hsdp.IamRoleSharingPolicy
Provides a resource for managing HSDP IAM Role Sharing Policies, introduced in the March 2022 release.
A principal (user or identity) holding either of the following permissions can create or update the policy. Because a sharing policy decides which tenant organizations may use the role, treat these permissions as privileged and grant them only to the principals that administer role sharing:
HSDP_IAM_ROLE_SHARE.WRITE
HSDP_IAM_ORGANIZATION.MGMT
!> Changing the permissions assigned to a shared role changes the behavior of every application in every organization the role is shared with, and may cause application downtime. Applying a more restrictive sharing policy to an organization automatically and recursively removes the role's existing assignments from all of that organization's child organizations, unless a child organization has its own overriding policy that retains them. Removed assignments are permanent and must be re-created by the organization administrators. Review changes to a shared role's permissions or sharing policy as a cross-tenant operation before applying them.
Example Usage
The following example creates a role in `my_org` and shares it with `another_org`. Because the policy is `AllowChildren`, groups in `another_org` and in any of its child organizations can be assigned the role; use `Restricted` to limit assignment to `another_org` itself.
import * as pulumi from "@pulumi/pulumi";
import * as hsdp from "@pulumi/hsdp";
// The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
const sharedRole = new hsdp.IamRole("shared", {
    managingOrganization: hsdp_iam_org.my_org.id,
    description: "A role we want to share across ORGs",
    permissions: ["PATIENT.READ", "PRACTITIONER.READ"],
});

// Share it with another_org. "AllowChildren" lets groups in another_org AND in
// any of its child organizations be assigned the role; "Restricted" limits
// assignment to another_org itself and "Denied" blocks it entirely. Later
// permission changes to the role reach every organization it is shared with
// (see the warning above).
const sharingPolicy = new hsdp.IamRoleSharingPolicy("policy", {
    targetOrganizationId: hsdp_iam_org.another_org.id,
    roleId: sharedRole.iamRoleId,
    sharingPolicy: "AllowChildren",
    purpose: "Share SOME role with another organization",
});
import pulumi
import pulumi_hsdp as hsdp
# The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
shared_role = hsdp.IamRole(
    "shared",
    managing_organization=hsdp_iam_org["my_org"]["id"],
    description="A role we want to share across ORGs",
    permissions=["PATIENT.READ", "PRACTITIONER.READ"],
)

# Share it with another_org. "AllowChildren" lets groups in another_org AND in
# any of its child organizations be assigned the role; "Restricted" limits
# assignment to another_org itself and "Denied" blocks it entirely. Later
# permission changes to the role reach every organization it is shared with
# (see the warning above).
sharing_policy = hsdp.IamRoleSharingPolicy(
    "policy",
    target_organization_id=hsdp_iam_org["another_org"]["id"],
    role_id=shared_role.iam_role_id,
    sharing_policy="AllowChildren",
    purpose="Share SOME role with another organization",
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/hsdp/hsdp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
		sharedRole, err := hsdp.NewIamRole(ctx, "shared", &hsdp.IamRoleArgs{
			ManagingOrganization: pulumi.Any(hsdp_iam_org.My_org.Id),
			Description:          pulumi.String("A role we want to share across ORGs"),
			Permissions: pulumi.StringArray{
				pulumi.String("PATIENT.READ"),
				pulumi.String("PRACTITIONER.READ"),
			},
		})
		if err != nil {
			return err
		}

		// Share it with another_org. "AllowChildren" lets groups in another_org
		// AND in any of its child organizations be assigned the role;
		// "Restricted" limits assignment to another_org itself and "Denied"
		// blocks it entirely. Later permission changes to the role reach every
		// organization it is shared with (see the warning above).
		if _, err = hsdp.NewIamRoleSharingPolicy(ctx, "policy", &hsdp.IamRoleSharingPolicyArgs{
			TargetOrganizationId: pulumi.Any(hsdp_iam_org.Another_org.Id),
			RoleId:               sharedRole.IamRoleId,
			SharingPolicy:        pulumi.String("AllowChildren"),
			Purpose:              pulumi.String("Share SOME role with another organization"),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Hsdp = Pulumi.Hsdp;
return await Deployment.RunAsync(() =>
{
    // The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
    var sharedRole = new Hsdp.IamRole("shared", new()
    {
        ManagingOrganization = hsdp_iam_org.My_org.Id,
        Description = "A role we want to share across ORGs",
        Permissions = new[] { "PATIENT.READ", "PRACTITIONER.READ" },
    });

    // Share it with another_org. "AllowChildren" lets groups in another_org AND
    // in any of its child organizations be assigned the role; "Restricted"
    // limits assignment to another_org itself and "Denied" blocks it entirely.
    // Later permission changes to the role reach every organization it is
    // shared with (see the warning above).
    var sharingPolicy = new Hsdp.IamRoleSharingPolicy("policy", new()
    {
        TargetOrganizationId = hsdp_iam_org.Another_org.Id,
        RoleId = sharedRole.IamRoleId,
        SharingPolicy = "AllowChildren",
        Purpose = "Share SOME role with another organization",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.hsdp.IamRole;
import com.pulumi.hsdp.IamRoleArgs;
import com.pulumi.hsdp.IamRoleSharingPolicy;
import com.pulumi.hsdp.IamRoleSharingPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
        var sharedRole = new IamRole("shared", IamRoleArgs.builder()
            .managingOrganization(hsdp_iam_org.my_org().id())
            .description("A role we want to share across ORGs")
            .permissions("PATIENT.READ", "PRACTITIONER.READ")
            .build());

        // Share it with another_org. "AllowChildren" lets groups in another_org
        // AND in any of its child organizations be assigned the role;
        // "Restricted" limits assignment to another_org itself and "Denied"
        // blocks it entirely. Later permission changes to the role reach every
        // organization it is shared with (see the warning above).
        var sharingPolicy = new IamRoleSharingPolicy("policy", IamRoleSharingPolicyArgs.builder()
            .targetOrganizationId(hsdp_iam_org.another_org().id())
            .roleId(sharedRole.iamRoleId())
            .sharingPolicy("AllowChildren")
            .purpose("Share SOME role with another organization")
            .build());
    }
}
resources:
  # The role to share (PATIENT.READ and PRACTITIONER.READ), managed by my_org.
  shared:
    type: hsdp:IamRole
    properties:
      managingOrganization: ${hsdp_iam_org.my_org.id}
      description: A role we want to share across ORGs
      permissions:
        - PATIENT.READ
        - PRACTITIONER.READ
  # Share it with another_org. AllowChildren lets groups in another_org AND in
  # any of its child organizations be assigned the role; Restricted limits
  # assignment to another_org itself and Denied blocks it entirely. Later
  # permission changes to the role reach every organization it is shared with
  # (see the warning above).
  policy:
    type: hsdp:IamRoleSharingPolicy
    properties:
      targetOrganizationId: ${hsdp_iam_org.another_org.id}
      roleId: ${shared.iamRoleId}
      sharingPolicy: AllowChildren
      purpose: Share SOME role with another organization
Create IamRoleSharingPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IamRoleSharingPolicy(name: string, args: IamRoleSharingPolicyArgs, opts?: CustomResourceOptions);
@overload
def IamRoleSharingPolicy(resource_name: str,
args: IamRoleSharingPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IamRoleSharingPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
role_id: Optional[str] = None,
sharing_policy: Optional[str] = None,
target_organization_id: Optional[str] = None,
iam_role_sharing_policy_id: Optional[str] = None,
purpose: Optional[str] = None)
func NewIamRoleSharingPolicy(ctx *Context, name string, args IamRoleSharingPolicyArgs, opts ...ResourceOption) (*IamRoleSharingPolicy, error)
public IamRoleSharingPolicy(string name, IamRoleSharingPolicyArgs args, CustomResourceOptions? opts = null)
public IamRoleSharingPolicy(String name, IamRoleSharingPolicyArgs args)
public IamRoleSharingPolicy(String name, IamRoleSharingPolicyArgs args, CustomResourceOptions options)
type: hsdp:IamRoleSharingPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IamRoleSharingPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IamRoleSharingPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IamRoleSharingPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IamRoleSharingPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IamRoleSharingPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var iamRoleSharingPolicyResource = new Hsdp.IamRoleSharingPolicy("iamRoleSharingPolicyResource", new()
{
RoleId = "string",
SharingPolicy = "string",
TargetOrganizationId = "string",
IamRoleSharingPolicyId = "string",
Purpose = "string",
});
example, err := hsdp.NewIamRoleSharingPolicy(ctx, "iamRoleSharingPolicyResource", &hsdp.IamRoleSharingPolicyArgs{
RoleId: pulumi.String("string"),
SharingPolicy: pulumi.String("string"),
TargetOrganizationId: pulumi.String("string"),
IamRoleSharingPolicyId: pulumi.String("string"),
Purpose: pulumi.String("string"),
})
var iamRoleSharingPolicyResource = new IamRoleSharingPolicy("iamRoleSharingPolicyResource", IamRoleSharingPolicyArgs.builder()
.roleId("string")
.sharingPolicy("string")
.targetOrganizationId("string")
.iamRoleSharingPolicyId("string")
.purpose("string")
.build());
iam_role_sharing_policy_resource = hsdp.IamRoleSharingPolicy("iamRoleSharingPolicyResource",
role_id="string",
sharing_policy="string",
target_organization_id="string",
iam_role_sharing_policy_id="string",
purpose="string")
const iamRoleSharingPolicyResource = new hsdp.IamRoleSharingPolicy("iamRoleSharingPolicyResource", {
roleId: "string",
sharingPolicy: "string",
targetOrganizationId: "string",
iamRoleSharingPolicyId: "string",
purpose: "string",
});
type: hsdp:IamRoleSharingPolicy
properties:
iamRoleSharingPolicyId: string
purpose: string
roleId: string
sharingPolicy: string
targetOrganizationId: string
IamRoleSharingPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IamRoleSharingPolicy resource accepts the following input properties:
- Role
Id string - The ID of the role to share
- Sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- Target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- Iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - Purpose string
- The purpose of this role sharing policy mapping
- Role
Id string - The ID of the role to share
- Sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- Target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- Iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - Purpose string
- The purpose of this role sharing policy mapping
- role
Id String - The ID of the role to share
- sharing
Policy String - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- target
Organization StringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role StringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose String
- The purpose of this role sharing policy mapping
- role
Id string - The ID of the role to share
- sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose string
- The purpose of this role sharing policy mapping
- role_
id str - The ID of the role to share
- sharing_
policy str - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- target_
organization_ strid - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam_
role_ strsharing_ policy_ id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose str
- The purpose of this role sharing policy mapping
- role
Id String - The ID of the role to share
- sharing
Policy String - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- target
Organization StringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role StringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose String
- The purpose of this role sharing policy mapping
Outputs
All input properties are implicitly available as output properties. Additionally, the IamRoleSharingPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Role
Name string - The role name
- Source
Organization stringId - The source organization ID
- Id string
- The provider-assigned unique ID for this managed resource.
- Role
Name string - The role name
- Source
Organization stringId - The source organization ID
- id String
- The provider-assigned unique ID for this managed resource.
- role
Name String - The role name
- source
Organization StringId - The source organization ID
- id string
- The provider-assigned unique ID for this managed resource.
- role
Name string - The role name
- source
Organization stringId - The source organization ID
- id str
- The provider-assigned unique ID for this managed resource.
- role_
name str - The role name
- source_
organization_ strid - The source organization ID
- id String
- The provider-assigned unique ID for this managed resource.
- role
Name String - The role name
- source
Organization StringId - The source organization ID
Look up Existing IamRoleSharingPolicy Resource
Get an existing IamRoleSharingPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IamRoleSharingPolicyState, opts?: CustomResourceOptions): IamRoleSharingPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
iam_role_sharing_policy_id: Optional[str] = None,
purpose: Optional[str] = None,
role_id: Optional[str] = None,
role_name: Optional[str] = None,
sharing_policy: Optional[str] = None,
source_organization_id: Optional[str] = None,
target_organization_id: Optional[str] = None) -> IamRoleSharingPolicy
func GetIamRoleSharingPolicy(ctx *Context, name string, id IDInput, state *IamRoleSharingPolicyState, opts ...ResourceOption) (*IamRoleSharingPolicy, error)
public static IamRoleSharingPolicy Get(string name, Input<string> id, IamRoleSharingPolicyState? state, CustomResourceOptions? opts = null)
public static IamRoleSharingPolicy get(String name, Output<String> id, IamRoleSharingPolicyState state, CustomResourceOptions options)
resources: _: type: hsdp:IamRoleSharingPolicy get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - Purpose string
- The purpose of this role sharing policy mapping
- Role
Id string - The ID of the role to share
- Role
Name string - The role name
- Sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- Source
Organization stringId - The source organization ID
- Target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- Iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - Purpose string
- The purpose of this role sharing policy mapping
- Role
Id string - The ID of the role to share
- Role
Name string - The role name
- Sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- Source
Organization stringId - The source organization ID
- Target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role StringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose String
- The purpose of this role sharing policy mapping
- role
Id String - The ID of the role to share
- role
Name String - The role name
- sharing
Policy String - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- source
Organization StringId - The source organization ID
- target
Organization StringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role stringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose string
- The purpose of this role sharing policy mapping
- role
Id string - The ID of the role to share
- role
Name string - The role name
- sharing
Policy string - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- source
Organization stringId - The source organization ID
- target
Organization stringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam_
role_ strsharing_ policy_ id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose str
- The purpose of this role sharing policy mapping
- role_
id str - The ID of the role to share
- role_
name str - The role name
- sharing_
policy str - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- source_
organization_ strid - The source organization ID
- target_
organization_ strid - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
- iam
Role StringSharing Policy Id - The GUID of the role sharing policy (also known as
internalId
at the API level) - purpose String
- The purpose of this role sharing policy mapping
- role
Id String - The ID of the role to share
- role
Name String - The role name
- sharing
Policy String - The policy to use
Sharing of a role with a tenant organization can be in one of the following modes. Choose the most restrictive mode that satisfies the use case; AllowChildren extends the grant to all child organizations of the target, not just the target itself.
- Restricted: assigning the role to a group succeeds only for groups in the target organization itself; assignment to groups anywhere else in the hierarchy (parent or child organizations) is rejected by the API.
- AllowChildren: assigning the role to a group succeeds for groups in the target organization or in any of its child organizations; assignment to groups in the target's parent hierarchy is rejected by the API.
- Denied: the target (tenant) organization cannot use this role at all; every attempt to assign it is rejected by the API.
- source
Organization StringId - The source organization ID
- target
Organization StringId - The target organization UUID to apply this policy for. This can either be a root IAM Org or a subOrg in an existing hierarchy
Import
An existing role sharing policy can be imported using its GUID (the `iamRoleSharingPolicyId`, known as `internalId` at the API level), e.g.
$ pulumi import hsdp:index/iamRoleSharingPolicy:IamRoleSharingPolicy mypolicy a-guid
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- hsdp philips-software/terraform-provider-hsdp
- License
- Notes
- This Pulumi package is based on the
hsdp
Terraform Provider.