Role Management Policy Args
/**
 * Input arguments for the Azure Native `RoleManagementPolicy` resource (Kotlin SDK).
 *
 * Every property is an optional `Output`; a property left at `null` is simply not sent.
 *
 * @property description free-text description of the policy.
 * @property displayName display name of the policy.
 * @property isOrganizationDefault flag whose exact semantics are not shown on this page — NOTE(review): confirm against the REST API reference before relying on it.
 * @property roleManagementPolicyName name of the policy; the examples below pass a GUID.
 * @property rules the policy's rules. The examples below pass expiration, notification, enablement, approval, authentication-context and PIM-only-mode rule args. Typed as `List<Any>`, so rule types are not checked at compile time.
 * @property scope scope the policy applies to; the examples below use `providers/Microsoft.Subscription/subscriptions/<subscription id>`.
 */
data class RoleManagementPolicyArgs(val description: Output<String>? = null, val displayName: Output<String>? = null, val isOrganizationDefault: Output<Boolean>? = null, val roleManagementPolicyName: Output<String>? = null, val rules: Output<List<Any>>? = null, val scope: Output<String>? = null) : ConvertibleToJava<RoleManagementPolicyArgs>
Role management policy. Uses Azure REST API version 2024-09-01-preview. In version 2.x of the Azure Native provider, it used API version 2024-09-01-preview. Other available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview. These can be accessed by generating a local SDK package with the CLI command `pulumi package add azure-native authorization [ApiVersion]`. See the version guide (../../../version-guide/#accessing-any-api-version-via-local-packages) for details.
Example Usage
PatchPartialRoleManagementPolicy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Partial patch of the named policy at subscription scope: only the two rules
// listed here are supplied. Ids, GUIDs and recipient addresses are sample values
// carried over from the upstream example.
return await Deployment.RunAsync(() =>
{
    var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
    {
        RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
        Rules =
        {
            // Admin / Eligibility: up to 180 days, but an expiry is not mandatory
            // (IsExpirationRequired = false). NOTE(review): confirm that
            // non-expiring eligibility is intended at this scope.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
            {
                Id = "Expiration_Admin_Eligibility",
                IsExpirationRequired = false,
                MaximumDuration = "P180D",
                RuleType = "RoleManagementPolicyExpirationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Critical-level e-mail notification to one explicit Admin recipient
            // (placeholder @test.com address); default recipients are disabled.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Admin_Admin_Eligibility",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "admin_admin_eligible@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Admin,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
        },
        Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
    });
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a RoleManagementPolicy at subscription scope carrying two rules
// (expiration and notification) for Admin/Eligibility operations. Ids, GUIDs and
// the recipient address are sample values from the upstream example.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
			RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
			// NOTE(review): pulumi.Array holds pulumi.Input values; verify that the
			// plain rule structs below satisfy that interface in the SDK version in
			// use (input-side types in Pulumi Go SDKs are conventionally the *Args
			// variants).
			Rules: pulumi.Array{
				// Admin / Eligibility: up to 180 days, expiry not mandatory
				// (IsExpirationRequired: false). NOTE(review): confirm that
				// non-expiring eligibility is intended at this scope.
				authorization.RoleManagementPolicyExpirationRule{
					Id:                   "Expiration_Admin_Eligibility",
					IsExpirationRequired: false,
					MaximumDuration:      "P180D",
					RuleType:             "RoleManagementPolicyExpirationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				// Critical-level e-mail to one explicit Admin recipient; default
				// recipients disabled.
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Admin_Admin_Eligibility",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"admin_admin_eligible@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeAdmin,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
			},
			Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyExpirationRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyNotificationRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyRuleTargetArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
/**
 * Pulumi program that patches a role management policy at subscription scope with
 * two rules for Admin/Eligibility operations: an expiration rule and a
 * notification rule. Ids, GUIDs and the recipient address are sample values.
 */
public class App {
    /** Process entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi execution context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Admin / Eligibility: up to 180 days, expiry not mandatory
        // (isExpirationRequired(false)). NOTE(review): confirm that non-expiring
        // eligibility is intended at this scope.
        var adminEligibilityExpiration = RoleManagementPolicyExpirationRuleArgs.builder()
            .id("Expiration_Admin_Eligibility")
            .isExpirationRequired(false)
            .maximumDuration("P180D")
            .ruleType("RoleManagementPolicyExpirationRule")
            .target(RoleManagementPolicyRuleTargetArgs.builder()
                .caller("Admin")
                .level("Eligibility")
                .operations("All")
                .build())
            .build();

        // Critical-level e-mail to one explicit Admin recipient; default
        // recipients disabled. Enum-valued fields are passed as plain strings
        // here, so typos are not caught at compile time.
        var adminEligibilityNotification = RoleManagementPolicyNotificationRuleArgs.builder()
            .id("Notification_Admin_Admin_Eligibility")
            .isDefaultRecipientsEnabled(false)
            .notificationLevel("Critical")
            .notificationRecipients("admin_admin_eligible@test.com")
            .notificationType("Email")
            .recipientType("Admin")
            .ruleType("RoleManagementPolicyNotificationRule")
            .target(RoleManagementPolicyRuleTargetArgs.builder()
                .caller("Admin")
                .level("Eligibility")
                .operations("All")
                .build())
            .build();

        var policyArgs = RoleManagementPolicyArgs.builder()
            .roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
            .rules(adminEligibilityExpiration, adminEligibilityNotification)
            .scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
            .build();

        // Constructing the resource registers it with the engine; no handle is needed.
        new RoleManagementPolicy("roleManagementPolicy", policyArgs);
    }
}
PatchRoleManagementPolicy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Full patch of the policy at subscription scope. Rules are grouped by the
// (Caller, Level) pair in each Target: Admin/Eligibility, Admin/Assignment,
// EndUser/Assignment, plus one PIM-only-mode rule. Ids, GUIDs and recipient
// addresses (@test.com) are sample values carried over from the upstream example.
return await Deployment.RunAsync(() =>
{
    var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
    {
        RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
        Rules =
        {
            // ---- Admin / Eligibility ----
            // Eligibility may last up to 180 days; an expiry is not mandatory
            // (IsExpirationRequired = false). NOTE(review): confirm that
            // non-expiring eligibility is intended at this scope.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
            {
                Id = "Expiration_Admin_Eligibility",
                IsExpirationRequired = false,
                MaximumDuration = "P180D",
                RuleType = "RoleManagementPolicyExpirationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Critical-level e-mail to one explicit recipient per recipient type
            // (Admin, Requestor, Approver in the next three rules); default
            // recipients are disabled in each.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Admin_Admin_Eligibility",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "admin_admin_eligible@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Admin,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Requestor_Admin_Eligibility",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "requestor_admin_eligible@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Requestor,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Approver_Admin_Eligibility",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "approver_admin_eligible@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Approver,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // EnabledRules is empty: none of Justification, MultiFactorAuthentication
            // or Ticketing applies when an admin grants eligibility (compare
            // Enablement_Admin_Assignment below, which requires the first two).
            // NOTE(review): confirm this gap is intended.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
            {
                EnabledRules = new() { },
                Id = "Enablement_Admin_Eligibility",
                RuleType = "RoleManagementPolicyEnablementRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Eligibility",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // ---- Admin / Assignment ----
            // Active assignments made by admins: 90-day cap, expiry not mandatory.
            // NOTE(review): confirm that non-expiring active assignments are intended.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
            {
                Id = "Expiration_Admin_Assignment",
                IsExpirationRequired = false,
                MaximumDuration = "P90D",
                RuleType = "RoleManagementPolicyExpirationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Justification and MultiFactorAuthentication are required for admin
            // active assignments.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
            {
                EnabledRules = new[]
                {
                    AzureNative.Authorization.EnablementRules.Justification,
                    AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,
                },
                Id = "Enablement_Admin_Assignment",
                RuleType = "RoleManagementPolicyEnablementRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Same notification pattern as above (Admin, Requestor, Approver),
            // scoped to Admin/Assignment.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Admin_Admin_Assignment",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "admin_admin_member@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Admin,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Requestor_Admin_Assignment",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "requestor_admin_member@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Requestor,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Approver_Admin_Assignment",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "approver_admin_member@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Approver,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // ---- EndUser / Assignment (activation by the eligible user) ----
            // Activation must expire (IsExpirationRequired = true), at most 7 hours.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
            {
                Id = "Expiration_EndUser_Assignment",
                IsExpirationRequired = true,
                MaximumDuration = "PT7H",
                RuleType = "RoleManagementPolicyExpirationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Activation requires Justification, MultiFactorAuthentication and Ticketing.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
            {
                EnabledRules = new[]
                {
                    AzureNative.Authorization.EnablementRules.Justification,
                    AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,
                    AzureNative.Authorization.EnablementRules.Ticketing,
                },
                Id = "Enablement_EndUser_Assignment",
                RuleType = "RoleManagementPolicyEnablementRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Single-stage approval by either of two groups (sample GUIDs). Approval
            // is required (IsApprovalRequired = true) but not for extensions
            // (IsApprovalRequiredForExtension = false). NOTE(review): confirm that
            // unapproved extensions are acceptable for this role.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyApprovalRuleArgs
            {
                Id = "Approval_EndUser_Assignment",
                RuleType = "RoleManagementPolicyApprovalRule",
                Setting = new AzureNative.Authorization.Inputs.ApprovalSettingsArgs
                {
                    ApprovalMode = AzureNative.Authorization.ApprovalMode.SingleStage,
                    ApprovalStages = new[]
                    {
                        // Stage timeout 1 day; escalation disabled (IsEscalationEnabled =
                        // false, EscalationTimeInMinutes = 0); approvers must justify.
                        new AzureNative.Authorization.Inputs.ApprovalStageArgs
                        {
                            ApprovalStageTimeOutInDays = 1,
                            EscalationTimeInMinutes = 0,
                            IsApproverJustificationRequired = true,
                            IsEscalationEnabled = false,
                            PrimaryApprovers = new[]
                            {
                                new AzureNative.Authorization.Inputs.UserSetArgs
                                {
                                    Description = "amansw_new_group",
                                    Id = "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
                                    IsBackup = false,
                                    UserType = AzureNative.Authorization.UserType.Group,
                                },
                                new AzureNative.Authorization.Inputs.UserSetArgs
                                {
                                    Description = "amansw_group",
                                    Id = "2f4913c9-d15b-406a-9946-1d66a28f2690",
                                    IsBackup = false,
                                    UserType = AzureNative.Authorization.UserType.Group,
                                },
                            },
                        },
                    },
                    IsApprovalRequired = true,
                    IsApprovalRequiredForExtension = false,
                    IsRequestorJustificationRequired = true,
                },
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Authentication-context rule is disabled with an empty ClaimValue, so
            // no Conditional Access authentication context is demanded on
            // activation. NOTE(review): confirm this is intended for this role.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyAuthenticationContextRuleArgs
            {
                ClaimValue = "",
                Id = "AuthenticationContext_EndUser_Assignment",
                IsEnabled = false,
                RuleType = "RoleManagementPolicyAuthenticationContextRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Admin_EndUser_Assignment",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "admin_enduser_member@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Admin,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Requestor_EndUser_Assignment",
                IsDefaultRecipientsEnabled = false,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationRecipients = new[]
                {
                    "requestor_enduser_member@test.com",
                },
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Requestor,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // Unlike every other notification rule here, this one sets no explicit
            // NotificationRecipients and relies on IsDefaultRecipientsEnabled = true.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
            {
                Id = "Notification_Approver_EndUser_Assignment",
                IsDefaultRecipientsEnabled = true,
                NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
                NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
                RecipientType = AzureNative.Authorization.RecipientType.Approver,
                RuleType = "RoleManagementPolicyNotificationRule",
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "EndUser",
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "All",
                    },
                },
            },
            // ---- PIM-only mode ----
            // Mode = Enabled. Every entry in Excludes (here one user, one group and
            // one service principal, sample GUIDs) and in ExcludedAssignmentTypes is
            // a standing exception to the PIM-only control; keep this list minimal
            // and periodically reviewed.
            new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
            {
                Id = "PIMOnlyMode_Admin_Assignment",
                PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
                {
                    ExcludedAssignmentTypes = new[]
                    {
                        AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
                    },
                    Excludes = new[]
                    {
                        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
                        {
                            Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
                            Type = AzureNative.Authorization.UserType.User,
                        },
                        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
                        {
                            Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
                            Type = AzureNative.Authorization.UserType.Group,
                        },
                        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
                        {
                            Id = "0000103d-1fc2-4ac8-81de-71517765655c",
                            Type = AzureNative.Authorization.UserType.ServicePrincipal,
                        },
                    },
                    Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
                },
                RuleType = "RoleManagementPolicyPimOnlyModeRule",
                // Casing differs from the other Targets: "all" here, "All" elsewhere.
                // NOTE(review): confirm the API treats these values case-insensitively,
                // or align them.
                Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
                {
                    Caller = "Admin",
                    EnforcedSettings = new[]
                    {
                        "all",
                    },
                    InheritableSettings = new[]
                    {
                        "all",
                    },
                    Level = "Assignment",
                    Operations = new[]
                    {
                        "all",
                    },
                    TargetObjects = new() { },
                },
            },
        },
        Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
    });
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a full role management policy at subscription scope. Rules are
// grouped by the (Caller, Level) pair in each Target: Admin/Eligibility,
// Admin/Assignment, EndUser/Assignment, plus one PIM-only-mode rule. Ids, GUIDs
// and recipient addresses (@test.com) are sample values from the upstream example.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
			RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
			// NOTE(review): pulumi.Array holds pulumi.Input values; verify that the
			// plain rule structs below satisfy that interface in the SDK version in
			// use (input-side types in Pulumi Go SDKs are conventionally the *Args
			// variants).
			Rules: pulumi.Array{
				// ---- Admin / Eligibility ----
				// Up to 180 days, expiry not mandatory (IsExpirationRequired: false).
				// NOTE(review): confirm non-expiring eligibility is intended.
				authorization.RoleManagementPolicyExpirationRule{
					Id:                   "Expiration_Admin_Eligibility",
					IsExpirationRequired: false,
					MaximumDuration:      "P180D",
					RuleType:             "RoleManagementPolicyExpirationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				// Critical-level e-mail to one explicit recipient per recipient type
				// (Admin, Requestor, Approver); default recipients disabled in each.
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Admin_Admin_Eligibility",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"admin_admin_eligible@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeAdmin,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Requestor_Admin_Eligibility",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"requestor_admin_eligible@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeRequestor,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Approver_Admin_Eligibility",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"approver_admin_eligible@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeApprover,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				// EnabledRules is empty: no Justification, MFA or Ticketing when an
				// admin grants eligibility (compare Enablement_Admin_Assignment below).
				// NOTE(review): confirm this gap is intended.
				authorization.RoleManagementPolicyEnablementRule{
					EnabledRules: []authorization.EnablementRules{},
					Id:           "Enablement_Admin_Eligibility",
					RuleType:     "RoleManagementPolicyEnablementRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Eligibility",
						Operations: []string{
							"All",
						},
					},
				},
				// ---- Admin / Assignment ----
				// 90-day cap, expiry not mandatory. NOTE(review): confirm non-expiring
				// active assignments are intended.
				authorization.RoleManagementPolicyExpirationRule{
					Id:                   "Expiration_Admin_Assignment",
					IsExpirationRequired: false,
					MaximumDuration:      "P90D",
					RuleType:             "RoleManagementPolicyExpirationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// Justification and MultiFactorAuthentication required for admin
				// active assignments.
				authorization.RoleManagementPolicyEnablementRule{
					EnabledRules: []authorization.EnablementRules{
						authorization.EnablementRulesJustification,
						authorization.EnablementRulesMultiFactorAuthentication,
					},
					Id:       "Enablement_Admin_Assignment",
					RuleType: "RoleManagementPolicyEnablementRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Admin_Admin_Assignment",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"admin_admin_member@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeAdmin,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Requestor_Admin_Assignment",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"requestor_admin_member@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeRequestor,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Approver_Admin_Assignment",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"approver_admin_member@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeApprover,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// ---- EndUser / Assignment (activation) ----
				// Activation must expire (IsExpirationRequired: true), at most 7 hours.
				authorization.RoleManagementPolicyExpirationRule{
					Id:                   "Expiration_EndUser_Assignment",
					IsExpirationRequired: true,
					MaximumDuration:      "PT7H",
					RuleType:             "RoleManagementPolicyExpirationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// Activation requires Justification, MultiFactorAuthentication and Ticketing.
				authorization.RoleManagementPolicyEnablementRule{
					EnabledRules: []authorization.EnablementRules{
						authorization.EnablementRulesJustification,
						authorization.EnablementRulesMultiFactorAuthentication,
						authorization.EnablementRulesTicketing,
					},
					Id:       "Enablement_EndUser_Assignment",
					RuleType: "RoleManagementPolicyEnablementRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// Single-stage approval by either of two groups (sample GUIDs).
				// Approval is required, but not for extensions
				// (IsApprovalRequiredForExtension: false). NOTE(review): confirm.
				authorization.RoleManagementPolicyApprovalRule{
					Id:       "Approval_EndUser_Assignment",
					RuleType: "RoleManagementPolicyApprovalRule",
					Setting: authorization.ApprovalSettings{
						ApprovalMode: authorization.ApprovalModeSingleStage,
						ApprovalStages: []authorization.ApprovalStage{
							{
								// Stage timeout 1 day; escalation disabled; approvers must justify.
								ApprovalStageTimeOutInDays:      1,
								EscalationTimeInMinutes:         0,
								IsApproverJustificationRequired: true,
								IsEscalationEnabled:             false,
								PrimaryApprovers: []authorization.UserSet{
									{
										Description: "amansw_new_group",
										Id:          "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
										IsBackup:    false,
										UserType:    authorization.UserTypeGroup,
									},
									{
										Description: "amansw_group",
										Id:          "2f4913c9-d15b-406a-9946-1d66a28f2690",
										IsBackup:    false,
										UserType:    authorization.UserTypeGroup,
									},
								},
							},
						},
						IsApprovalRequired:               true,
						IsApprovalRequiredForExtension:   false,
						IsRequestorJustificationRequired: true,
					},
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// Disabled with an empty ClaimValue: no Conditional Access
				// authentication context is demanded on activation. NOTE(review):
				// confirm this is intended for this role.
				authorization.RoleManagementPolicyAuthenticationContextRule{
					ClaimValue: "",
					Id:         "AuthenticationContext_EndUser_Assignment",
					IsEnabled:  false,
					RuleType:   "RoleManagementPolicyAuthenticationContextRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Admin_EndUser_Assignment",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"admin_enduser_member@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeAdmin,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Requestor_EndUser_Assignment",
					IsDefaultRecipientsEnabled: false,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationRecipients: []string{
						"requestor_enduser_member@test.com",
					},
					NotificationType: authorization.NotificationDeliveryMechanismEmail,
					RecipientType:    authorization.RecipientTypeRequestor,
					RuleType:         "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// Unlike the other notification rules, no explicit recipients here;
				// relies on IsDefaultRecipientsEnabled: true.
				authorization.RoleManagementPolicyNotificationRule{
					Id:                         "Notification_Approver_EndUser_Assignment",
					IsDefaultRecipientsEnabled: true,
					NotificationLevel:          authorization.NotificationLevelCritical,
					NotificationType:           authorization.NotificationDeliveryMechanismEmail,
					RecipientType:              authorization.RecipientTypeApprover,
					RuleType:                   "RoleManagementPolicyNotificationRule",
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "EndUser",
						Level:  "Assignment",
						Operations: []string{
							"All",
						},
					},
				},
				// ---- PIM-only mode ----
				// Mode enabled. Each entry in Excludes (one user, one group, one
				// service principal; sample GUIDs) and in ExcludedAssignmentTypes is a
				// standing exception to the PIM-only control; keep the list minimal
				// and periodically reviewed.
				authorization.RoleManagementPolicyPimOnlyModeRule{
					Id: "PIMOnlyMode_Admin_Assignment",
					PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
						ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
							authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
						},
						Excludes: []authorization.UsersOrServicePrincipalSet{
							{
								Id:   "ec42a424-a0c0-4418-8788-d19bdeb03704",
								Type: authorization.UserTypeUser,
							},
							{
								Id:   "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
								Type: authorization.UserTypeGroup,
							},
							{
								Id:   "0000103d-1fc2-4ac8-81de-71517765655c",
								Type: authorization.UserTypeServicePrincipal,
							},
						},
						Mode: authorization.PIMOnlyModeEnabled,
					},
					RuleType: "RoleManagementPolicyPimOnlyModeRule",
					// Casing differs from the other Targets: "all" here, "All" elsewhere.
					// NOTE(review): confirm the API is case-insensitive here, or align them.
					Target: authorization.RoleManagementPolicyRuleTarget{
						Caller: "Admin",
						EnforcedSettings: []string{
							"all",
						},
						InheritableSettings: []string{
							"all",
						},
						Level: "Assignment",
						Operations: []string{
							"all",
						},
						TargetObjects: []interface{}{},
					},
				},
			},
			Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyEnablementRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyExpirationRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyNotificationRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyRuleTargetArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
/** Process entry point; delegates the stack definition to {@link #stack(Context)}. */
public static void main(String[] args) {
    Pulumi.run(ctx -> stack(ctx));
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Eligibility")
.isExpirationRequired(false)
.maximumDuration("P180D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("approver_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules()
.id("Enablement_Admin_Eligibility")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Assignment")
.isExpirationRequired(false)
.maximumDuration("P90D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules(
"Justification",
"MultiFactorAuthentication")
.id("Enablement_Admin_Assignment")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_member@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_admin_member@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("approver_admin_member@test.com")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_EndUser_Assignment")
.isExpirationRequired(true)
.maximumDuration("PT7H")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules(
"Justification",
"MultiFactorAuthentication",
"Ticketing")
.id("Enablement_EndUser_Assignment")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyApprovalRuleArgs.builder()
.id("Approval_EndUser_Assignment")
.ruleType("RoleManagementPolicyApprovalRule")
.setting(ApprovalSettingsArgs.builder()
.approvalMode("SingleStage")
.approvalStages(ApprovalStageArgs.builder()
.approvalStageTimeOutInDays(1)
.escalationTimeInMinutes(0)
.isApproverJustificationRequired(true)
.isEscalationEnabled(false)
.primaryApprovers(
UserSetArgs.builder()
.description("amansw_new_group")
.id("2385b0f3-5fa9-43cf-8ca4-b01dc97298cd")
.isBackup(false)
.userType("Group")
.build(),
UserSetArgs.builder()
.description("amansw_group")
.id("2f4913c9-d15b-406a-9946-1d66a28f2690")
.isBackup(false)
.userType("Group")
.build())
.build())
.isApprovalRequired(true)
.isApprovalRequiredForExtension(false)
.isRequestorJustificationRequired(true)
.build())
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyAuthenticationContextRuleArgs.builder()
.claimValue("")
.id("AuthenticationContext_EndUser_Assignment")
.isEnabled(false)
.ruleType("RoleManagementPolicyAuthenticationContextRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_EndUser_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_enduser_member@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_EndUser_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_enduser_member@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_EndUser_Assignment")
.isDefaultRecipientsEnabled(true)
.notificationLevel("Critical")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyPimOnlyModeRuleArgs.builder()
.id("PIMOnlyMode_Admin_Assignment")
.pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
.excludedAssignmentTypes("ServicePrincipalsAsTarget")
.excludes(
UsersOrServicePrincipalSetArgs.builder()
.id("ec42a424-a0c0-4418-8788-d19bdeb03704")
.type("User")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("00029dfb-0218-4e7a-9a85-c15dc0c880bc")
.type("Group")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("0000103d-1fc2-4ac8-81de-71517765655c")
.type("ServicePrincipal")
.build())
.mode("Enabled")
.build())
.ruleType("RoleManagementPolicyPimOnlyModeRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.enforcedSettings("all")
.inheritableSettings("all")
.level("Assignment")
.operations("all")
.targetObjects()
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
PatchRoleManagementPolicyToEnablePIMOnlyMode
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Enables PIM-only mode on an existing subscription-scope role management policy.
// The principals listed under Excludes (one user, one group, one service principal)
// and the ServicePrincipalsAsTarget assignment type are carved out of the
// restriction; every id below is a placeholder taken from the upstream API sample.
return await Deployment.RunAsync(() =>
{
    // Principals exempted from the PIM-only restriction. Keep this list minimal
    // and reviewed, since each entry bypasses the rule.
    var exemptPrincipals = new[]
    {
        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
        {
            Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
            Type = AzureNative.Authorization.UserType.User,
        },
        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
        {
            Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
            Type = AzureNative.Authorization.UserType.Group,
        },
        new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
        {
            Id = "0000103d-1fc2-4ac8-81de-71517765655c",
            Type = AzureNative.Authorization.UserType.ServicePrincipal,
        },
    };

    // The single rule being patched: PIM-only mode for Admin / Assignment.
    // Note the lowercase "all" in the target, as in the upstream sample.
    var pimOnlyRule = new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
    {
        Id = "PIMOnlyMode_Admin_Assignment",
        PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
        {
            ExcludedAssignmentTypes = new[]
            {
                AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
            },
            Excludes = exemptPrincipals,
            Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
        },
        RuleType = "RoleManagementPolicyPimOnlyModeRule",
        Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
        {
            Caller = "Admin",
            EnforcedSettings = new[] { "all" },
            InheritableSettings = new[] { "all" },
            Level = "Assignment",
            Operations = new[] { "all" },
            TargetObjects = new() { },
        },
    };

    var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
    {
        // Id of the policy being patched; the scope is a placeholder subscription.
        RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
        Rules = new object[] { pimOnlyRule },
        Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
    });
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main enables PIM-only mode on an existing subscription-scope role management
// policy. Every id below is a placeholder taken from the upstream API sample.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Principals carved out of the PIM-only restriction: one user, one group
		// and one service principal. Each entry bypasses the rule, so keep this
		// list minimal and reviewed.
		exemptPrincipals := []authorization.UsersOrServicePrincipalSet{
			{Id: "ec42a424-a0c0-4418-8788-d19bdeb03704", Type: authorization.UserTypeUser},
			{Id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc", Type: authorization.UserTypeGroup},
			{Id: "0000103d-1fc2-4ac8-81de-71517765655c", Type: authorization.UserTypeServicePrincipal},
		}

		// The single rule being patched: PIM-only mode for Admin / Assignment,
		// with service principals as assignment targets excluded as a type.
		// Note the lowercase "all" in the target, as in the upstream sample.
		pimOnlyRule := authorization.RoleManagementPolicyPimOnlyModeRule{
			Id: "PIMOnlyMode_Admin_Assignment",
			PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
				ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
					authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
				},
				Excludes: exemptPrincipals,
				Mode:     authorization.PIMOnlyModeEnabled,
			},
			RuleType: "RoleManagementPolicyPimOnlyModeRule",
			Target: authorization.RoleManagementPolicyRuleTarget{
				Caller:              "Admin",
				EnforcedSettings:    []string{"all"},
				InheritableSettings: []string{"all"},
				Level:               "Assignment",
				Operations:          []string{"all"},
				TargetObjects:       []interface{}{},
			},
		}

		// Id of the policy being patched; the scope is a placeholder subscription.
		_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
			RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
			Rules:                    pulumi.Array{pimOnlyRule},
			Scope:                    pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
		})
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import com.pulumi.azurenative.authorization.inputs.PIMOnlyModeSettingsArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyPimOnlyModeRuleArgs;
import com.pulumi.azurenative.authorization.inputs.RoleManagementPolicyRuleTargetArgs;
import com.pulumi.azurenative.authorization.inputs.UsersOrServicePrincipalSetArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
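/**
 * Enables PIM-only mode on an existing subscription-scope role management
 * policy by patching a single rule ({@code PIMOnlyMode_Admin_Assignment}).
 *
 * <p>Three principals (a user, a group and a service principal) are listed
 * under {@code excludes} and service principals as assignment targets are
 * listed under {@code excludedAssignmentTypes}; both carve-outs sit outside
 * the restriction the rule imposes, so they deserve the same review as a
 * direct role assignment. All ids, including the subscription in the scope,
 * are placeholders from the upstream API sample.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * One entry of the PIM-only {@code excludes} list.
     *
     * @param objectId the principal's object id
     * @param type     "User", "Group" or "ServicePrincipal"
     */
    private static UsersOrServicePrincipalSetArgs exempt(String objectId, String type) {
        return UsersOrServicePrincipalSetArgs.builder()
            .id(objectId)
            .type(type)
            .build();
    }

    public static void stack(Context ctx) {
        var pimOnlyRule = RoleManagementPolicyPimOnlyModeRuleArgs.builder()
            .id("PIMOnlyMode_Admin_Assignment")
            .pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
                .excludedAssignmentTypes("ServicePrincipalsAsTarget")
                // Each principal here bypasses the rule; keep the list minimal and reviewed.
                .excludes(
                    exempt("ec42a424-a0c0-4418-8788-d19bdeb03704", "User"),
                    exempt("00029dfb-0218-4e7a-9a85-c15dc0c880bc", "Group"),
                    exempt("0000103d-1fc2-4ac8-81de-71517765655c", "ServicePrincipal"))
                .mode("Enabled")
                .build())
            .ruleType("RoleManagementPolicyPimOnlyModeRule")
            // Lowercase "all" and the extra enforced/inheritable fields follow the upstream sample.
            .target(RoleManagementPolicyRuleTargetArgs.builder()
                .caller("Admin")
                .enforcedSettings("all")
                .inheritableSettings("all")
                .level("Assignment")
                .operations("all")
                .targetObjects()
                .build())
            .build();

        var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
            // Id of the policy being patched.
            .roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
            .rules(pimOnlyRule)
            // Placeholder subscription id; replace with the target subscription.
            .scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
            .build());
    }
}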
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:authorization:RoleManagementPolicy 570c3619-7688-4b34-b290-2b8bb3ccab2a /{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyName}
Content copied to clipboard