Docs Home
Astra DB v1.0.42 published on Tuesday, Jun 6, 2023 by pulumiverse
astra.Role
Explore with Pulumi AI
astra.Role resource represents custom roles for a particular Astra Org. Custom roles can be assigned to an Astra user is to grant them granular permissions when the default roles in the UI are not specific enough. Roles are composed of policies which are granted to resources.
Example Usage
using System.Collections.Generic;
using Pulumi;
using Astra = Pulumiverse.Astra;
return await Deployment.RunAsync(() =>
{
// Example role that grants policy permissions to ALL Astra DBs in an organization
var alldbsrole = new Astra.Role("alldbsrole", new()
{
RoleName = "alldbsrole",
Description = "Role that applies to all DBs in an org",
Effect = "allow",
Resources = new[]
{
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*",
},
Policies = new[]
{
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
},
});
// Example resources for a more restricted role
// A Terraform managed Astra DB resource
var exampledb = new Astra.Database("exampledb", new()
{
Keyspace = "primaryks",
CloudProvider = "gcp",
Regions = new[]
{
"us-east1",
},
});
// Example application keyspaces
var appks1 = new Astra.Keyspace("appks1", new()
{
DatabaseId = exampledb.Id,
});
var appks2 = new Astra.Keyspace("appks2", new()
{
DatabaseId = exampledb.Id,
});
var appks3 = new Astra.Keyspace("appks3", new()
{
DatabaseId = exampledb.Id,
});
// Example role that grants policy permissions to specific keyspaces within a single Astra DB
var singledbrole = new Astra.Role("singledbrole", new()
{
RoleName = "singledbrole",
Description = "Role that applies to specific keyspaces for a single Astra DB",
Effect = "allow",
Resources = new[]
{
Output.Tuple(exampledb.Id, exampledb.Keyspace).Apply(values =>
{
var id = values.Item1;
var keyspace = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{keyspace}";
}),
Output.Tuple(exampledb.Id, exampledb.Keyspace).Apply(values =>
{
var id = values.Item1;
var keyspace = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{keyspace}:table:*";
}),
Output.Tuple(exampledb.Id, appks1.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}";
}),
Output.Tuple(exampledb.Id, appks1.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*";
}),
Output.Tuple(exampledb.Id, appks2.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}";
}),
Output.Tuple(exampledb.Id, appks2.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*";
}),
Output.Tuple(exampledb.Id, appks3.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}";
}),
Output.Tuple(exampledb.Id, appks3.Name).Apply(values =>
{
var id = values.Item1;
var name = values.Item2;
return $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*";
}),
exampledb.Id.Apply(id => $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:futureks"),
exampledb.Id.Apply(id => $"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:futureks:table:*"),
},
Policies = new[]
{
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
},
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-astra/sdk/go/astra"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := astra.NewRole(ctx, "alldbsrole", &astra.RoleArgs{
RoleName: pulumi.String("alldbsrole"),
Description: pulumi.String("Role that applies to all DBs in an org"),
Effect: pulumi.String("allow"),
Resources: pulumi.StringArray{
pulumi.String("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*"),
pulumi.String("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*"),
pulumi.String("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*"),
},
Policies: pulumi.StringArray{
pulumi.String("org-db-view"),
pulumi.String("db-cql"),
pulumi.String("db-table-alter"),
pulumi.String("db-table-create"),
pulumi.String("db-table-describe"),
pulumi.String("db-table-modify"),
pulumi.String("db-table-select"),
pulumi.String("db-keyspace-alter"),
pulumi.String("db-keyspace-describe"),
pulumi.String("db-keyspace-modify"),
pulumi.String("db-keyspace-authorize"),
pulumi.String("db-keyspace-drop"),
pulumi.String("db-keyspace-create"),
pulumi.String("db-keyspace-grant"),
},
})
if err != nil {
return err
}
exampledb, err := astra.NewDatabase(ctx, "exampledb", &astra.DatabaseArgs{
Keyspace: pulumi.String("primaryks"),
CloudProvider: pulumi.String("gcp"),
Regions: pulumi.StringArray{
pulumi.String("us-east1"),
},
})
if err != nil {
return err
}
appks1, err := astra.NewKeyspace(ctx, "appks1", &astra.KeyspaceArgs{
DatabaseId: exampledb.ID(),
})
if err != nil {
return err
}
appks2, err := astra.NewKeyspace(ctx, "appks2", &astra.KeyspaceArgs{
DatabaseId: exampledb.ID(),
})
if err != nil {
return err
}
appks3, err := astra.NewKeyspace(ctx, "appks3", &astra.KeyspaceArgs{
DatabaseId: exampledb.ID(),
})
if err != nil {
return err
}
_, err = astra.NewRole(ctx, "singledbrole", &astra.RoleArgs{
RoleName: pulumi.String("singledbrole"),
Description: pulumi.String("Role that applies to specific keyspaces for a single Astra DB"),
Effect: pulumi.String("allow"),
Resources: pulumi.StringArray{
pulumi.All(exampledb.ID(), exampledb.Keyspace).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
keyspace := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v", id, keyspace), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), exampledb.Keyspace).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
keyspace := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v:table:*", id, keyspace), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks1.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v", id, name), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks1.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v:table:*", id, name), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks2.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v", id, name), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks2.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v:table:*", id, name), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks3.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v", id, name), nil
}).(pulumi.StringOutput),
pulumi.All(exampledb.ID(), appks3.Name).ApplyT(func(_args []interface{}) (string, error) {
id := _args[0].(string)
name := _args[1].(string)
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:%v:table:*", id, name), nil
}).(pulumi.StringOutput),
exampledb.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:futureks", id), nil
}).(pulumi.StringOutput),
exampledb.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%v:keyspace:futureks:table:*", id), nil
}).(pulumi.StringOutput),
},
Policies: pulumi.StringArray{
pulumi.String("org-db-view"),
pulumi.String("db-cql"),
pulumi.String("db-table-alter"),
pulumi.String("db-table-create"),
pulumi.String("db-table-describe"),
pulumi.String("db-table-modify"),
pulumi.String("db-table-select"),
pulumi.String("db-keyspace-alter"),
pulumi.String("db-keyspace-describe"),
pulumi.String("db-keyspace-modify"),
pulumi.String("db-keyspace-authorize"),
pulumi.String("db-keyspace-drop"),
pulumi.String("db-keyspace-create"),
pulumi.String("db-keyspace-grant"),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.astra.Role;
import com.pulumi.astra.RoleArgs;
import com.pulumi.astra.Database;
import com.pulumi.astra.DatabaseArgs;
import com.pulumi.astra.Keyspace;
import com.pulumi.astra.KeyspaceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var alldbsrole = new Role("alldbsrole", RoleArgs.builder()
.roleName("alldbsrole")
.description("Role that applies to all DBs in an org")
.effect("allow")
.resources(
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*")
.policies(
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant")
.build());
var exampledb = new Database("exampledb", DatabaseArgs.builder()
.keyspace("primaryks")
.cloudProvider("gcp")
.regions("us-east1")
.build());
var appks1 = new Keyspace("appks1", KeyspaceArgs.builder()
.databaseId(exampledb.id())
.build());
var appks2 = new Keyspace("appks2", KeyspaceArgs.builder()
.databaseId(exampledb.id())
.build());
var appks3 = new Keyspace("appks3", KeyspaceArgs.builder()
.databaseId(exampledb.id())
.build());
var singledbrole = new Role("singledbrole", RoleArgs.builder()
.roleName("singledbrole")
.description("Role that applies to specific keyspaces for a single Astra DB")
.effect("allow")
.resources(
Output.tuple(exampledb.id(), exampledb.keyspace()).applyValue(values -> {
var id = values.t1;
var keyspace = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s", id,keyspace);
}),
Output.tuple(exampledb.id(), exampledb.keyspace()).applyValue(values -> {
var id = values.t1;
var keyspace = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s:table:*", id,keyspace);
}),
Output.tuple(exampledb.id(), appks1.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s", id,name);
}),
Output.tuple(exampledb.id(), appks1.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s:table:*", id,name);
}),
Output.tuple(exampledb.id(), appks2.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s", id,name);
}),
Output.tuple(exampledb.id(), appks2.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s:table:*", id,name);
}),
Output.tuple(exampledb.id(), appks3.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s", id,name);
}),
Output.tuple(exampledb.id(), appks3.name()).applyValue(values -> {
var id = values.t1;
var name = values.t2;
return String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:%s:table:*", id,name);
}),
exampledb.id().applyValue(id -> String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:futureks", id)),
exampledb.id().applyValue(id -> String.format("drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:%s:keyspace:futureks:table:*", id)))
.policies(
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant")
.build());
}
}
import pulumi
import pulumiverse_astra as astra
# Example role that grants policy permissions to ALL Astra DBs in an organization
alldbsrole = astra.Role("alldbsrole",
role_name="alldbsrole",
description="Role that applies to all DBs in an org",
effect="allow",
resources=[
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*",
],
policies=[
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
])
# Example resources for a more restricted role
# A Terraform managed Astra DB resource
exampledb = astra.Database("exampledb",
keyspace="primaryks",
cloud_provider="gcp",
regions=["us-east1"])
# Example application keyspaces
appks1 = astra.Keyspace("appks1", database_id=exampledb.id)
appks2 = astra.Keyspace("appks2", database_id=exampledb.id)
appks3 = astra.Keyspace("appks3", database_id=exampledb.id)
# Example role that grants policy permissions to specific keyspaces within a single Astra DB
singledbrole = astra.Role("singledbrole",
role_name="singledbrole",
description="Role that applies to specific keyspaces for a single Astra DB",
effect="allow",
resources=[
pulumi.Output.all(exampledb.id, exampledb.keyspace).apply(lambda id, keyspace: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{keyspace}"),
pulumi.Output.all(exampledb.id, exampledb.keyspace).apply(lambda id, keyspace: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{keyspace}:table:*"),
pulumi.Output.all(exampledb.id, appks1.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}"),
pulumi.Output.all(exampledb.id, appks1.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*"),
pulumi.Output.all(exampledb.id, appks2.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}"),
pulumi.Output.all(exampledb.id, appks2.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*"),
pulumi.Output.all(exampledb.id, appks3.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}"),
pulumi.Output.all(exampledb.id, appks3.name).apply(lambda id, name: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:{name}:table:*"),
exampledb.id.apply(lambda id: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:futureks"),
exampledb.id.apply(lambda id: f"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:{id}:keyspace:futureks:table:*"),
],
policies=[
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
])
import * as pulumi from "@pulumi/pulumi";
import * as astra from "@pulumiverse/astra";
// Example role that grants policy permissions to ALL Astra DBs in an organization
const alldbsrole = new astra.Role("alldbsrole", {
roleName: "alldbsrole",
description: "Role that applies to all DBs in an org",
effect: "allow",
resources: [
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*",
"drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*",
],
policies: [
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
],
});
// Example resources for a more restricted role
// A Terraform managed Astra DB resource
const exampledb = new astra.Database("exampledb", {
keyspace: "primaryks",
cloudProvider: "gcp",
regions: ["us-east1"],
});
// Example application keyspaces
const appks1 = new astra.Keyspace("appks1", {databaseId: exampledb.id});
const appks2 = new astra.Keyspace("appks2", {databaseId: exampledb.id});
const appks3 = new astra.Keyspace("appks3", {databaseId: exampledb.id});
// Example role that grants policy permissions to specific keyspaces within a single Astra DB
const singledbrole = new astra.Role("singledbrole", {
roleName: "singledbrole",
description: "Role that applies to specific keyspaces for a single Astra DB",
effect: "allow",
resources: [
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${exampledb.keyspace}`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${exampledb.keyspace}:table:*`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks1.name}`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks1.name}:table:*`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks2.name}`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks2.name}:table:*`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks3.name}`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks3.name}:table:*`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:futureks`,
pulumi.interpolate`drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:futureks:table:*`,
],
policies: [
"org-db-view",
"db-cql",
"db-table-alter",
"db-table-create",
"db-table-describe",
"db-table-modify",
"db-table-select",
"db-keyspace-alter",
"db-keyspace-describe",
"db-keyspace-modify",
"db-keyspace-authorize",
"db-keyspace-drop",
"db-keyspace-create",
"db-keyspace-grant",
],
});
resources:
# Example role that grants policy permissions to ALL Astra DBs in an organization
alldbsrole:
type: astra:Role
properties:
roleName: alldbsrole
description: Role that applies to all DBs in an org
effect: allow
resources:
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:*:keyspace:*:table:*
policies:
- org-db-view
- db-cql
- db-table-alter
- db-table-create
- db-table-describe
- db-table-modify
- db-table-select
- db-keyspace-alter
- db-keyspace-describe
- db-keyspace-modify
- db-keyspace-authorize
- db-keyspace-drop
- db-keyspace-create
- db-keyspace-grant
# Example resources for a more restricted role
# A Terraform managed Astra DB resource
exampledb:
type: astra:Database
properties:
keyspace: primaryks
cloudProvider: gcp
regions:
- us-east1
# Example application keyspaces
appks1:
type: astra:Keyspace
properties:
databaseId: ${exampledb.id}
appks2:
type: astra:Keyspace
properties:
databaseId: ${exampledb.id}
appks3:
type: astra:Keyspace
properties:
databaseId: ${exampledb.id}
# Example role that grants policy permissions to specific keyspaces within a single Astra DB
singledbrole:
type: astra:Role
properties:
roleName: singledbrole
description: Role that applies to specific keyspaces for a single Astra DB
effect: allow
resources:
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${exampledb.keyspace}
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${exampledb.keyspace}:table:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks1.name}
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks1.name}:table:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks2.name}
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks2.name}:table:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks3.name}
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:${appks3.name}:table:*
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:futureks
- drn:astra:org:f9f4b1e0-4c05-451e-9bba-d631295a7f73:db:${exampledb.id}:keyspace:futureks:table:*
policies:
- org-db-view
- db-cql
- db-table-alter
- db-table-create
- db-table-describe
- db-table-modify
- db-table-select
- db-keyspace-alter
- db-keyspace-describe
- db-keyspace-modify
- db-keyspace-authorize
- db-keyspace-drop
- db-keyspace-create
- db-keyspace-grant
Create Role Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Role(name: string, args: RoleArgs, opts?: CustomResourceOptions);@overload
def Role(resource_name: str,
args: RoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Role(resource_name: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
effect: Optional[str] = None,
policies: Optional[Sequence[str]] = None,
resources: Optional[Sequence[str]] = None,
role_name: Optional[str] = None)func NewRole(ctx *Context, name string, args RoleArgs, opts ...ResourceOption) (*Role, error)public Role(string name, RoleArgs args, CustomResourceOptions? opts = null)type: astra:Role
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var roleResource = new Astra.Role("roleResource", new()
{
Description = "string",
Effect = "string",
Policies = new[]
{
"string",
},
Resources = new[]
{
"string",
},
RoleName = "string",
});
example, err := astra.NewRole(ctx, "roleResource", &astra.RoleArgs{
Description: pulumi.String("string"),
Effect: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
Resources: pulumi.StringArray{
pulumi.String("string"),
},
RoleName: pulumi.String("string"),
})
var roleResource = new Role("roleResource", RoleArgs.builder()
.description("string")
.effect("string")
.policies("string")
.resources("string")
.roleName("string")
.build());
role_resource = astra.Role("roleResource",
description="string",
effect="string",
policies=["string"],
resources=["string"],
role_name="string")
const roleResource = new astra.Role("roleResource", {
description: "string",
effect: "string",
policies: ["string"],
resources: ["string"],
roleName: "string",
});
type: astra:Role
properties:
description: string
effect: string
policies:
- string
resources:
- string
roleName: string
Role Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Role resource accepts the following input properties:
- Description string
- Role description
- Effect string
- Role effect
- Policies List<string>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- Resources List<string>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- Role
Name string - Role name
- Description string
- Role description
- Effect string
- Role effect
- Policies []string
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- Resources []string
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- Role
Name string - Role name
- description String
- Role description
- effect String
- Role effect
- policies List<String>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources List<String>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Name String - Role name
- description string
- Role description
- effect string
- Role effect
- policies string[]
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources string[]
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Name string - Role name
- description str
- Role description
- effect str
- Role effect
- policies Sequence[str]
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources Sequence[str]
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role_
name str - Role name
- description String
- Role description
- effect String
- Role effect
- policies List<String>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources List<String>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Name String - Role name
Outputs
All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:
Look up Existing Role Resource
Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
effect: Optional[str] = None,
policies: Optional[Sequence[str]] = None,
resources: Optional[Sequence[str]] = None,
role_id: Optional[str] = None,
role_name: Optional[str] = None) -> Rolefunc GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Description string
- Role description
- Effect string
- Role effect
- Policies List<string>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- Resources List<string>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- Role
Id string - Role ID, system generated
- Role
Name string - Role name
- Description string
- Role description
- Effect string
- Role effect
- Policies []string
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- Resources []string
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- Role
Id string - Role ID, system generated
- Role
Name string - Role name
- description String
- Role description
- effect String
- Role effect
- policies List<String>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources List<String>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Id String - Role ID, system generated
- role
Name String - Role name
- description string
- Role description
- effect string
- Role effect
- policies string[]
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources string[]
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Id string - Role ID, system generated
- role
Name string - Role name
- description str
- Role description
- effect str
- Role effect
- policies Sequence[str]
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources Sequence[str]
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role_
id str - Role ID, system generated
- role_
name str - Role name
- description String
- Role description
- effect String
- Role effect
- policies List<String>
- List of policies for the role. See https://docs.datastax.com/en/astra/docs/user-permissions.html#operationalroles_detail for supported policies.
- resources List<String>
- Resources for which role is applicable (format is "drn:astra:org:\n\n", followed by optional resource criteria. See example usage above).
- role
Id String - Role ID, system generated
- role
Name String - Role name
Import
$ pulumi import astra:index/role:Role example role-id
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- astra pulumiverse/pulumi-astra
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
astraTerraform Provider.