import * as pulumi from "@pulumi/pulumi"; /** * Manages an app role assignment for a group, user or service principal. Can be used to grant admin consent for application permissions. * * ## API Permissions * * The following API permissions are required in order to use this resource. * * When authenticated with a service principal, this resource requires one of the following application roles: `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`, or `AppRoleAssignment.ReadWrite.All` and `Directory.Read.All`, or `Application.ReadWrite.All`, or `Directory.ReadWrite.All` * * When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` * * ## Example Usage * * *App role assignment for accessing Microsoft Graph* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const wellKnown = azuread.getApplicationPublishedAppIds({}); * const msgraph = new azuread.ServicePrincipal("msgraph", { * clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph), * useExisting: true, * }); * const example = new azuread.Application("example", { * displayName: "example", * requiredResourceAccesses: [{ * resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph), * resourceAccesses: [ * { * id: msgraph.appRoleIds["User.Read.All"], * type: "Role", * }, * { * id: msgraph.oauth2PermissionScopeIds["User.ReadWrite"], * type: "Scope", * }, * ], * }], * }); * const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId}); * const exampleAppRoleAssignment = new azuread.AppRoleAssignment("example", { * appRoleId: msgraph.appRoleIds["User.Read.All"], * principalObjectId: exampleServicePrincipal.objectId, * resourceObjectId: msgraph.objectId, * }); * ``` * * *App role assignment for internal application* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const internal = new azuread.Application("internal", { * displayName: "internal", * appRoles: [{ * allowedMemberTypes: ["Application"], * description: "Apps can query the database", * displayName: "Query", * enabled: true, * id: "00000000-0000-0000-0000-111111111111", * value: "Query.All", * }], * }); * const internalServicePrincipal = new azuread.ServicePrincipal("internal", {clientId: internal.clientId}); * const example = new azuread.Application("example", { * displayName: "example", * requiredResourceAccesses: [{ * resourceAppId: internal.clientId, * resourceAccesses: [{ * id: internalServicePrincipal.appRoleIds["Query.All"], * type: "Role", * }], * }], * }); * const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId}); * const exampleAppRoleAssignment = new azuread.AppRoleAssignment("example", { * appRoleId: internalServicePrincipal.appRoleIds["Query.All"], * principalObjectId: exampleServicePrincipal.objectId, * resourceObjectId: internalServicePrincipal.objectId, * }); * ``` * * *Assign a user and group to an internal application* * * ## Import * * App role assignments can be imported using the object ID of the service principal representing the resource and the ID of the app role assignment (note: _not_ the ID of the app role), e.g. * * ```sh * $ pulumi import azuread:index/appRoleAssignment:AppRoleAssignment example /servicePrincipals/00000000-0000-0000-0000-000000000000/appRoleAssignedTo/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz * ``` * * -> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format `/servicePrincipals/{ResourcePrincipalID}/appRoleAssignedTo/{AppRoleAssignmentID}`. */ export declare class AppRoleAssignment extends pulumi.CustomResource { /** * Get an existing AppRoleAssignment resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AppRoleAssignmentState, opts?: pulumi.CustomResourceOptions): AppRoleAssignment; /** * Returns true if the given object is an instance of AppRoleAssignment. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is AppRoleAssignment; /** * The ID of the app role to be assigned, or the default role ID `00000000-0000-0000-0000-000000000000`. Changing this forces a new resource to be created. */ readonly appRoleId: pulumi.Output; /** * The display name of the principal to which the app role is assigned. */ readonly principalDisplayName: pulumi.Output; /** * The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ readonly principalObjectId: pulumi.Output; /** * The object type of the principal to which the app role is assigned. */ readonly principalType: pulumi.Output; /** * The display name of the application representing the resource. */ readonly resourceDisplayName: pulumi.Output; /** * The object ID of the service principal representing the resource. Changing this forces a new resource to be created. */ readonly resourceObjectId: pulumi.Output; /** * Create a AppRoleAssignment resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AppRoleAssignmentArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering AppRoleAssignment resources. */ export interface AppRoleAssignmentState { /** * The ID of the app role to be assigned, or the default role ID `00000000-0000-0000-0000-000000000000`. Changing this forces a new resource to be created. */ appRoleId?: pulumi.Input; /** * The display name of the principal to which the app role is assigned. */ principalDisplayName?: pulumi.Input; /** * The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ principalObjectId?: pulumi.Input; /** * The object type of the principal to which the app role is assigned. */ principalType?: pulumi.Input; /** * The display name of the application representing the resource. */ resourceDisplayName?: pulumi.Input; /** * The object ID of the service principal representing the resource. Changing this forces a new resource to be created. */ resourceObjectId?: pulumi.Input; } /** * The set of arguments for constructing a AppRoleAssignment resource. */ export interface AppRoleAssignmentArgs { /** * The ID of the app role to be assigned, or the default role ID `00000000-0000-0000-0000-000000000000`. Changing this forces a new resource to be created. */ appRoleId: pulumi.Input; /** * The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ principalObjectId: pulumi.Input; /** * The object ID of the service principal representing the resource. Changing this forces a new resource to be created. */ resourceObjectId: pulumi.Input; }