import * as pulumi from "@pulumi/pulumi";
/**
 * Manages the API permissions for an application registration.
 *
 * This resource is analogous to the `requiredResourceAccess` block in the `azuread.Application` resource. When using these resources together, you should use the `ignoreChanges` lifecycle meta-argument (see example below).
 *
 * ## API Permissions
 *
 * The following API permissions are required in order to use this resource.
 *
 * When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`
 *
 * > When using the `Application.ReadWrite.OwnedBy` application role, the principal being used to run Terraform must be an owner of the application.
 *
 * When authenticated with a user principal, this resource may require one of the following directory roles: `Application Administrator` or `Global Administrator`
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const wellKnown = azuread.getApplicationPublishedAppIds({});
 * const msgraph = wellKnown.then(wellKnown => azuread.getServicePrincipal({
 *     clientId: wellKnown.result?.MicrosoftGraph,
 * }));
 * const example = new azuread.ApplicationRegistration("example", {displayName: "example"});
 * const exampleMsgraph = new azuread.ApplicationApiAccess("example_msgraph", {
 *     applicationId: example.id,
 *     apiClientId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
 *     roleIds: [
 *         msgraph.then(msgraph => msgraph.appRoleIds?.["Group.Read.All"]),
 *         msgraph.then(msgraph => msgraph.appRoleIds?.["User.Read.All"]),
 *     ],
 *     scopeIds: [msgraph.then(msgraph => msgraph.oauth2PermissionScopeIds?.["User.ReadWrite"])],
 * });
 * ```
 *
 * > **Tip** For managing permissions for an additional API, create another instance of this resource
 *
 * *Usage with azuread.Application resource*
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const example = new azuread.Application("example", {displayName: "example"});
 * const exampleApplicationApiAccess = new azuread.ApplicationApiAccess("example", {applicationId: example.id});
 * ```
 *
 * ## Import
 *
 * Application API Access can be imported using the object ID of the application and the client ID of the API, in the following format.
 *
 * ```sh
 * $ pulumi import azuread:index/applicationApiAccess:ApplicationApiAccess example /applications/00000000-0000-0000-0000-000000000000/apiAccess/11111111-1111-1111-1111-111111111111
 * ```
 */
export declare class ApplicationApiAccess extends pulumi.CustomResource {
    /**
     * Get an existing ApplicationApiAccess resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ApplicationApiAccessState, opts?: pulumi.CustomResourceOptions): ApplicationApiAccess;
    /**
     * Returns true if the given object is an instance of ApplicationApiAccess.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ApplicationApiAccess;
    /**
     * The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
     */
    readonly apiClientId: pulumi.Output<string>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    readonly applicationId: pulumi.Output<string>;
    /**
     * A set of role IDs to be granted to the application, as published by the API.
     */
    readonly roleIds: pulumi.Output<string[] | undefined>;
    /**
     * A set of scope IDs to be granted to the application, as published by the API.
     *
     * > At least one of `roleIds` or `scopeIds` must be specified.
     */
    readonly scopeIds: pulumi.Output<string[] | undefined>;
    /**
     * Create a ApplicationApiAccess resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ApplicationApiAccessArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering ApplicationApiAccess resources.
 */
export interface ApplicationApiAccessState {
    /**
     * The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
     */
    apiClientId?: pulumi.Input<string | undefined>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    applicationId?: pulumi.Input<string | undefined>;
    /**
     * A set of role IDs to be granted to the application, as published by the API.
     */
    roleIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * A set of scope IDs to be granted to the application, as published by the API.
     *
     * > At least one of `roleIds` or `scopeIds` must be specified.
     */
    scopeIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
/**
 * The set of arguments for constructing a ApplicationApiAccess resource.
 */
export interface ApplicationApiAccessArgs {
    /**
     * The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
     */
    apiClientId: pulumi.Input<string>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    applicationId: pulumi.Input<string>;
    /**
     * A set of role IDs to be granted to the application, as published by the API.
     */
    roleIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * A set of scope IDs to be granted to the application, as published by the API.
     *
     * > At least one of `roleIds` or `scopeIds` must be specified.
     */
    scopeIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
//# sourceMappingURL=applicationApiAccess.d.ts.map