We recommend using Azure Native.
azure.authorization.RoleDefinition
Explore with Pulumi AI
Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const example = new azure.authorization.RoleDefinition("example", {
name: "my-custom-role",
scope: primary.then(primary => primary.id),
description: "This is a custom role created",
permissions: [{
actions: ["*"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example = azure.authorization.RoleDefinition("example",
name="my-custom-role",
scope=primary.id,
description="This is a custom role created",
permissions=[{
"actions": ["*"],
"not_actions": [],
}],
assignable_scopes=[primary.id])
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
_, err = authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
Name: pulumi.String("my-custom-role"),
Scope: pulumi.String(primary.Id),
Description: pulumi.String("This is a custom role created"),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("*"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = new Azure.Authorization.RoleDefinition("example", new()
{
Name = "my-custom-role",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Description = "This is a custom role created",
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"*",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
var example = new RoleDefinition("example", RoleDefinitionArgs.builder()
.name("my-custom-role")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.description("This is a custom role created")
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("*")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
}
}
resources:
example:
type: azure:authorization:RoleDefinition
properties:
name: my-custom-role
scope: ${primary.id}
description: This is a custom role created
permissions:
- actions:
- '*'
notActions: []
assignableScopes:
- ${primary.id}
variables:
primary:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
With Management Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getSubscription({});
const example = new azure.management.Group("example", {
displayName: "ParentGroup",
subscriptionIds: [current.then(current => current.subscriptionId)],
});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
name: "example-mg-role",
scope: example.id,
description: "Example custom role scoped to a management group.",
permissions: [{
actions: ["Microsoft.Insights/alertRules/*"],
notActions: [],
}],
assignableScopes: [example.id],
});
import pulumi
import pulumi_azure as azure
current = azure.core.get_subscription()
example = azure.management.Group("example",
display_name="ParentGroup",
subscription_ids=[current.subscription_id])
example_role_definition = azure.authorization.RoleDefinition("example",
name="example-mg-role",
scope=example.id,
description="Example custom role scoped to a management group.",
permissions=[{
"actions": ["Microsoft.Insights/alertRules/*"],
"not_actions": [],
}],
assignable_scopes=[example.id])
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
DisplayName: pulumi.String("ParentGroup"),
SubscriptionIds: pulumi.StringArray{
pulumi.String(current.SubscriptionId),
},
})
if err != nil {
return err
}
_, err = authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
Name: pulumi.String("example-mg-role"),
Scope: example.ID(),
Description: pulumi.String("Example custom role scoped to a management group."),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Insights/alertRules/*"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
example.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetSubscription.Invoke();
var example = new Azure.Management.Group("example", new()
{
DisplayName = "ParentGroup",
SubscriptionIds = new[]
{
current.Apply(getSubscriptionResult => getSubscriptionResult.SubscriptionId),
},
});
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
{
Name = "example-mg-role",
Scope = example.Id,
Description = "Example custom role scoped to a management group.",
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Insights/alertRules/*",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
example.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.management.Group;
import com.pulumi.azure.management.GroupArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getSubscription();
var example = new Group("example", GroupArgs.builder()
.displayName("ParentGroup")
.subscriptionIds(current.applyValue(getSubscriptionResult -> getSubscriptionResult.subscriptionId()))
.build());
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.name("example-mg-role")
.scope(example.id())
.description("Example custom role scoped to a management group.")
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Insights/alertRules/*")
.notActions()
.build())
.assignableScopes(example.id())
.build());
}
}
resources:
example:
type: azure:management:Group
properties:
displayName: ParentGroup
subscriptionIds:
- ${current.subscriptionId}
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
name: example
properties:
name: example-mg-role
scope: ${example.id}
description: Example custom role scoped to a management group.
permissions:
- actions:
- Microsoft.Insights/alertRules/*
notActions: []
assignableScopes:
- ${example.id}
variables:
current:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
Create RoleDefinition Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RoleDefinition(name: string, args: RoleDefinitionArgs, opts?: CustomResourceOptions);
@overload
def RoleDefinition(resource_name: str,
args: RoleDefinitionArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RoleDefinition(resource_name: str,
opts: Optional[ResourceOptions] = None,
scope: Optional[str] = None,
assignable_scopes: Optional[Sequence[str]] = None,
description: Optional[str] = None,
name: Optional[str] = None,
permissions: Optional[Sequence[RoleDefinitionPermissionArgs]] = None,
role_definition_id: Optional[str] = None)
func NewRoleDefinition(ctx *Context, name string, args RoleDefinitionArgs, opts ...ResourceOption) (*RoleDefinition, error)
public RoleDefinition(string name, RoleDefinitionArgs args, CustomResourceOptions? opts = null)
public RoleDefinition(String name, RoleDefinitionArgs args)
public RoleDefinition(String name, RoleDefinitionArgs args, CustomResourceOptions options)
type: azure:authorization:RoleDefinition
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleDefinitionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleDefinitionArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleDefinitionArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleDefinitionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleDefinitionArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var roleDefinitionResource = new Azure.Authorization.RoleDefinition("roleDefinitionResource", new()
{
Scope = "string",
AssignableScopes = new[]
{
"string",
},
Description = "string",
Name = "string",
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"string",
},
DataActions = new[]
{
"string",
},
NotActions = new[]
{
"string",
},
NotDataActions = new[]
{
"string",
},
},
},
RoleDefinitionId = "string",
});
example, err := authorization.NewRoleDefinition(ctx, "roleDefinitionResource", &authorization.RoleDefinitionArgs{
Scope: pulumi.String("string"),
AssignableScopes: pulumi.StringArray{
pulumi.String("string"),
},
Description: pulumi.String("string"),
Name: pulumi.String("string"),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("string"),
},
DataActions: pulumi.StringArray{
pulumi.String("string"),
},
NotActions: pulumi.StringArray{
pulumi.String("string"),
},
NotDataActions: pulumi.StringArray{
pulumi.String("string"),
},
},
},
RoleDefinitionId: pulumi.String("string"),
})
var roleDefinitionResource = new RoleDefinition("roleDefinitionResource", RoleDefinitionArgs.builder()
.scope("string")
.assignableScopes("string")
.description("string")
.name("string")
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("string")
.dataActions("string")
.notActions("string")
.notDataActions("string")
.build())
.roleDefinitionId("string")
.build());
role_definition_resource = azure.authorization.RoleDefinition("roleDefinitionResource",
scope="string",
assignable_scopes=["string"],
description="string",
name="string",
permissions=[{
"actions": ["string"],
"data_actions": ["string"],
"not_actions": ["string"],
"not_data_actions": ["string"],
}],
role_definition_id="string")
const roleDefinitionResource = new azure.authorization.RoleDefinition("roleDefinitionResource", {
scope: "string",
assignableScopes: ["string"],
description: "string",
name: "string",
permissions: [{
actions: ["string"],
dataActions: ["string"],
notActions: ["string"],
notDataActions: ["string"],
}],
roleDefinitionId: "string",
});
type: azure:authorization:RoleDefinition
properties:
assignableScopes:
- string
description: string
name: string
permissions:
- actions:
- string
dataActions:
- string
notActions:
- string
notDataActions:
- string
roleDefinitionId: string
scope: string
RoleDefinition Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RoleDefinition resource accepts the following input properties:
- Scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - Assignable
Scopes List<string> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- Description string
- A description of the Role Definition.
- Name string
- The name of the Role Definition.
- Permissions
List<Role
Definition Permission> - A
permissions
block as defined below. - Role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- Scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - Assignable
Scopes []string One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- Description string
- A description of the Role Definition.
- Name string
- The name of the Role Definition.
- Permissions
[]Role
Definition Permission Args - A
permissions
block as defined below. - Role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- scope String
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - assignable
Scopes List<String> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description String
- A description of the Role Definition.
- name String
- The name of the Role Definition.
- permissions
List<Role
Definition Permission> - A
permissions
block as defined below. - role
Definition StringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - assignable
Scopes string[] One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description string
- A description of the Role Definition.
- name string
- The name of the Role Definition.
- permissions
Role
Definition Permission[] - A
permissions
block as defined below. - role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- scope str
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - assignable_
scopes Sequence[str] One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description str
- A description of the Role Definition.
- name str
- The name of the Role Definition.
- permissions
Sequence[Role
Definition Permission Args] - A
permissions
block as defined below. - role_
definition_ strid - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- scope String
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created. - assignable
Scopes List<String> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description String
- A description of the Role Definition.
- name String
- The name of the Role Definition.
- permissions List<Property Map>
- A
permissions
block as defined below. - role
Definition StringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
Outputs
All input properties are implicitly available as output properties. Additionally, the RoleDefinition resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- id String
- The provider-assigned unique ID for this managed resource.
- role
Definition StringResource Id - The Azure Resource Manager ID for the resource.
- id string
- The provider-assigned unique ID for this managed resource.
- role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- id str
- The provider-assigned unique ID for this managed resource.
- role_
definition_ strresource_ id - The Azure Resource Manager ID for the resource.
- id String
- The provider-assigned unique ID for this managed resource.
- role
Definition StringResource Id - The Azure Resource Manager ID for the resource.
Look up Existing RoleDefinition Resource
Get an existing RoleDefinition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RoleDefinitionState, opts?: CustomResourceOptions): RoleDefinition
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
assignable_scopes: Optional[Sequence[str]] = None,
description: Optional[str] = None,
name: Optional[str] = None,
permissions: Optional[Sequence[RoleDefinitionPermissionArgs]] = None,
role_definition_id: Optional[str] = None,
role_definition_resource_id: Optional[str] = None,
scope: Optional[str] = None) -> RoleDefinition
func GetRoleDefinition(ctx *Context, name string, id IDInput, state *RoleDefinitionState, opts ...ResourceOption) (*RoleDefinition, error)
public static RoleDefinition Get(string name, Input<string> id, RoleDefinitionState? state, CustomResourceOptions? opts = null)
public static RoleDefinition get(String name, Output<String> id, RoleDefinitionState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Assignable
Scopes List<string> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- Description string
- A description of the Role Definition.
- Name string
- The name of the Role Definition.
- Permissions
List<Role
Definition Permission> - A
permissions
block as defined below. - Role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- Role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- Scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
- Assignable
Scopes []string One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- Description string
- A description of the Role Definition.
- Name string
- The name of the Role Definition.
- Permissions
[]Role
Definition Permission Args - A
permissions
block as defined below. - Role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- Role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- Scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
- assignable
Scopes List<String> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description String
- A description of the Role Definition.
- name String
- The name of the Role Definition.
- permissions
List<Role
Definition Permission> - A
permissions
block as defined below. - role
Definition StringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition StringResource Id - The Azure Resource Manager ID for the resource.
- scope String
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
- assignable
Scopes string[] One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description string
- A description of the Role Definition.
- name string
- The name of the Role Definition.
- permissions
Role
Definition Permission[] - A
permissions
block as defined below. - role
Definition stringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition stringResource Id - The Azure Resource Manager ID for the resource.
- scope string
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
- assignable_
scopes Sequence[str] One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description str
- A description of the Role Definition.
- name str
- The name of the Role Definition.
- permissions
Sequence[Role
Definition Permission Args] - A
permissions
block as defined below. - role_
definition_ strid - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- role_
definition_ strresource_ id - The Azure Resource Manager ID for the resource.
- scope str
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
- assignable
Scopes List<String> One or more assignable scopes for this Role Definition, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
.NOTE: The value for
scope
is automatically included in this list if no other values supplied.- description String
- A description of the Role Definition.
- name String
- The name of the Role Definition.
- permissions List<Property Map>
- A
permissions
block as defined below. - role
Definition StringId - A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition StringResource Id - The Azure Resource Manager ID for the resource.
- scope String
- The scope at which the Role Definition applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
,/providers/Microsoft.Management/managementGroups/0b1f6471-1bf0-4dda-aec3-111122223333
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
. It is recommended to use the first entry of theassignable_scopes
. Changing this forces a new resource to be created.
Supporting Types
RoleDefinitionPermission, RoleDefinitionPermissionArgs
- Actions List<string>
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - Data
Actions List<string> - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - Not
Actions List<string> - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - Not
Data List<string>Actions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
- Actions []string
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - Data
Actions []string - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - Not
Actions []string - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - Not
Data []stringActions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
- actions List<String>
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - data
Actions List<String> - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Actions List<String> - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Data List<String>Actions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
- actions string[]
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - data
Actions string[] - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Actions string[] - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Data string[]Actions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
- actions Sequence[str]
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - data_
actions Sequence[str] - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - not_
actions Sequence[str] - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - not_
data_ Sequence[str]actions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
- actions List<String>
- One or more Allowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - data
Actions List<String> - One or more Allowed Data Actions, such as
*
,Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Actions List<String> - One or more Disallowed Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details. - not
Data List<String>Actions - One or more Disallowed Data Actions, such as
*
,Microsoft.Resources/subscriptions/resourceGroups/read
. See 'Azure Resource Manager resource provider operations' for details.
Import
Role Definitions can be imported using the resource id
, e.g.
$ pulumi import azure:authorization/roleDefinition:RoleDefinition example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|/subscriptions/00000000-0000-0000-0000-000000000000"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurerm
Terraform Provider.