Role Definition Args
Manages a custom Role Definition, used to assign Roles to Users/Principals. See 'Understand role definitions' in the Azure documentation for more details.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Look up the subscription; no subscription ID is passed to the lookup.
const primary = azure.core.getSubscription({});
// The subscription's resource ID is used both as the definition scope and as
// the only assignable scope.
const subscriptionId = primary.then(subscription => subscription.id);

const example = new azure.authorization.RoleDefinition("example", {
    name: "my-custom-role",
    scope: subscriptionId,
    description: "This is a custom role created",
    permissions: [{
        // NOTE(review): "*" with an empty notActions list matches every
        // control-plane operation, including Microsoft.Authorization
        // role-assignment writes, so a holder can grant any role at the
        // assignable scope. Outside of a demo, list only the operations the
        // role needs and exclude Microsoft.Authorization/* unless required.
        actions: ["*"],
        notActions: [],
    }],
    // Assignable at the whole subscription; prefer a resource group or a
    // single resource when the role is only needed there.
    assignableScopes: [subscriptionId],
});
import pulumi
import pulumi_azure as azure
# Look up the subscription; no subscription ID is passed to the lookup.
primary = azure.core.get_subscription()
# The subscription's resource ID is used both as the definition scope and as
# the only assignable scope.
subscription_id = primary.id

# NOTE(review): "*" with an empty not_actions list matches every control-plane
# operation, including Microsoft.Authorization role-assignment writes, so a
# holder can grant any role at the assignable scope. Outside of a demo, list
# only the operations the role needs and exclude Microsoft.Authorization/*
# unless required.
wildcard_permissions = {
    "actions": ["*"],
    "not_actions": [],
}

example = azure.authorization.RoleDefinition(
    "example",
    name="my-custom-role",
    scope=subscription_id,
    description="This is a custom role created",
    permissions=[wildcard_permissions],
    # Assignable at the whole subscription; prefer a resource group or a
    # single resource when the role is only needed there.
    assignable_scopes=[subscription_id],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Look up the subscription; no arguments are passed to the lookup.
    var primary = Azure.Core.GetSubscription.Invoke();
    // The subscription's resource ID is used both as the definition scope and
    // as the only assignable scope.
    var subscriptionId = primary.Apply(subscription => subscription.Id);

    // NOTE(review): "*" with an empty NotActions list matches every
    // control-plane operation, including Microsoft.Authorization
    // role-assignment writes, so a holder can grant any role at the
    // assignable scope. Outside of a demo, list only the operations the role
    // needs and exclude Microsoft.Authorization/* unless required.
    var wildcardPermission = new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
    {
        Actions = new[] { "*" },
        NotActions = new() { },
    };

    var example = new Azure.Authorization.RoleDefinition("example", new()
    {
        Name = "my-custom-role",
        Scope = subscriptionId,
        Description = "This is a custom role created",
        Permissions = new[] { wildcardPermission },
        // Assignable at the whole subscription; prefer a resource group or a
        // single resource when the role is only needed there.
        AssignableScopes = new[] { subscriptionId },
    });
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that looks up a subscription and declares one
// custom role definition scoped to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Look up the subscription; nil arguments are passed to the lookup.
		subscription, err := core.LookupSubscription(ctx, nil, nil)
		if err != nil {
			return err
		}
		// The subscription's resource ID is used both as the definition scope
		// and as the only assignable scope.
		subscriptionID := pulumi.String(subscription.Id)

		// NOTE(review): "*" with an empty NotActions list matches every
		// control-plane operation, including Microsoft.Authorization
		// role-assignment writes, so a holder can grant any role at the
		// assignable scope. Outside of a demo, list only the operations the
		// role needs and exclude Microsoft.Authorization/* unless required.
		wildcardPermission := &authorization.RoleDefinitionPermissionArgs{
			Actions:    pulumi.StringArray{pulumi.String("*")},
			NotActions: pulumi.StringArray{},
		}

		_, err = authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
			Name:        pulumi.String("my-custom-role"),
			Scope:       subscriptionID,
			Description: pulumi.String("This is a custom role created"),
			Permissions: authorization.RoleDefinitionPermissionArray{wildcardPermission},
			// Assignable at the whole subscription; prefer a resource group
			// or a single resource when the role is only needed there.
			AssignableScopes: pulumi.StringArray{subscriptionID},
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares one custom Azure role definition. */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Looks up a subscription and declares a custom role definition whose
     * scope and single assignable scope are that subscription's ID.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Look up the subscription; no arguments are passed to the lookup.
        final var primary = CoreFunctions.getSubscription();

        // NOTE(review): "*" with no notActions matches every control-plane
        // operation, including Microsoft.Authorization role-assignment
        // writes, so a holder can grant any role at the assignable scope.
        // Outside of a demo, list only the operations the role needs and
        // exclude Microsoft.Authorization/* unless required.
        final var wildcardPermission = RoleDefinitionPermissionArgs.builder()
            .actions("*")
            .notActions()
            .build();

        var example = new RoleDefinition("example", RoleDefinitionArgs.builder()
            .name("my-custom-role")
            .scope(primary.applyValue(subscription -> subscription.id()))
            .description("This is a custom role created")
            .permissions(wildcardPermission)
            // Assignable at the whole subscription; prefer a resource group
            // or a single resource when the role is only needed there.
            .assignableScopes(primary.applyValue(subscription -> subscription.id()))
            .build());
    }
}
resources:
  example:
    type: azure:authorization:RoleDefinition
    properties:
      name: my-custom-role
      # The looked-up subscription ID is both the definition scope and the
      # only assignable scope.
      scope: ${primary.id}
      description: This is a custom role created
      permissions:
        # NOTE(review): "*" with an empty notActions list matches every
        # control-plane operation, including Microsoft.Authorization
        # role-assignment writes, so a holder can grant any role at the
        # assignable scope. Outside of a demo, list only the operations the
        # role needs and exclude Microsoft.Authorization/* unless required.
        - actions:
            - "*"
          notActions: []
      # Assignable at the whole subscription; prefer a resource group or a
      # single resource when the role is only needed there.
      assignableScopes:
        - ${primary.id}
variables:
  # Subscription lookup; no arguments are passed to the function.
  primary:
    fn::invoke:
      Function: azure:core:getSubscription
      Arguments: {}
Import
Role Definitions can be imported using the resource id, e.g.
$ pulumi import azure:authorization/roleDefinition:RoleDefinition example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|/subscriptions/00000000-0000-0000-0000-000000000000"
Properties
One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
A description of the Role Definition.
A permissions block as defined below.
A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.