Role
data class RoleManagementPolicyArgs(val activationRules: Output<RoleManagementPolicyActivationRulesArgs>? = null, val activeAssignmentRules: Output<RoleManagementPolicyActiveAssignmentRulesArgs>? = null, val eligibleAssignmentRules: Output<RoleManagementPolicyEligibleAssignmentRulesArgs>? = null, val notificationRules: Output<RoleManagementPolicyNotificationRulesArgs>? = null, val roleDefinitionId: Output<String>? = null, val scope: Output<String>? = null) : ConvertibleToJava<RoleManagementPolicyArgs>
Manage a role policy for an Azure Management Group, Subscription, Resource Group or resource.
Example Usage
Resource Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
const example = new azure.core.ResourceGroup("example", {
name: "example-rg",
location: "East US",
});
const rgContributor = azure.authorization.getRoleDefinitionOutput({
name: "Contributor",
scope: example.id,
});
const approvers = azuread.getGroup({
displayName: "Example Approver Group",
});
const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
scope: test.id,
roleDefinitionId: contributor.id,
activeAssignmentRules: {
expireAfter: "P365D",
},
eligibleAssignmentRules: {
expirationRequired: false,
},
activationRules: {
maximumDuration: "PT1H",
requireApproval: true,
approvalStage: {
primaryApprovers: [{
objectId: approvers.then(approvers => approvers.objectId),
type: "Group",
}],
},
},
notificationRules: {
eligibleAssignments: {
approverNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: ["someone@example.com"],
},
},
eligibleActivations: {
assigneeNotifications: {
notificationLevel: "All",
defaultRecipients: true,
additionalRecipients: ["someone.else@example.com"],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
import pulumi_azuread as azuread
example = azure.core.ResourceGroup("example",
name="example-rg",
location="East US")
rg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
scope=example.id)
approvers = azuread.get_group(display_name="Example Approver Group")
example_role_management_policy = azure.pim.RoleManagementPolicy("example",
scope=test["id"],
role_definition_id=contributor["id"],
active_assignment_rules={
"expire_after": "P365D",
},
eligible_assignment_rules={
"expiration_required": False,
},
activation_rules={
"maximum_duration": "PT1H",
"require_approval": True,
"approval_stage": {
"primary_approvers": [{
"object_id": approvers.object_id,
"type": "Group",
}],
},
},
notification_rules={
"eligible_assignments": {
"approver_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": ["someone@example.com"],
},
},
"eligible_activations": {
"assignee_notifications": {
"notification_level": "All",
"default_recipients": True,
"additional_recipients": ["someone.else@example.com"],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-rg",
Location = "East US",
});
var rgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Contributor",
Scope = example.Id,
});
var approvers = AzureAD.GetGroup.Invoke(new()
{
DisplayName = "Example Approver Group",
});
var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
{
Scope = test.Id,
RoleDefinitionId = contributor.Id,
ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P365D",
},
EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
{
MaximumDuration = "PT1H",
RequireApproval = true,
ApprovalStage = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStageArgs
{
PrimaryApprovers = new[]
{
new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
{
ObjectId = approvers.Apply(getGroupResult => getGroupResult.ObjectId),
Type = "Group",
},
},
},
},
NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
{
EligibleAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
{
ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
},
},
},
EligibleActivations = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs
{
AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
{
NotificationLevel = "All",
DefaultRecipients = true,
AdditionalRecipients = new[]
{
"someone.else@example.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-rg"),
Location: pulumi.String("East US"),
})
if err != nil {
return err
}
_ = authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
Name: pulumi.String("Contributor"),
Scope: example.ID(),
}, nil)
approvers, err := azuread.LookupGroup(ctx, &azuread.LookupGroupArgs{
DisplayName: pulumi.StringRef("Example Approver Group"),
}, nil)
if err != nil {
return err
}
_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
Scope: pulumi.Any(test.Id),
RoleDefinitionId: pulumi.Any(contributor.Id),
ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P365D"),
},
EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
MaximumDuration: pulumi.String("PT1H"),
RequireApproval: pulumi.Bool(true),
ApprovalStage: &pim.RoleManagementPolicyActivationRulesApprovalStageArgs{
PrimaryApprovers: pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
&pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
ObjectId: pulumi.String(approvers.ObjectId),
Type: pulumi.String("Group"),
},
},
},
},
NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
EligibleAssignments: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
},
},
},
EligibleActivations: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsArgs{
AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
NotificationLevel: pulumi.String("All"),
DefaultRecipients: pulumi.Bool(true),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone.else@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesApprovalStageArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-rg")
.location("East US")
.build());
final var rgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
final var approvers = AzureadFunctions.getGroup(GetGroupArgs.builder()
.displayName("Example Approver Group")
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(test.id())
.roleDefinitionId(contributor.id())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P365D")
.build())
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.approvalStage(RoleManagementPolicyActivationRulesApprovalStageArgs.builder()
.primaryApprovers(RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
.objectId(approvers.applyValue(getGroupResult -> getGroupResult.objectId()))
.type("Group")
.build())
.build())
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.eligibleAssignments(RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
.approverNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.eligibleActivations(RoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
.assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
.notificationLevel("All")
.defaultRecipients(true)
.additionalRecipients("someone.else@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-rg
location: East US
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${test.id}
roleDefinitionId: ${contributor.id}
activeAssignmentRules:
expireAfter: P365D
eligibleAssignmentRules:
expirationRequired: false
activationRules:
maximumDuration: PT1H
requireApproval: true
approvalStage:
primaryApprovers:
- objectId: ${approvers.objectId}
type: Group
notificationRules:
eligibleAssignments:
approverNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
eligibleActivations:
assigneeNotifications:
notificationLevel: All
defaultRecipients: true
additionalRecipients:
- someone.else@example.com
variables:
rgContributor:
fn::invoke:
function: azure:authorization:getRoleDefinition
arguments:
name: Contributor
scope: ${example.id}
approvers:
fn::invoke:
function: azuread:getGroup
arguments:
displayName: Example Approver GroupContent copied to clipboard
Management Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.management.Group("example", {name: "example-group"});
const mgContributor = azure.authorization.getRoleDefinitionOutput({
name: "Contributor",
scope: example.id,
});
const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
scope: example.id,
roleDefinitionId: mgContributor.apply(mgContributor => mgContributor.id),
eligibleAssignmentRules: {
expirationRequired: false,
},
activeAssignmentRules: {
expireAfter: "P90D",
},
activationRules: {
maximumDuration: "PT1H",
requireApproval: true,
},
notificationRules: {
activeAssignments: {
adminNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: ["someone@example.com"],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
example = azure.management.Group("example", name="example-group")
mg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
scope=example.id)
example_role_management_policy = azure.pim.RoleManagementPolicy("example",
scope=example.id,
role_definition_id=mg_contributor.id,
eligible_assignment_rules={
"expiration_required": False,
},
active_assignment_rules={
"expire_after": "P90D",
},
activation_rules={
"maximum_duration": "PT1H",
"require_approval": True,
},
notification_rules={
"active_assignments": {
"admin_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": ["someone@example.com"],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Management.Group("example", new()
{
Name = "example-group",
});
var mgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Contributor",
Scope = example.Id,
});
var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
{
Scope = example.Id,
RoleDefinitionId = mgContributor.Apply(getRoleDefinitionResult => getRoleDefinitionResult.Id),
EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P90D",
},
ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
{
MaximumDuration = "PT1H",
RequireApproval = true,
},
NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
{
ActiveAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs
{
AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
Name: pulumi.String("example-group"),
})
if err != nil {
return err
}
mgContributor := authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
Name: pulumi.String("Contributor"),
Scope: example.ID(),
}, nil)
_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
Scope: example.ID(),
RoleDefinitionId: pulumi.String(mgContributor.ApplyT(func(mgContributor authorization.GetRoleDefinitionResult) (*string, error) {
return &mgContributor.Id, nil
}).(pulumi.StringPtrOutput)),
EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P90D"),
},
ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
MaximumDuration: pulumi.String("PT1H"),
RequireApproval: pulumi.Bool(true),
},
NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
ActiveAssignments: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
AdminNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.management.Group;
import com.pulumi.azure.management.GroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Group("example", GroupArgs.builder()
.name("example-group")
.build());
final var mgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(example.id())
.roleDefinitionId(mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult).applyValue(mgContributor -> mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.id())))
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P90D")
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.activeAssignments(RoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
.adminNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:management:Group
properties:
name: example-group
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${example.id}
roleDefinitionId: ${mgContributor.id}
eligibleAssignmentRules:
expirationRequired: false
activeAssignmentRules:
expireAfter: P90D
activationRules:
maximumDuration: PT1H
requireApproval: true
notificationRules:
activeAssignments:
adminNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
variables:
mgContributor:
fn::invoke:
function: azure:authorization:getRoleDefinition
arguments:
name: Contributor
scope: ${example.id}Content copied to clipboard
Import
Because these policies are created automatically by Azure, they will auto-import on first use. They can be imported using the resource id of the role definition, combined with the scope id, e.g.
$ pulumi import azure:pim/roleManagementPolicy:RoleManagementPolicy example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|<scope>"Content copied to clipboard
Constructors
Link copied to clipboard
constructor(activationRules: Output<RoleManagementPolicyActivationRulesArgs>? = null, activeAssignmentRules: Output<RoleManagementPolicyActiveAssignmentRulesArgs>? = null, eligibleAssignmentRules: Output<RoleManagementPolicyEligibleAssignmentRulesArgs>? = null, notificationRules: Output<RoleManagementPolicyNotificationRulesArgs>? = null, roleDefinitionId: Output<String>? = null, scope: Output<String>? = null)
Properties
Link copied to clipboard
An activation_rules block as defined below.
Link copied to clipboard
An active_assignment_rules block as defined below.
Link copied to clipboard
An eligible_assignment_rules block as defined below.
Link copied to clipboard
A notification_rules block as defined below.
Link copied to clipboard
The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.