A Pulumi package for creating and managing Microsoft Azure cloud resources, based on the Terraform azurerm provider. We recommend using the [Azure Native provider](https://github.com/pulumi/pulumi-azure-native) to provision Azure infrastructure. Azure Native provides complete coverage of Azure resources and same-day access to new resources and resource updates.
// *** WARNING: this file was generated by pulumi-java-gen. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
package com.pulumi.azure.role;
import com.pulumi.azure.Utilities;
import com.pulumi.azure.role.AssignmentArgs;
import com.pulumi.azure.role.inputs.AssignmentState;
import com.pulumi.core.Output;
import com.pulumi.core.annotations.Export;
import com.pulumi.core.annotations.ResourceType;
import com.pulumi.core.internal.Codegen;
import java.lang.Boolean;
import java.lang.String;
import java.util.Optional;
import javax.annotation.Nullable;
/**
* Assigns a given Principal (User or Group) to a given Role.
*
* ## Example Usage
*
* ### Using A Built-In Role
*
* <!--Start PulumiCodeChooser -->
*
* {@code
* package generated_program;
*
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.azure.core.CoreFunctions;
* import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
* import com.pulumi.azure.authorization.Assignment;
* import com.pulumi.azure.authorization.AssignmentArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
*
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
*
* public static void stack(Context ctx) {
* final var primary = CoreFunctions.getSubscription();
*
* final var example = CoreFunctions.getClientConfig();
*
* var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .roleDefinitionName("Reader")
* .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
* .build());
*
* }
* }
* }
*
* <!--End PulumiCodeChooser -->
*
* ### Custom Role & Service Principal
*
* <!--Start PulumiCodeChooser -->
*
* {@code
* package generated_program;
*
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.azure.core.CoreFunctions;
* import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
* import com.pulumi.azure.authorization.RoleDefinition;
* import com.pulumi.azure.authorization.RoleDefinitionArgs;
* import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
* import com.pulumi.azure.authorization.Assignment;
* import com.pulumi.azure.authorization.AssignmentArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
*
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
*
* public static void stack(Context ctx) {
* final var primary = CoreFunctions.getSubscription();
*
* final var example = CoreFunctions.getClientConfig();
*
* var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
* .roleDefinitionId("00000000-0000-0000-0000-000000000000")
* .name("my-custom-role-definition")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .permissions(RoleDefinitionPermissionArgs.builder()
* .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
* .notActions()
* .build())
* .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .build());
*
* var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
* .name("00000000-0000-0000-0000-000000000000")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
* .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
* .build());
*
* }
* }
* }
*
* <!--End PulumiCodeChooser -->
*
* ### Custom Role & User
*
* <!--Start PulumiCodeChooser -->
*
* {@code
* package generated_program;
*
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.azure.core.CoreFunctions;
* import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
* import com.pulumi.azure.authorization.RoleDefinition;
* import com.pulumi.azure.authorization.RoleDefinitionArgs;
* import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
* import com.pulumi.azure.authorization.Assignment;
* import com.pulumi.azure.authorization.AssignmentArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
*
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
*
* public static void stack(Context ctx) {
* final var primary = CoreFunctions.getSubscription();
*
* final var example = CoreFunctions.getClientConfig();
*
* var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
* .roleDefinitionId("00000000-0000-0000-0000-000000000000")
* .name("my-custom-role-definition")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .permissions(RoleDefinitionPermissionArgs.builder()
* .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
* .notActions()
* .build())
* .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .build());
*
* var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
* .name("00000000-0000-0000-0000-000000000000")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
* .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
* .build());
*
* }
* }
* }
*
* <!--End PulumiCodeChooser -->
*
* ### Custom Role & Management Group
*
* <!--Start PulumiCodeChooser -->
*
* {@code
* package generated_program;
*
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.azure.core.CoreFunctions;
* import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
* import com.pulumi.azure.management.ManagementFunctions;
* import com.pulumi.azure.management.inputs.GetGroupArgs;
* import com.pulumi.azure.authorization.RoleDefinition;
* import com.pulumi.azure.authorization.RoleDefinitionArgs;
* import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
* import com.pulumi.azure.authorization.Assignment;
* import com.pulumi.azure.authorization.AssignmentArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
*
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
*
* public static void stack(Context ctx) {
* final var primary = CoreFunctions.getSubscription();
*
* final var example = CoreFunctions.getClientConfig();
*
* final var exampleGetGroup = ManagementFunctions.getGroup(GetGroupArgs.builder()
* .name("00000000-0000-0000-0000-000000000000")
* .build());
*
* var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
* .roleDefinitionId("00000000-0000-0000-0000-000000000000")
* .name("my-custom-role-definition")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .permissions(RoleDefinitionPermissionArgs.builder()
* .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
* .notActions()
* .build())
* .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .build());
*
* var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
* .name("00000000-0000-0000-0000-000000000000")
* .scope(exampleGetGroup.applyValue(getGroupResult -> getGroupResult.id()))
* .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
* .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
* .build());
*
* }
* }
* }
*
* <!--End PulumiCodeChooser -->
*
* ### ABAC Condition
*
* <!--Start PulumiCodeChooser -->
*
* {@code
* package generated_program;
*
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.azure.core.CoreFunctions;
* import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
* import com.pulumi.azure.authorization.AuthorizationFunctions;
* import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
* import com.pulumi.azure.authorization.Assignment;
* import com.pulumi.azure.authorization.AssignmentArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
*
* public class App }{{@code
* public static void main(String[] args) }{{@code
* Pulumi.run(App::stack);
* }}{@code
*
* public static void stack(Context ctx) }{{@code
* final var primary = CoreFunctions.getSubscription();
*
* final var example = CoreFunctions.getClientConfig();
*
* final var builtin = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
* .name("Reader")
* .build());
*
* var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
* .roleDefinitionName("Role Based Access Control Administrator")
* .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
* .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
* .principalType("ServicePrincipal")
* .description("Role Based Access Control Administrator role assignment with ABAC Condition.")
* .conditionVersion("2.0")
* .condition("""
* (
* (
* !(ActionMatches}{{@code 'Microsoft.Authorization/roleAssignments/write'}}{@code )
* )
* OR
* (
* }{@literal @}{@code Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals }{{@code %s}}{@code
* )
* )
* AND
* (
* (
* !(ActionMatches}{{@code 'Microsoft.Authorization/roleAssignments/delete'}}{@code )
* )
* OR
* (
* }{@literal @}{@code Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals }{{@code %s}}{@code
* )
* )
* ", StdFunctions.basename(BasenameArgs.builder()
* .input(builtin.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.roleDefinitionId()))
* .build()).result(),StdFunctions.basename(BasenameArgs.builder()
* .input(builtin.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.roleDefinitionId()))
* .build()).result()))
* .build());
*
* }}{@code
* }}{@code
* }
*
* <!--End PulumiCodeChooser -->
*
* ## Import
*
* Role Assignments can be imported using the `resource id`, e.g.
*
* ```sh
* $ pulumi import azure:role/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
* ```
*
* * for scope `Subscription`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
*
* * for scope `Resource Group`, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
*
* * for scope referencing a Key Vault, the id format is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.KeyVault/vaults/vaultname/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000`
*
* ```text
* /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000
* ```
*
* @deprecated
* azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
*
*/
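@Deprecated /* azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment */
@ResourceType(type="azure:role/assignment:Assignment")
public class Assignment extends com.pulumi.resources.CustomResource {
    /**
     * The condition that limits the resources that the role can be assigned to (an ABAC
     * condition expression; see the class-level "ABAC Condition" example). Changing this
     * forces a new resource to be created.
     *
     * <p>Optional: the wrapped value is {@code null} when no condition was set.
     */
    @Export(name="condition", refs={String.class}, tree="[0]")
    private Output</* @Nullable */ String> condition;

    /**
     * @return The condition that limits the resources that the role can be assigned to,
     * wrapped in an {@link Optional} that is empty when no condition was set. Changing this
     * forces a new resource to be created.
     */
    public Output<Optional<String>> condition() {
        return Codegen.optional(this.condition);
    }

    /**
     * The version of the condition. Possible values are `1.0` or `2.0`. Changing this forces a
     * new resource to be created.
     *
     * <p>Optional: the wrapped value is {@code null} when no condition version was set.
     */
    @Export(name="conditionVersion", refs={String.class}, tree="[0]")
    private Output</* @Nullable */ String> conditionVersion;

    /**
     * @return The version of the condition (`1.0` or `2.0`), wrapped in an {@link Optional}
     * that is empty when none was set. Changing this forces a new resource to be created.
     */
    public Output<Optional<String>> conditionVersion() {
        return Codegen.optional(this.conditionVersion);
    }

    /**
     * The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a
     * new resource to be created.
     *
     * > **NOTE:** this field is only used in cross tenant scenario.
     *
     * <p>Optional: the wrapped value is {@code null} when not set.
     */
    @Export(name="delegatedManagedIdentityResourceId", refs={String.class}, tree="[0]")
    private Output</* @Nullable */ String> delegatedManagedIdentityResourceId;

    /**
     * @return The delegated Azure Resource Id which contains a Managed Identity, wrapped in an
     * {@link Optional} that is empty when not set. Changing this forces a new resource to be
     * created.
     *
     * > **NOTE:** this field is only used in cross tenant scenario.
     */
    public Output<Optional<String>> delegatedManagedIdentityResourceId() {
        return Codegen.optional(this.delegatedManagedIdentityResourceId);
    }

    /**
     * The description for this Role Assignment. Changing this forces a new resource to be
     * created.
     *
     * <p>Optional: the wrapped value is {@code null} when no description was set.
     */
    @Export(name="description", refs={String.class}, tree="[0]")
    private Output</* @Nullable */ String> description;

    /**
     * @return The description for this Role Assignment, wrapped in an {@link Optional} that is
     * empty when none was set. Changing this forces a new resource to be created.
     */
    public Output<Optional<String>> description() {
        return Codegen.optional(this.description);
    }

    /**
     * A unique UUID/GUID for this Role Assignment - one will be generated if not specified.
     * Changing this forces a new resource to be created.
     */
    @Export(name="name", refs={String.class}, tree="[0]")
    private Output<String> name;

    /**
     * @return A unique UUID/GUID for this Role Assignment - one will be generated if not
     * specified. Changing this forces a new resource to be created.
     */
    public Output<String> name() {
        return this.name;
    }

    /**
     * The ID of the Principal (User, Group or Service Principal) to assign the Role Definition
     * to. Changing this forces a new resource to be created.
     *
     * > **NOTE:** The Principal ID is also known as the Object ID (ie not the "Application ID"
     * for applications).
     */
    @Export(name="principalId", refs={String.class}, tree="[0]")
    private Output<String> principalId;

    /**
     * @return The ID of the Principal (User, Group or Service Principal) to assign the Role
     * Definition to. Changing this forces a new resource to be created.
     *
     * > **NOTE:** The Principal ID is also known as the Object ID (ie not the "Application ID"
     * for applications).
     */
    public Output<String> principalId() {
        return this.principalId;
    }

    /**
     * The type of the `principal_id`. Possible values are `User`, `Group` and
     * `ServicePrincipal`. Changing this forces a new resource to be created. It is necessary to
     * explicitly set this attribute when creating role assignments if the principal creating
     * the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.
     *
     * > **NOTE:** If one of `condition` or `condition_version` is set both fields must be
     * present.
     */
    @Export(name="principalType", refs={String.class}, tree="[0]")
    private Output<String> principalType;

    /**
     * @return The type of the `principal_id`: `User`, `Group` or `ServicePrincipal`. Changing
     * this forces a new resource to be created. It is necessary to explicitly set this
     * attribute when creating role assignments if the principal creating the assignment is
     * constrained by ABAC rules that filter on the PrincipalType attribute.
     *
     * > **NOTE:** If one of `condition` or `condition_version` is set both fields must be
     * present.
     */
    public Output<String> principalType() {
        return this.principalType;
    }

    /**
     * The Scoped-ID of the Role Definition. Changing this forces a new resource to be created.
     * Conflicts with `role_definition_name`.
     */
    @Export(name="roleDefinitionId", refs={String.class}, tree="[0]")
    private Output<String> roleDefinitionId;

    /**
     * @return The Scoped-ID of the Role Definition. Changing this forces a new resource to be
     * created. Conflicts with `role_definition_name`.
     */
    public Output<String> roleDefinitionId() {
        return this.roleDefinitionId;
    }

    /**
     * The name of a built-in Role. Changing this forces a new resource to be created. Conflicts
     * with `role_definition_id`.
     */
    @Export(name="roleDefinitionName", refs={String.class}, tree="[0]")
    private Output<String> roleDefinitionName;

    /**
     * @return The name of a built-in Role. Changing this forces a new resource to be created.
     * Conflicts with `role_definition_id`.
     */
    public Output<String> roleDefinitionName() {
        return this.roleDefinitionName;
    }

    /**
     * The scope at which the Role Assignment applies, such as
     * `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`,
     * `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`,
     * `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`,
     * or `/providers/Microsoft.Management/managementGroups/myMG`. Changing this forces a new
     * resource to be created.
     */
    @Export(name="scope", refs={String.class}, tree="[0]")
    private Output<String> scope;

    /**
     * @return The scope at which the Role Assignment applies (subscription, resource group,
     * resource or management group ID, see the field documentation for the formats). Changing
     * this forces a new resource to be created.
     */
    public Output<String> scope() {
        return this.scope;
    }

    /**
     * If the `principal_id` is a newly provisioned `Service Principal` set this value to `true`
     * to skip the `Azure Active Directory` check which may fail due to replication lag. This
     * argument is only valid if the `principal_id` is a `Service Principal` identity. Defaults
     * to `false`.
     *
     * > **NOTE:** If it is not a `Service Principal` identity it will cause the role assignment
     * to fail.
     */
    @Export(name="skipServicePrincipalAadCheck", refs={Boolean.class}, tree="[0]")
    private Output<Boolean> skipServicePrincipalAadCheck;

    /**
     * @return Whether the `Azure Active Directory` check for a newly provisioned
     * `Service Principal` is skipped. Only valid if the `principal_id` is a `Service Principal`
     * identity. Defaults to `false`.
     *
     * > **NOTE:** If it is not a `Service Principal` identity it will cause the role assignment
     * to fail.
     */
    public Output<Boolean> skipServicePrincipalAadCheck() {
        return this.skipServicePrincipalAadCheck;
    }

    /**
     * Creates the resource with empty arguments and default options.
     *
     * @param name The _unique_ name of the resulting resource.
     */
    public Assignment(java.lang.String name) {
        this(name, AssignmentArgs.Empty);
    }

    /**
     * Creates the resource with the given arguments and default options.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param args The arguments to use to populate this resource's properties.
     */
    public Assignment(java.lang.String name, AssignmentArgs args) {
        this(name, args, null);
    }

    /**
     * Creates the resource with the given arguments and options.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param options A bag of options that control this resource's behavior; may be {@code null}.
     */
    public Assignment(java.lang.String name, AssignmentArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) {
        super("azure:role/assignment:Assignment", name, makeArgs(args, options), makeResourceOptions(options, Codegen.empty()), false);
    }

    /**
     * Lookup constructor used by {@link #get}: the resource is identified by {@code id} and
     * {@code state} is passed in place of the creation arguments.
     */
    private Assignment(java.lang.String name, Output<String> id, @Nullable AssignmentState state, @Nullable com.pulumi.resources.CustomResourceOptions options) {
        super("azure:role/assignment:Assignment", name, state, makeResourceOptions(options, id), false);
    }

    /**
     * Chooses the argument bag handed to the base resource.
     *
     * <p>When {@code options} already carries a URN the arguments are dropped and {@code null}
     * is returned — presumably because an existing resource is being referenced by URN rather
     * than created; confirm against the Pulumi SDK. Otherwise a {@code null} {@code args} is
     * replaced by {@link AssignmentArgs#Empty} so the provider never sees a missing bag.
     */
    private static AssignmentArgs makeArgs(AssignmentArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) {
        if (options != null && options.getUrn().isPresent()) {
            return null;
        }
        return args == null ? AssignmentArgs.Empty : args;
    }

    /**
     * Merges caller-supplied options with this package's defaults (only the provider version
     * reported by {@link Utilities#getVersion()}) and the optional resource {@code id}.
     */
    private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output<String> id) {
        var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder()
            .version(Utilities.getVersion())
            .build();
        return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id);
    }

    /**
     * Get an existing Assignment resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Optional extra properties used to qualify the lookup; may be {@code null}.
     * @param options Optional settings to control the behavior of the CustomResource.
     */
    public static Assignment get(java.lang.String name, Output<String> id, @Nullable AssignmentState state, @Nullable com.pulumi.resources.CustomResourceOptions options) {
        return new Assignment(name, id, state, options);
    }
}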