Module role

This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource Assignment

DEPRECATED azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
class Assignment extends CustomResource
Assigns a given Principal (User or Group) to a given Role.

#### Example Usage

##### Using A Built-In Role

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
// Grant the built-in Reader role to the current principal at subscription scope.
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    scope: primary.then(primary => primary.id),
    roleDefinitionName: "Reader",
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
```

##### Custom Role & Service Principal

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
// Custom role limited to reading resource groups in the subscription.
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
```

##### Custom Role & User

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.clientId),
});
```

##### Custom Role & Management Group

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleGroup = azure.management.getGroup({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    // Assign at the management group looked up above.
    scope: exampleGroup.then(exampleGroup => exampleGroup.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.clientId),
});
```

constructor

DEPRECATED azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
new Assignment(name: string, args: AssignmentArgs, opts?: pulumi.CustomResourceOptions)

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AssignmentState, opts?: pulumi.CustomResourceOptions): Assignment
Get an existing Assignment resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Assignment
Returns true if the given object is an instance of Assignment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

public principalId: pulumi.Output<string>;
The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property principalType

public principalType: pulumi.Output<string>;
The type of the `principalId`, e.g. User, Group, Service Principal, Application, etc.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;
The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with `roleDefinitionName`.

property roleDefinitionName

public roleDefinitionName: pulumi.Output<string>;
The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with `roleDefinitionId`.

property scope

public scope: pulumi.Output<string>;
The scope at which the Role Assignment applies, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`, or `/providers/Microsoft.Management/managementGroups/myMG`. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

public skipServicePrincipalAadCheck: pulumi.Output<boolean>;
If the `principalId` is a newly provisioned `Service Principal` set this value to `true` to skip the `Azure Active Directory` check which may fail due to replication lag. This argument is only valid if the `principalId` is a `Service Principal` identity. If it is not a `Service Principal` identity it will cause the role assignment to fail. Defaults to `false`.

property urn

urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Definition

DEPRECATED azure.role.Definition has been deprecated in favor of azure.authorization.RoleDefinition
class Definition extends CustomResource
Manages a custom Role Definition, used to assign Roles to Users/Principals. See ['Understand role definitions'](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions) in the Azure documentation for more details.

#### Example Usage

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const example = new azure.authorization.RoleDefinition("example", {
    scope: primary.then(primary => primary.id),
    description: "This is a custom role created",
    permissions: [{
        actions: ["*"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
```

constructor

DEPRECATED azure.role.Definition has been deprecated in favor of azure.authorization.RoleDefinition

new Definition(name: string, args: DefinitionArgs, opts?: pulumi.CustomResourceOptions)

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefinitionState, opts?: pulumi.CustomResourceOptions): Definition

Get an existing Definition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Definition

Returns true if the given object is an instance of Definition. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property assignableScopes

public assignableScopes: pulumi.Output<string[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

public description: pulumi.Output<string | undefined>;

A description of the Role Definition.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

public permissions: pulumi.Output<DefinitionPermission[]>;

A permissions block as defined below.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

public scope: pulumi.Output<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getRoleDefinition

DEPRECATED azure.role.getRoleDefinition has been deprecated in favor of azure.authorization.getRoleDefinition
getRoleDefinition(args?: GetRoleDefinitionArgs, opts?: pulumi.InvokeOptions): Promise<GetRoleDefinitionResult>

Others

interface AssignmentArgs

interface AssignmentArgs

The set of arguments for constructing an Assignment resource.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId: pulumi.Input<string>;

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope: pulumi.Input<string>;

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

skipServicePrincipalAadCheck?: pulumi.Input<boolean>;

If the principalId is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principalId is a Service Principal identity. If it is not a Service Principal identity it will cause the role assignment to fail. Defaults to false.
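
A pre-deployment review of the arguments documented above, as an added example that is not part of the Pulumi SDK or of this page's original text. It classifies `scope` using the four formats listed for that property, enforces the `roleDefinitionId`/`roleDefinitionName` conflict, and flags `skipServicePrincipalAadCheck` on a non-Service-Principal; `AssignmentInput`, `principalKind`, `scopeLevel`, `reviewAssignment` and the `BROAD_ROLES` policy are assumptions made for illustration.

```typescript
// Added example (not Pulumi SDK code): plain-object mirror of the AssignmentArgs fields.
interface AssignmentInput {
  scope: string;
  principalId: string;
  roleDefinitionId?: string;
  roleDefinitionName?: string;
  skipServicePrincipalAadCheck?: boolean;
  principalKind?: string; // hypothetical field: what the caller knows the principal to be
}

type ScopeLevel = "managementGroup" | "subscription" | "resourceGroup" | "resource" | "invalid";

// Classify a scope string against the four formats listed in the `scope` property text.
function scopeLevel(scope: string): ScopeLevel {
  if (/^\/providers\/Microsoft\.Management\/managementGroups\/[^/]+$/i.test(scope)) {
    return "managementGroup";
  }
  const m = /^\/subscriptions\/[0-9a-f-]{36}(\/resourceGroups\/[^/]+(\/providers\/.+)?)?$/i.exec(scope);
  if (!m) return "invalid";
  if (m[2]) return "resource";
  return m[1] ? "resourceGroup" : "subscription";
}

// Assumed organisational policy: built-in roles not to be granted above resource-group level.
const BROAD_ROLES: string[] = ["Owner", "Contributor", "User Access Administrator"];

function reviewAssignment(a: AssignmentInput): string[] {
  const findings: string[] = [];
  const level = scopeLevel(a.scope);
  if (level === "invalid") findings.push("scope: not one of the documented formats");
  // roleDefinitionId and roleDefinitionName conflict, so exactly one must be set.
  if (Boolean(a.roleDefinitionId) === Boolean(a.roleDefinitionName)) {
    findings.push("role: set exactly one of roleDefinitionId / roleDefinitionName");
  }
  const wide = level === "subscription" || level === "managementGroup";
  if (wide && a.roleDefinitionName && BROAD_ROLES.indexOf(a.roleDefinitionName) !== -1) {
    findings.push(`role: ${a.roleDefinitionName} granted at ${level} scope`);
  }
  // Skipping the AAD check is only valid for a Service Principal identity.
  if (a.skipServicePrincipalAadCheck && a.principalKind !== "ServicePrincipal") {
    findings.push("skipServicePrincipalAadCheck: principal is not a Service Principal");
  }
  return findings;
}

// Constructed sample input: a broad built-in role at subscription scope.
const sampleFindings = reviewAssignment({
  scope: "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333",
  principalId: "00000000-0000-0000-0000-000000000000",
  roleDefinitionName: "Owner",
});
console.log(sampleFindings);
```

Running the same function over every assignment in a stack before `pulumi up` gives a reviewable list of grants that exceed the intended scope.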

interface AssignmentState

interface AssignmentState

Input properties used for looking up and filtering Assignment resources.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId?: pulumi.Input<string>;

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property principalType

principalType?: pulumi.Input<string>;

The type of the principalId, e.g. User, Group, Service Principal, Application, etc.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope?: pulumi.Input<string>;

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

skipServicePrincipalAadCheck?: pulumi.Input<boolean>;

If the principalId is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principalId is a Service Principal identity. If it is not a Service Principal identity it will cause the role assignment to fail. Defaults to false.

interface DefinitionArgs

interface DefinitionArgs

The set of arguments for constructing a Definition resource.

property assignableScopes

assignableScopes: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions: pulumi.Input<pulumi.Input<DefinitionPermission>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

interface DefinitionState

interface DefinitionState

Input properties used for looking up and filtering Definition resources.

property assignableScopes

assignableScopes?: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions?: pulumi.Input<pulumi.Input<DefinitionPermission>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope?: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

interface GetRoleDefinitionArgs

interface GetRoleDefinitionArgs

A collection of arguments for invoking getRoleDefinition.

property name

name?: undefined | string;

property roleDefinitionId

roleDefinitionId?: undefined | string;

property scope

scope?: undefined | string;

interface GetRoleDefinitionResult

interface GetRoleDefinitionResult

A collection of values returned by getRoleDefinition.

property assignableScopes

assignableScopes: string[];

property description

description: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

property permissions

permissions: GetRoleDefinitionPermission[];

property roleDefinitionId

roleDefinitionId: string;

property scope

scope?: undefined | string;

property type

type: string;