Role
data class RoleManagementPolicyArgs(val activationRules: Output<RoleManagementPolicyActivationRulesArgs>? = null, val activeAssignmentRules: Output<RoleManagementPolicyActiveAssignmentRulesArgs>? = null, val eligibleAssignmentRules: Output<RoleManagementPolicyEligibleAssignmentRulesArgs>? = null, val notificationRules: Output<RoleManagementPolicyNotificationRulesArgs>? = null, val roleDefinitionId: Output<String>? = null, val scope: Output<String>? = null) : ConvertibleToJava<RoleManagementPolicyArgs>
Manage a role policy for an Azure Management Group, Subscription, Resource Group or resource.
Example Usage
Resource Group
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesApprovalStageArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-rg")
.location("East US")
.build());
final var rgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
final var approvers = AzureadFunctions.getGroup(GetGroupArgs.builder()
.name("Example Approver Group")
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(test.id())
.roleDefinitionId(contributor.id())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P365D")
.build())
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.approvalStage(RoleManagementPolicyActivationRulesApprovalStageArgs.builder()
.primaryApprovers(RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
.objectId(approvers.applyValue(getGroupResult -> getGroupResult.objectId()))
.type("Group")
.build())
.build())
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.eligibleAssignments(RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
.approverNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.eligibleActivations(RoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
.assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
.notificationLevel("All")
.defaultRecipients(true)
.additionalRecipients("someone.else@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-rg
location: East US
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${test.id}
roleDefinitionId: ${contributor.id}
activeAssignmentRules:
expireAfter: P365D
eligibleAssignmentRules:
expirationRequired: false
activationRules:
maximumDuration: PT1H
requireApproval: true
approvalStage:
primaryApprovers:
- objectId: ${approvers.objectId}
type: Group
notificationRules:
eligibleAssignments:
approverNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
eligibleActivations:
assigneeNotifications:
notificationLevel: All
defaultRecipients: true
additionalRecipients:
- someone.else@example.com
variables:
rgContributor:
fn::invoke:
Function: azure:authorization:getRoleDefinition
Arguments:
name: Contributor
scope: ${example.id}
approvers:
fn::invoke:
Function: azuread:getGroup
Arguments:
name: Example Approver GroupContent copied to clipboard
Management Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.management.Group("example", {name: "example-group"});
const mgContributor = azure.authorization.getRoleDefinitionOutput({
name: "Contributor",
scope: example.id,
});
const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
scope: example.id,
roleDefinitionId: mgContributor.apply(mgContributor => mgContributor.id),
eligibleAssignmentRules: {
expirationRequired: false,
},
activeAssignmentRules: {
expireAfter: "P90D",
},
activationRules: {
maximumDuration: "PT1H",
requireApproval: true,
},
notificationRules: {
activeAssignments: {
adminNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: ["someone@example.com"],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
example = azure.management.Group("example", name="example-group")
mg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
scope=example.id)
example_role_management_policy = azure.pim.RoleManagementPolicy("example",
scope=example.id,
role_definition_id=mg_contributor.id,
eligible_assignment_rules={
"expiration_required": False,
},
active_assignment_rules={
"expire_after": "P90D",
},
activation_rules={
"maximum_duration": "PT1H",
"require_approval": True,
},
notification_rules={
"active_assignments": {
"admin_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": ["someone@example.com"],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Management.Group("example", new()
{
Name = "example-group",
});
var mgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Contributor",
Scope = example.Id,
});
var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
{
Scope = example.Id,
RoleDefinitionId = mgContributor.Apply(getRoleDefinitionResult => getRoleDefinitionResult.Id),
EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P90D",
},
ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
{
MaximumDuration = "PT1H",
RequireApproval = true,
},
NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
{
ActiveAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs
{
AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/management"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/pim"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
Name: pulumi.String("example-group"),
})
if err != nil {
return err
}
mgContributor := authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
Name: pulumi.String("Contributor"),
Scope: example.ID(),
}, nil)
_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
Scope: example.ID(),
RoleDefinitionId: pulumi.String(mgContributor.ApplyT(func(mgContributor authorization.GetRoleDefinitionResult) (*string, error) {
return &mgContributor.Id, nil
}).(pulumi.StringPtrOutput)),
EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P90D"),
},
ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
MaximumDuration: pulumi.String("PT1H"),
RequireApproval: pulumi.Bool(true),
},
NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
ActiveAssignments: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
AdminNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.management.Group;
import com.pulumi.azure.management.GroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Group("example", GroupArgs.builder()
.name("example-group")
.build());
final var mgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(example.id())
.roleDefinitionId(mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult).applyValue(mgContributor -> mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.id())))
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P90D")
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.activeAssignments(RoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
.adminNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:management:Group
properties:
name: example-group
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${example.id}
roleDefinitionId: ${mgContributor.id}
eligibleAssignmentRules:
expirationRequired: false
activeAssignmentRules:
expireAfter: P90D
activationRules:
maximumDuration: PT1H
requireApproval: true
notificationRules:
activeAssignments:
adminNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
variables:
mgContributor:
fn::invoke:
Function: azure:authorization:getRoleDefinition
Arguments:
name: Contributor
scope: ${example.id}Content copied to clipboard
Import
Because these policies are created automatically by Azure, they will auto-import on first use. They can be imported using the resource id of the role definition, combined with the scope id, e.g.
$ pulumi import azure:pim/roleManagementPolicy:RoleManagementPolicy example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|<scope>"Content copied to clipboard
Constructors
Link copied to clipboard
constructor(activationRules: Output<RoleManagementPolicyActivationRulesArgs>? = null, activeAssignmentRules: Output<RoleManagementPolicyActiveAssignmentRulesArgs>? = null, eligibleAssignmentRules: Output<RoleManagementPolicyEligibleAssignmentRulesArgs>? = null, notificationRules: Output<RoleManagementPolicyNotificationRulesArgs>? = null, roleDefinitionId: Output<String>? = null, scope: Output<String>? = null)
Properties
Link copied to clipboard
An activation_rules block as defined below.
Link copied to clipboard
An active_assignment_rules block as defined below.
Link copied to clipboard
An eligible_assignment_rules block as defined below.
Link copied to clipboard
A notification_rules block as defined below.
Link copied to clipboard
The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.