@pulumi/azuread
Version:
A Pulumi package for creating and managing Azure Active Directory (Azure AD) cloud resources.
198 lines • 10.3 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* Manages a permission scope for an application registration.
*
* This resource is analogous to the `oauth2PermissionScope` block in the `api` block of the `azuread.Application` resource. When using these resources together, you should use the `ignoreChanges` lifecycle meta-argument (see example below).
*
* ## API Permissions
*
* The following API permissions are required in order to use this resource.
*
* When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`
*
* > When using the `Application.ReadWrite.OwnedBy` application role, the principal being used to run Terraform must be an owner of the application.
*
* When authenticated with a user principal, this resource may require one of the following directory roles: `Application Administrator` or `Global Administrator`
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
* import * as random from "@pulumi/random";
*
* const example = new azuread.ApplicationRegistration("example", {displayName: "example"});
* const exampleAdminister = new random.index.Uuid("example_administer", {});
* const exampleApplicationPermissionScope = new azuread.ApplicationPermissionScope("example", {
* applicationId: test.id,
* scopeId: exampleAdminister.id,
* value: "administer",
* adminConsentDescription: "Administer the application",
* adminConsentDisplayName: "Administer",
* });
* ```
*
* > **Tip** For managing more permissions scopes, create additional instances of this resource
*
* *Usage with azuread.Application resource*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const example = new azuread.Application("example", {displayName: "example"});
* const exampleApplicationPermissionScope = new azuread.ApplicationPermissionScope("example", {applicationId: example.id});
* ```
*
* ## Import
*
* Application App Roles can be imported using the object ID of the application and the ID of the permission scope, in the following format.
*
* ```sh
* $ pulumi import azuread:index/applicationPermissionScope:ApplicationPermissionScope example /applications/00000000-0000-0000-0000-000000000000/permissionScopes/11111111-1111-1111-1111-111111111111
* ```
*/
export declare class ApplicationPermissionScope extends pulumi.CustomResource {
/**
* Get an existing ApplicationPermissionScope resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ApplicationPermissionScopeState, opts?: pulumi.CustomResourceOptions): ApplicationPermissionScope;
/**
* Returns true if the given object is an instance of ApplicationPermissionScope. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is ApplicationPermissionScope;
/**
* Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
*/
readonly adminConsentDescription: pulumi.Output<string>;
/**
* Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
*/
readonly adminConsentDisplayName: pulumi.Output<string>;
/**
* The resource ID of the application registration. Changing this forces a new resource to be created.
*/
readonly applicationId: pulumi.Output<string>;
/**
* The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
*/
readonly scopeId: pulumi.Output<string>;
/**
* Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
*/
readonly type: pulumi.Output<string | undefined>;
/**
* Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
*/
readonly userConsentDescription: pulumi.Output<string | undefined>;
/**
* Display name for the delegated permission that appears in the end user consent experience.
*
* > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
*/
readonly userConsentDisplayName: pulumi.Output<string | undefined>;
/**
* The value that is used for the `scp` claim in OAuth access tokens.
*
* > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
*/
readonly value: pulumi.Output<string>;
/**
* Create a ApplicationPermissionScope resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: ApplicationPermissionScopeArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering ApplicationPermissionScope resources.
*/
export interface ApplicationPermissionScopeState {
/**
* Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
*/
adminConsentDescription?: pulumi.Input<string | undefined>;
/**
* Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
*/
adminConsentDisplayName?: pulumi.Input<string | undefined>;
/**
* The resource ID of the application registration. Changing this forces a new resource to be created.
*/
applicationId?: pulumi.Input<string | undefined>;
/**
* The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
*/
scopeId?: pulumi.Input<string | undefined>;
/**
* Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
*/
type?: pulumi.Input<string | undefined>;
/**
* Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
*/
userConsentDescription?: pulumi.Input<string | undefined>;
/**
* Display name for the delegated permission that appears in the end user consent experience.
*
* > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
*/
userConsentDisplayName?: pulumi.Input<string | undefined>;
/**
* The value that is used for the `scp` claim in OAuth access tokens.
*
* > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
*/
value?: pulumi.Input<string | undefined>;
}
/**
* The set of arguments for constructing a ApplicationPermissionScope resource.
*/
export interface ApplicationPermissionScopeArgs {
/**
* Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
*/
adminConsentDescription: pulumi.Input<string>;
/**
* Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
*/
adminConsentDisplayName: pulumi.Input<string>;
/**
* The resource ID of the application registration. Changing this forces a new resource to be created.
*/
applicationId: pulumi.Input<string>;
/**
* The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
*/
scopeId: pulumi.Input<string>;
/**
* Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
*/
type?: pulumi.Input<string | undefined>;
/**
* Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
*/
userConsentDescription?: pulumi.Input<string | undefined>;
/**
* Display name for the delegated permission that appears in the end user consent experience.
*
* > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
*/
userConsentDisplayName?: pulumi.Input<string | undefined>;
/**
* The value that is used for the `scp` claim in OAuth access tokens.
*
* > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
*/
value: pulumi.Input<string>;
}
//# sourceMappingURL=applicationPermissionScope.d.ts.map