Role
Manage a role policy for an Azure Management Group, Subscription, Resource Group or resource.
Example Usage
Resource Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
const example = new azure.core.ResourceGroup("example", {
name: "example-rg",
location: "East US",
});
const rgContributor = azure.authorization.getRoleDefinitionOutput({
name: "Contributor",
scope: example.id,
});
const approvers = azuread.getGroup({
displayName: "Example Approver Group",
});
const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
scope: test.id,
roleDefinitionId: contributor.id,
activeAssignmentRules: {
expireAfter: "P365D",
},
eligibleAssignmentRules: {
expirationRequired: false,
},
activationRules: {
maximumDuration: "PT1H",
requireApproval: true,
approvalStage: {
primaryApprovers: [{
objectId: approvers.then(approvers => approvers.objectId),
type: "Group",
}],
},
},
notificationRules: {
eligibleAssignments: {
approverNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: ["someone@example.com"],
},
},
eligibleActivations: {
assigneeNotifications: {
notificationLevel: "All",
defaultRecipients: true,
additionalRecipients: ["someone.else@example.com"],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
import pulumi_azuread as azuread
example = azure.core.ResourceGroup("example",
name="example-rg",
location="East US")
rg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
scope=example.id)
approvers = azuread.get_group(display_name="Example Approver Group")
example_role_management_policy = azure.pim.RoleManagementPolicy("example",
scope=test["id"],
role_definition_id=contributor["id"],
active_assignment_rules={
"expire_after": "P365D",
},
eligible_assignment_rules={
"expiration_required": False,
},
activation_rules={
"maximum_duration": "PT1H",
"require_approval": True,
"approval_stage": {
"primary_approvers": [{
"object_id": approvers.object_id,
"type": "Group",
}],
},
},
notification_rules={
"eligible_assignments": {
"approver_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": ["someone@example.com"],
},
},
"eligible_activations": {
"assignee_notifications": {
"notification_level": "All",
"default_recipients": True,
"additional_recipients": ["someone.else@example.com"],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-rg",
Location = "East US",
});
var rgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Contributor",
Scope = example.Id,
});
var approvers = AzureAD.GetGroup.Invoke(new()
{
DisplayName = "Example Approver Group",
});
var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
{
Scope = test.Id,
RoleDefinitionId = contributor.Id,
ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P365D",
},
EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
{
MaximumDuration = "PT1H",
RequireApproval = true,
ApprovalStage = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStageArgs
{
PrimaryApprovers = new[]
{
new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
{
ObjectId = approvers.Apply(getGroupResult => getGroupResult.ObjectId),
Type = "Group",
},
},
},
},
NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
{
EligibleAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
{
ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
},
},
},
EligibleActivations = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs
{
AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
{
NotificationLevel = "All",
DefaultRecipients = true,
AdditionalRecipients = new[]
{
"someone.else@example.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-rg"),
Location: pulumi.String("East US"),
})
if err != nil {
return err
}
_ = authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
Name: pulumi.String("Contributor"),
Scope: example.ID(),
}, nil)
approvers, err := azuread.LookupGroup(ctx, &azuread.LookupGroupArgs{
DisplayName: pulumi.StringRef("Example Approver Group"),
}, nil)
if err != nil {
return err
}
_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
Scope: pulumi.Any(test.Id),
RoleDefinitionId: pulumi.Any(contributor.Id),
ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P365D"),
},
EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
MaximumDuration: pulumi.String("PT1H"),
RequireApproval: pulumi.Bool(true),
ApprovalStage: &pim.RoleManagementPolicyActivationRulesApprovalStageArgs{
PrimaryApprovers: pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
&pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
ObjectId: pulumi.String(approvers.ObjectId),
Type: pulumi.String("Group"),
},
},
},
},
NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
EligibleAssignments: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
},
},
},
EligibleActivations: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsArgs{
AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
NotificationLevel: pulumi.String("All"),
DefaultRecipients: pulumi.Bool(true),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone.else@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesApprovalStageArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-rg")
.location("East US")
.build());
final var rgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
final var approvers = AzureadFunctions.getGroup(GetGroupArgs.builder()
.displayName("Example Approver Group")
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(test.id())
.roleDefinitionId(contributor.id())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P365D")
.build())
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.approvalStage(RoleManagementPolicyActivationRulesApprovalStageArgs.builder()
.primaryApprovers(RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
.objectId(approvers.applyValue(getGroupResult -> getGroupResult.objectId()))
.type("Group")
.build())
.build())
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.eligibleAssignments(RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
.approverNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.eligibleActivations(RoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
.assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
.notificationLevel("All")
.defaultRecipients(true)
.additionalRecipients("someone.else@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-rg
location: East US
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${test.id}
roleDefinitionId: ${contributor.id}
activeAssignmentRules:
expireAfter: P365D
eligibleAssignmentRules:
expirationRequired: false
activationRules:
maximumDuration: PT1H
requireApproval: true
approvalStage:
primaryApprovers:
- objectId: ${approvers.objectId}
type: Group
notificationRules:
eligibleAssignments:
approverNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
eligibleActivations:
assigneeNotifications:
notificationLevel: All
defaultRecipients: true
additionalRecipients:
- someone.else@example.com
variables:
rgContributor:
fn::invoke:
function: azure:authorization:getRoleDefinition
arguments:
name: Contributor
scope: ${example.id}
approvers:
fn::invoke:
function: azuread:getGroup
arguments:
displayName: Example Approver GroupContent copied to clipboard
Management Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.management.Group("example", {name: "example-group"});
const mgContributor = azure.authorization.getRoleDefinitionOutput({
name: "Contributor",
scope: example.id,
});
const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
scope: example.id,
roleDefinitionId: mgContributor.apply(mgContributor => mgContributor.id),
eligibleAssignmentRules: {
expirationRequired: false,
},
activeAssignmentRules: {
expireAfter: "P90D",
},
activationRules: {
maximumDuration: "PT1H",
requireApproval: true,
},
notificationRules: {
activeAssignments: {
adminNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: ["someone@example.com"],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
example = azure.management.Group("example", name="example-group")
mg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
scope=example.id)
example_role_management_policy = azure.pim.RoleManagementPolicy("example",
scope=example.id,
role_definition_id=mg_contributor.id,
eligible_assignment_rules={
"expiration_required": False,
},
active_assignment_rules={
"expire_after": "P90D",
},
activation_rules={
"maximum_duration": "PT1H",
"require_approval": True,
},
notification_rules={
"active_assignments": {
"admin_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": ["someone@example.com"],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Management.Group("example", new()
{
Name = "example-group",
});
var mgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Contributor",
Scope = example.Id,
});
var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
{
Scope = example.Id,
RoleDefinitionId = mgContributor.Apply(getRoleDefinitionResult => getRoleDefinitionResult.Id),
EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P90D",
},
ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
{
MaximumDuration = "PT1H",
RequireApproval = true,
},
NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
{
ActiveAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs
{
AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
Name: pulumi.String("example-group"),
})
if err != nil {
return err
}
mgContributor := authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
Name: pulumi.String("Contributor"),
Scope: example.ID(),
}, nil)
_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
Scope: example.ID(),
RoleDefinitionId: pulumi.String(mgContributor.ApplyT(func(mgContributor authorization.GetRoleDefinitionResult) (*string, error) {
return &mgContributor.Id, nil
}).(pulumi.StringPtrOutput)),
EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P90D"),
},
ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
MaximumDuration: pulumi.String("PT1H"),
RequireApproval: pulumi.Bool(true),
},
NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
ActiveAssignments: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
AdminNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.management.Group;
import com.pulumi.azure.management.GroupArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azure.pim.RoleManagementPolicy;
import com.pulumi.azure.pim.RoleManagementPolicyArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs;
import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Group("example", GroupArgs.builder()
.name("example-group")
.build());
final var mgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Contributor")
.scope(example.id())
.build());
var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
.scope(example.id())
.roleDefinitionId(mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult).applyValue(mgContributor -> mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.id())))
.eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P90D")
.build())
.activationRules(RoleManagementPolicyActivationRulesArgs.builder()
.maximumDuration("PT1H")
.requireApproval(true)
.build())
.notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
.activeAssignments(RoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
.adminNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients("someone@example.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:management:Group
properties:
name: example-group
exampleRoleManagementPolicy:
type: azure:pim:RoleManagementPolicy
name: example
properties:
scope: ${example.id}
roleDefinitionId: ${mgContributor.id}
eligibleAssignmentRules:
expirationRequired: false
activeAssignmentRules:
expireAfter: P90D
activationRules:
maximumDuration: PT1H
requireApproval: true
notificationRules:
activeAssignments:
adminNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
variables:
mgContributor:
fn::invoke:
function: azure:authorization:getRoleDefinition
arguments:
name: Contributor
scope: ${example.id}Content copied to clipboard
Import
Because these policies are created automatically by Azure, they will auto-import on first use. They can be imported using the resource id of the role definition, combined with the scope id, e.g.
$ pulumi import azure:pim/roleManagementPolicy:RoleManagementPolicy example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|<scope>"Content copied to clipboard
Properties
Link copied to clipboard
An activation_rules block as defined below.
Link copied to clipboard
An active_assignment_rules block as defined below.
Link copied to clipboard
(String) The description of this policy.
Link copied to clipboard
An eligible_assignment_rules block as defined below.
Link copied to clipboard
A notification_rules block as defined below.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.