import * as pulumi from "@pulumi/pulumi"; /** * Manages a single directory role assignment within Azure Active Directory. * * ## API Permissions * * The following API permissions are required in order to use this resource. * * When authenticated with a service principal, this resource requires one of the following application roles: `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All` * * When authenticated with a user principal, this resource requires one of the following directory roles: `Privileged Role Administrator` or `Global Administrator` * * ## Example Usage * * *Assignment for a built-in role* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const example = azuread.getUser({ * userPrincipalName: "jdoe@example.com", * }); * const exampleDirectoryRole = new azuread.DirectoryRole("example", {displayName: "Security administrator"}); * const exampleDirectoryRoleAssignment = new azuread.DirectoryRoleAssignment("example", { * roleId: exampleDirectoryRole.templateId, * principalObjectId: example.then(example => example.objectId), * }); * ``` * * > Note the use of the `templateId` attribute when referencing built-in roles. * * *Assignment for a custom role* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const example = azuread.getUser({ * userPrincipalName: "jdoe@example.com", * }); * const exampleCustomDirectoryRole = new azuread.CustomDirectoryRole("example", { * displayName: "My Custom Role", * enabled: true, * version: "1.0", * permissions: [{ * allowedResourceActions: [ * "microsoft.directory/applications/basic/update", * "microsoft.directory/applications/standard/read", * ], * }], * }); * const exampleDirectoryRoleAssignment = new azuread.DirectoryRoleAssignment("example", { * roleId: exampleCustomDirectoryRole.objectId, * principalObjectId: example.then(example => example.objectId), * }); * ``` * * *Scoped assignment for an application* * * ## Import * * Directory role assignments can be imported using the ID of the assignment, e.g. * * ```sh * $ pulumi import azuread:index/directoryRoleAssignment:DirectoryRoleAssignment example ePROZI_iKE653D_d6aoLHyr-lKgHI8ZGiIdz8CLVcng-1 * ``` */ export declare class DirectoryRoleAssignment extends pulumi.CustomResource { /** * Get an existing DirectoryRoleAssignment resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: DirectoryRoleAssignmentState, opts?: pulumi.CustomResourceOptions): DirectoryRoleAssignment; /** * Returns true if the given object is an instance of DirectoryRoleAssignment. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is DirectoryRoleAssignment; /** * Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directoryScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ readonly appScopeId: pulumi.Output; /** * Identifier of the directory object representing the scope of the assignment. Cannot be used with `appScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ readonly directoryScopeId: pulumi.Output; /** * The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ readonly principalObjectId: pulumi.Output; /** * The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created. */ readonly roleId: pulumi.Output; /** * Create a DirectoryRoleAssignment resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: DirectoryRoleAssignmentArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering DirectoryRoleAssignment resources. */ export interface DirectoryRoleAssignmentState { /** * Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directoryScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ appScopeId?: pulumi.Input; /** * Identifier of the directory object representing the scope of the assignment. Cannot be used with `appScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ directoryScopeId?: pulumi.Input; /** * The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ principalObjectId?: pulumi.Input; /** * The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created. */ roleId?: pulumi.Input; } /** * The set of arguments for constructing a DirectoryRoleAssignment resource. */ export interface DirectoryRoleAssignmentArgs { /** * Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directoryScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ appScopeId?: pulumi.Input; /** * Identifier of the directory object representing the scope of the assignment. Cannot be used with `appScopeId`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created. */ directoryScopeId?: pulumi.Input; /** * The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created. */ principalObjectId: pulumi.Input; /** * The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created. */ roleId: pulumi.Input; }