azure-native.cosmosdb.SqlResourceSqlRoleDefinition
An Azure Cosmos DB SQL Role Definition.
Uses Azure REST API version 2024-11-15.
Other available API versions: 2020-06-01-preview, 2021-03-01-preview, 2021-04-01-preview, 2021-04-15, 2021-05-15, 2021-06-15, 2021-07-01-preview, 2021-10-15, 2021-10-15-preview, 2021-11-15-preview, 2022-02-15-preview, 2022-05-15, 2022-05-15-preview, 2022-08-15, 2022-08-15-preview, 2022-11-15, 2022-11-15-preview, 2023-03-01-preview, 2023-03-15, 2023-03-15-preview, 2023-04-15, 2023-09-15, 2023-09-15-preview, 2023-11-15, 2023-11-15-preview, 2024-02-15-preview, 2024-05-15, 2024-05-15-preview, 2024-08-15, 2024-09-01-preview, 2024-12-01-preview, 2025-04-15, 2025-05-01-preview. These can be accessed by generating a local SDK package using the CLI command pulumi package add azure-native cosmosdb [ApiVersion]. See the version guide for details.
Example Usage
CosmosDBSqlRoleDefinitionCreateUpdate
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Declares a custom Cosmos DB SQL role definition that allows item create and
// item read, and that may be assigned only at the two database scopes below.
return await Deployment.RunAsync(() =>
{
    // Scopes at or below which role assignments may use this definition. Both
    // entries are single databases; the database account itself is not listed.
    // NOTE(review): the property reference on this page says resources named in
    // assignable scopes need not exist, so a mistyped path may not be rejected.
    // Verify these strings against the intended databases.
    var assignableScopes = new[]
    {
        "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
        "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
    };

    // The only allowed data actions are item create and item read.
    // NotDataActions is left empty, so nothing is listed as denied.
    var itemCreateAndRead = new AzureNative.CosmosDB.Inputs.PermissionArgs
    {
        DataActions = new[]
        {
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        },
        NotDataActions = new() { },
    };

    var sqlResourceSqlRoleDefinition = new AzureNative.CosmosDB.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", new()
    {
        AccountName = "myAccountName",
        ResourceGroupName = "myResourceGroupName",
        // Placeholder value; the property is documented as the GUID of the role definition.
        RoleDefinitionId = "myRoleDefinitionId",
        // Must be unique for the database account.
        RoleName = "myRoleName",
        Type = AzureNative.CosmosDB.RoleDefinitionType.CustomRole,
        AssignableScopes = assignableScopes,
        Permissions = new[] { itemCreateAndRead },
    });
});
package main
import (
	cosmosdb "github.com/pulumi/pulumi-azure-native-sdk/cosmosdb/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one custom Cosmos DB SQL role definition. The definition
// allows item create and item read, and may be assigned only at the two
// database scopes listed in scopes.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Scopes at or below which role assignments may use this definition.
		// Both entries are single databases; the account itself is not listed.
		// NOTE(review): the property reference on this page says resources named
		// in assignable scopes need not exist, so a mistyped path may not be
		// rejected. Verify these strings against the intended databases.
		scopes := pulumi.StringArray{
			pulumi.String("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales"),
			pulumi.String("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"),
		}

		// The only allowed data actions are item create and item read.
		allowed := pulumi.StringArray{
			pulumi.String("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create"),
			pulumi.String("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"),
		}

		roleArgs := &cosmosdb.SqlResourceSqlRoleDefinitionArgs{
			AccountName:       pulumi.String("myAccountName"),
			ResourceGroupName: pulumi.String("myResourceGroupName"),
			// Placeholder value; the property is documented as the GUID of the role definition.
			RoleDefinitionId: pulumi.String("myRoleDefinitionId"),
			// Must be unique for the database account.
			RoleName:         pulumi.String("myRoleName"),
			Type:             cosmosdb.RoleDefinitionTypeCustomRole,
			AssignableScopes: scopes,
			Permissions: cosmosdb.PermissionArray{
				&cosmosdb.PermissionArgs{
					DataActions: allowed,
					// Left empty: nothing is listed as denied.
					NotDataActions: pulumi.StringArray{},
				},
			},
		}

		// A nil err is returned unchanged, which signals success to pulumi.Run.
		_, err := cosmosdb.NewSqlResourceSqlRoleDefinition(ctx, "sqlResourceSqlRoleDefinition", roleArgs)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.cosmosdb.SqlResourceSqlRoleDefinition;
import com.pulumi.azurenative.cosmosdb.SqlResourceSqlRoleDefinitionArgs;
import com.pulumi.azurenative.cosmosdb.inputs.PermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one custom Cosmos DB SQL role definition.
 * The definition allows item create and item read, and may be assigned only
 * at the two database scopes passed to {@code assignableScopes}.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares the role definition resource.
     *
     * @param ctx the Pulumi deployment context (not read by this method)
     */
    public static void stack(Context ctx) {
        // The only allowed data actions are item create and item read.
        // notDataActions() is called with no values, so nothing is listed as denied.
        final var itemCreateAndRead = PermissionArgs.builder()
            .dataActions(
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read")
            .notDataActions()
            .build();

        final var roleArgs = SqlResourceSqlRoleDefinitionArgs.builder()
            .accountName("myAccountName")
            .resourceGroupName("myResourceGroupName")
            // Placeholder value; the property is documented as the GUID of the role definition.
            .roleDefinitionId("myRoleDefinitionId")
            // Must be unique for the database account.
            .roleName("myRoleName")
            .type("CustomRole")
            // Scopes at or below which role assignments may use this definition.
            // Both entries are single databases; the account itself is not listed.
            // NOTE(review): the property reference on this page says resources named
            // in assignable scopes need not exist, so a mistyped path may not be
            // rejected. Verify these strings against the intended databases.
            .assignableScopes(
                "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
                "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases")
            .permissions(itemCreateAndRead)
            .build();

        var sqlResourceSqlRoleDefinition = new SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", roleArgs);
    }
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Scopes at or below which role assignments may use this definition. Both
// entries are single databases; the database account itself is not listed.
// NOTE(review): the property reference on this page says resources named in
// assignable scopes need not exist, so a mistyped path may not be rejected.
// Verify these strings against the intended databases.
const assignableScopes: string[] = [
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
];

// The only allowed data actions are item create and item read.
const allowedDataActions: string[] = [
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
];

// Custom role definition built from the scopes and actions above.
const sqlResourceSqlRoleDefinition = new azure_native.cosmosdb.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", {
    accountName: "myAccountName",
    resourceGroupName: "myResourceGroupName",
    // Placeholder value; the property is documented as the GUID of the role definition.
    roleDefinitionId: "myRoleDefinitionId",
    // Must be unique for the database account.
    roleName: "myRoleName",
    type: azure_native.cosmosdb.RoleDefinitionType.CustomRole,
    assignableScopes: assignableScopes,
    permissions: [{
        dataActions: allowedDataActions,
        // Left empty: nothing is listed as denied.
        notDataActions: [],
    }],
});
import pulumi
import pulumi_azure_native as azure_native
# Scopes at or below which role assignments may use this definition. Both
# entries are single databases; the database account itself is not listed.
# NOTE(review): the property reference on this page says resources named in
# assignable scopes need not exist, so a mistyped path may not be rejected.
# Verify these strings against the intended databases.
assignable_scopes = [
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
]

# The only allowed data actions are item create and item read.
# "not_data_actions" is left empty, so nothing is listed as denied.
item_create_and_read = {
    "data_actions": [
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
    ],
    "not_data_actions": [],
}

# Custom role definition built from the scopes and permission above.
sql_resource_sql_role_definition = azure_native.cosmosdb.SqlResourceSqlRoleDefinition(
    "sqlResourceSqlRoleDefinition",
    account_name="myAccountName",
    resource_group_name="myResourceGroupName",
    # Placeholder value; the property is documented as the GUID of the role definition.
    role_definition_id="myRoleDefinitionId",
    # Must be unique for the database account.
    role_name="myRoleName",
    type=azure_native.cosmosdb.RoleDefinitionType.CUSTOM_ROLE,
    assignable_scopes=assignable_scopes,
    permissions=[item_create_and_read],
)
# Declares one custom Cosmos DB SQL role definition that allows item create and
# item read, assignable only at the two database scopes listed below.
resources:
  sqlResourceSqlRoleDefinition:
    type: azure-native:cosmosdb:SqlResourceSqlRoleDefinition
    properties:
      accountName: myAccountName
      # Scopes at or below which role assignments may use this definition.
      # Both entries are single databases; the account itself is not listed.
      # NOTE(review): the property reference on this page says resources named in
      # assignable scopes need not exist, so a mistyped path may not be rejected.
      assignableScopes:
        - /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales
        - /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases
      permissions:
        # The only allowed data actions are item create and item read.
        - dataActions:
            - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create
            - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
          # Left empty: nothing is listed as denied.
          notDataActions: []
      resourceGroupName: myResourceGroupName
      # Placeholder value; the property is documented as the GUID of the role definition.
      roleDefinitionId: myRoleDefinitionId
      # Must be unique for the database account.
      roleName: myRoleName
      type: CustomRole
Create SqlResourceSqlRoleDefinition Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SqlResourceSqlRoleDefinition(name: string, args: SqlResourceSqlRoleDefinitionArgs, opts?: CustomResourceOptions);
@overload
def SqlResourceSqlRoleDefinition(resource_name: str,
                                 args: SqlResourceSqlRoleDefinitionArgs,
                                 opts: Optional[ResourceOptions] = None)
@overload
def SqlResourceSqlRoleDefinition(resource_name: str,
                                 opts: Optional[ResourceOptions] = None,
                                 account_name: Optional[str] = None,
                                 resource_group_name: Optional[str] = None,
                                 assignable_scopes: Optional[Sequence[str]] = None,
                                 permissions: Optional[Sequence[PermissionArgs]] = None,
                                 role_definition_id: Optional[str] = None,
                                 role_name: Optional[str] = None,
                                 type: Optional[RoleDefinitionType] = None)
func NewSqlResourceSqlRoleDefinition(ctx *Context, name string, args SqlResourceSqlRoleDefinitionArgs, opts ...ResourceOption) (*SqlResourceSqlRoleDefinition, error)
public SqlResourceSqlRoleDefinition(string name, SqlResourceSqlRoleDefinitionArgs args, CustomResourceOptions? opts = null)
public SqlResourceSqlRoleDefinition(String name, SqlResourceSqlRoleDefinitionArgs args)
public SqlResourceSqlRoleDefinition(String name, SqlResourceSqlRoleDefinitionArgs args, CustomResourceOptions options)
type: azure-native:cosmosdb:SqlResourceSqlRoleDefinition
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SqlResourceSqlRoleDefinitionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SqlResourceSqlRoleDefinitionArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SqlResourceSqlRoleDefinitionArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SqlResourceSqlRoleDefinitionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SqlResourceSqlRoleDefinitionArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template: every value below is a placeholder that shows the shape
// of the property, not a working configuration.
var sqlResourceSqlRoleDefinitionResource = new AzureNative.CosmosDB.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource", new()
{
    AccountName = "string",
    ResourceGroupName = "string",
    // Must have at least one element; scopes above the database account are
    // documented as not enforceable.
    AssignableScopes = new[]
    {
        "string",
    },
    Permissions = new[]
    {
        new AzureNative.CosmosDB.Inputs.PermissionArgs
        {
            // Data actions that are allowed.
            DataActions = new[]
            {
                "string",
            },
            Id = "string",
            // Data actions that are denied.
            NotDataActions = new[]
            {
                "string",
            },
        },
    },
    // Documented as the GUID of the role definition.
    RoleDefinitionId = "string",
    // Must be unique for the database account.
    RoleName = "string",
    // Placeholder enum value; the usage example on this page sets CustomRole
    // for a user-created definition.
    Type = AzureNative.CosmosDB.RoleDefinitionType.BuiltInRole,
});
// Reference template: every value below is a placeholder that shows the shape
// of the property, not a working configuration.
example, err := cosmosdb.NewSqlResourceSqlRoleDefinition(ctx, "sqlResourceSqlRoleDefinitionResource", &cosmosdb.SqlResourceSqlRoleDefinitionArgs{
	AccountName:       pulumi.String("string"),
	ResourceGroupName: pulumi.String("string"),
	// Must have at least one element; scopes above the database account are
	// documented as not enforceable.
	AssignableScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Permissions: cosmosdb.PermissionArray{
		&cosmosdb.PermissionArgs{
			// Data actions that are allowed.
			DataActions: pulumi.StringArray{
				pulumi.String("string"),
			},
			Id: pulumi.String("string"),
			// Data actions that are denied.
			NotDataActions: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	// Documented as the GUID of the role definition.
	RoleDefinitionId: pulumi.String("string"),
	// Must be unique for the database account.
	RoleName:         pulumi.String("string"),
	// Placeholder enum value; the usage example on this page sets
	// RoleDefinitionTypeCustomRole for a user-created definition.
	Type:             cosmosdb.RoleDefinitionTypeBuiltInRole,
})
// Reference template: every value below is a placeholder that shows the shape
// of the property, not a working configuration.
var sqlResourceSqlRoleDefinitionResource = new SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource", SqlResourceSqlRoleDefinitionArgs.builder()
    .accountName("string")
    .resourceGroupName("string")
    // Must have at least one element; scopes above the database account are
    // documented as not enforceable.
    .assignableScopes("string")
    .permissions(PermissionArgs.builder()
        // Data actions that are allowed.
        .dataActions("string")
        .id("string")
        // Data actions that are denied.
        .notDataActions("string")
        .build())
    // Documented as the GUID of the role definition.
    .roleDefinitionId("string")
    // Must be unique for the database account.
    .roleName("string")
    // Placeholder enum value; the usage example on this page sets "CustomRole"
    // for a user-created definition.
    .type("BuiltInRole")
    .build());
# Reference template: every value below is a placeholder that shows the shape
# of the property, not a working configuration.
sql_resource_sql_role_definition_resource = azure_native.cosmosdb.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource",
    account_name="string",
    resource_group_name="string",
    # Must have at least one element; scopes above the database account are
    # documented as not enforceable.
    assignable_scopes=["string"],
    permissions=[{
        # Data actions that are allowed.
        "data_actions": ["string"],
        "id": "string",
        # Data actions that are denied.
        "not_data_actions": ["string"],
    }],
    # Documented as the GUID of the role definition.
    role_definition_id="string",
    # Must be unique for the database account.
    role_name="string",
    # Placeholder enum value; the usage example on this page sets CUSTOM_ROLE
    # for a user-created definition.
    type=azure_native.cosmosdb.RoleDefinitionType.BUILT_IN_ROLE)
// Reference template: every value below is a placeholder that shows the shape
// of the property, not a working configuration.
const sqlResourceSqlRoleDefinitionResource = new azure_native.cosmosdb.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource", {
    accountName: "string",
    resourceGroupName: "string",
    // Must have at least one element; scopes above the database account are
    // documented as not enforceable.
    assignableScopes: ["string"],
    permissions: [{
        // Data actions that are allowed.
        dataActions: ["string"],
        id: "string",
        // Data actions that are denied.
        notDataActions: ["string"],
    }],
    // Documented as the GUID of the role definition.
    roleDefinitionId: "string",
    // Must be unique for the database account.
    roleName: "string",
    // Placeholder enum value; the usage example on this page sets CustomRole
    // for a user-created definition.
    type: azure_native.cosmosdb.RoleDefinitionType.BuiltInRole,
});
# Reference template: every value below is a placeholder that shows the shape
# of the property, not a working configuration.
type: azure-native:cosmosdb:SqlResourceSqlRoleDefinition
properties:
    accountName: string
    # Must have at least one element; scopes above the database account are
    # documented as not enforceable.
    assignableScopes:
        - string
    permissions:
        # Data actions that are allowed.
        - dataActions:
            - string
          id: string
          # Data actions that are denied.
          notDataActions:
            - string
    resourceGroupName: string
    # Documented as the GUID of the role definition.
    roleDefinitionId: string
    # Must be unique for the database account.
    roleName: string
    # Placeholder enum value; the usage example on this page sets CustomRole
    # for a user-created definition.
    type: BuiltInRole
SqlResourceSqlRoleDefinition Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SqlResourceSqlRoleDefinition resource accepts the following input properties:
- AccountName string
- Cosmos DB database account name.
- ResourceGroupName string
- The name of the resource group. The name is case insensitive.
- AssignableScopes List<string>
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- Permissions List<Pulumi.AzureNative.CosmosDB.Inputs.Permission>
- The set of operations allowed through this Role Definition.
- RoleDefinitionId string
- The GUID for the Role Definition.
- RoleName string
- A user-friendly name for the Role Definition. Must be unique for the database account.
- Type Pulumi.AzureNative.CosmosDB.RoleDefinitionType
- Indicates whether the Role Definition was built-in or user created.
- AccountName string
- Cosmos DB database account name.
- ResourceGroupName string
- The name of the resource group. The name is case insensitive.
- AssignableScopes []string
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- Permissions []PermissionArgs
- The set of operations allowed through this Role Definition.
- RoleDefinitionId string
- The GUID for the Role Definition.
- RoleName string
- A user-friendly name for the Role Definition. Must be unique for the database account.
- Type RoleDefinitionType
- Indicates whether the Role Definition was built-in or user created.
- accountName String
- Cosmos DB database account name.
- resourceGroupName String
- The name of the resource group. The name is case insensitive.
- assignableScopes List<String>
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- permissions List<Permission>
- The set of operations allowed through this Role Definition.
- roleDefinitionId String
- The GUID for the Role Definition.
- roleName String
- A user-friendly name for the Role Definition. Must be unique for the database account.
- type RoleDefinitionType
- Indicates whether the Role Definition was built-in or user created.
- accountName string
- Cosmos DB database account name.
- resourceGroupName string
- The name of the resource group. The name is case insensitive.
- assignableScopes string[]
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- permissions Permission[]
- The set of operations allowed through this Role Definition.
- roleDefinitionId string
- The GUID for the Role Definition.
- roleName string
- A user-friendly name for the Role Definition. Must be unique for the database account.
- type RoleDefinitionType
- Indicates whether the Role Definition was built-in or user created.
- account_name str
- Cosmos DB database account name.
- resource_group_name str
- The name of the resource group. The name is case insensitive.
- assignable_scopes Sequence[str]
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- permissions Sequence[PermissionArgs]
- The set of operations allowed through this Role Definition.
- role_definition_id str
- The GUID for the Role Definition.
- role_name str
- A user-friendly name for the Role Definition. Must be unique for the database account.
- type RoleDefinitionType
- Indicates whether the Role Definition was built-in or user created.
- accountName String
- Cosmos DB database account name.
- resourceGroupName String
- The name of the resource group. The name is case insensitive.
- assignableScopes List<String>
- A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
- permissions List<Property Map>
- The set of operations allowed through this Role Definition.
- roleDefinitionId String
- The GUID for the Role Definition.
- roleName String
- A user-friendly name for the Role Definition. Must be unique for the database account.
- type "BuiltInRole" | "CustomRole"
- Indicates whether the Role Definition was built-in or user created.
Outputs
All input properties are implicitly available as output properties. Additionally, the SqlResourceSqlRoleDefinition resource produces the following output properties:
- AzureApiVersion string
- The Azure API version of the resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The name of the database account.
- AzureApiVersion string
- The Azure API version of the resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The name of the database account.
- azureApiVersion String
- The Azure API version of the resource.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The name of the database account.
- azureApiVersion string
- The Azure API version of the resource.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The name of the database account.
- azure_api_version str
- The Azure API version of the resource.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The name of the database account.
- azureApiVersion String
- The Azure API version of the resource.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The name of the database account.
Supporting Types
Permission, PermissionArgs  
- DataActions List<string>
- An array of data actions that are allowed.
- Id string
- The id for the permission.
- NotDataActions List<string>
- An array of data actions that are denied.
- DataActions []string
- An array of data actions that are allowed.
- Id string
- The id for the permission.
- NotDataActions []string
- An array of data actions that are denied.
- dataActions List<String>
- An array of data actions that are allowed.
- id String
- The id for the permission.
- notDataActions List<String>
- An array of data actions that are denied.
- dataActions string[]
- An array of data actions that are allowed.
- id string
- The id for the permission.
- notDataActions string[]
- An array of data actions that are denied.
- data_actions Sequence[str]
- An array of data actions that are allowed.
- id str
- The id for the permission.
- not_data_actions Sequence[str]
- An array of data actions that are denied.
- dataActions List<String>
- An array of data actions that are allowed.
- id String
- The id for the permission.
- notDataActions List<String>
- An array of data actions that are denied.
PermissionResponse, PermissionResponseArgs    
- DataActions List<string>
- An array of data actions that are allowed.
- Id string
- The id for the permission.
- NotDataActions List<string>
- An array of data actions that are denied.
- DataActions []string
- An array of data actions that are allowed.
- Id string
- The id for the permission.
- NotDataActions []string
- An array of data actions that are denied.
- dataActions List<String>
- An array of data actions that are allowed.
- id String
- The id for the permission.
- notDataActions List<String>
- An array of data actions that are denied.
- dataActions string[]
- An array of data actions that are allowed.
- id string
- The id for the permission.
- notDataActions string[]
- An array of data actions that are denied.
- data_actions Sequence[str]
- An array of data actions that are allowed.
- id str
- The id for the permission.
- not_data_actions Sequence[str]
- An array of data actions that are denied.
- dataActions List<String>
- An array of data actions that are allowed.
- id String
- The id for the permission.
- notDataActions List<String>
- An array of data actions that are denied.
RoleDefinitionType, RoleDefinitionTypeArgs      
- BuiltInRole
- BuiltInRole
- CustomRole 
- CustomRole
- RoleDefinitionTypeBuiltInRole
- BuiltInRole
- RoleDefinitionTypeCustomRole
- CustomRole
- BuiltInRole
- BuiltInRole
- CustomRole 
- CustomRole
- BuiltInRole
- BuiltInRole
- CustomRole 
- CustomRole
- BUILT_IN_ROLE
- BuiltInRole
- CUSTOM_ROLE
- CustomRole
- "BuiltInRole"
- BuiltInRole
- "CustomRole" 
- CustomRole
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:cosmosdb:SqlResourceSqlRoleDefinition myRoleDefinitionId /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlRoleDefinitions/{roleDefinitionId} 
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Native pulumi/pulumi-azure-native
- License
- Apache-2.0