(String name, Output<String> id, RoleDefinitionState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AssignableScopes List<string>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    Description string
    A description of the Role Definition.
    Name string
    The name of the Role Definition.
    Permissions List<RoleDefinitionPermission>
    A permissions block as defined below.
    RoleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    RoleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    Scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    AssignableScopes []string

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    Description string
    A description of the Role Definition.
    Name string
    The name of the Role Definition.
    Permissions []RoleDefinitionPermissionArgs
    A permissions block as defined below.
    RoleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    RoleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    Scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes List<String>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description String
    A description of the Role Definition.
    name String
    The name of the Role Definition.
    permissions List<RoleDefinitionPermission>
    A permissions block as defined below.
    roleDefinitionId String
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    roleDefinitionResourceId String
    The Azure Resource Manager ID for the resource.
    scope String
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes string[]

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description string
    A description of the Role Definition.
    name string
    The name of the Role Definition.
    permissions RoleDefinitionPermission[]
    A permissions block as defined below.
    roleDefinitionId string
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    roleDefinitionResourceId string
    The Azure Resource Manager ID for the resource.
    scope string
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignable_scopes Sequence[str]

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description str
    A description of the Role Definition.
    name str
    The name of the Role Definition.
    permissions Sequence[RoleDefinitionPermissionArgs]
    A permissions block as defined below.
    role_definition_id str
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    role_definition_resource_id str
    The Azure Resource Manager ID for the resource.
    scope str
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
    assignableScopes List<String>

    One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333 , or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

    NOTE: The value for scope is automatically included in this list if no other values supplied.

    description String
    A description of the Role Definition.
    name String
    The name of the Role Definition.
    permissions List<Property Map>
    A permissions block as defined below.
    roleDefinitionId String
    A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
    roleDefinitionResourceId String
    The Azure Resource Manager ID for the resource.
    scope String
    The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.

    Supporting Types

    RoleDefinitionPermission, RoleDefinitionPermissionArgs

    Actions List<string>
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    DataActions List<string>
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    NotActions List<string>
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    NotDataActions List<string>
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    Actions []string
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    DataActions []string
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    NotActions []string
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    NotDataActions []string
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    actions List<String>
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    dataActions List<String>
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    notActions List<String>
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    notDataActions List<String>
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    actions string[]
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    dataActions string[]
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    notActions string[]
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    notDataActions string[]
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    actions Sequence[str]
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    data_actions Sequence[str]
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    not_actions Sequence[str]
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    not_data_actions Sequence[str]
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    actions List<String>
    One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    dataActions List<String>
    One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See 'Azure Resource Manager resource provider operations' for details.
    notActions List<String>
    One or more Disallowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.
    notDataActions List<String>
    One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See 'Azure Resource Manager resource provider operations' for details.

    Import

    Role Definitions can be imported using the resource id, e.g.

    $ pulumi import azure:authorization/roleDefinition:RoleDefinition example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|/subscriptions/00000000-0000-0000-0000-000000000000"
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure v6.13.0 published on Monday, Dec 9, 2024 by Pulumi