@drunk-pulumi/azure 0.0.19

package/AzAd/Group.d.ts

@@ -0,0 +1,29 @@
+import * as azuread from '@pulumi/azuread';
+import { Input, Output } from '@pulumi/pulumi';
+export interface GroupPermissionProps {
+    /** The name of the roles would like to assign to this group*/
+    roleName: string;
+    /**The scopes pf role if not provided the scope will be subscription level*/
+    scope?: Input<string>;
+}
+interface AdGroupProps {
+    name: string;
+    members?: Input<string>[];
+    owners?: Input<Input<string>[]>;
+    permissions?: Array<GroupPermissionProps>;
+}
+declare const _default: ({ name, permissions, members, owners }: AdGroupProps) => Promise<import("@pulumi/azuread/group").Group>;
+export default _default;
+export declare const getAdGroup: (displayName: string) => Output<import("@pulumi/pulumi").UnwrappedObject<azuread.GetGroupResult>>;
+export declare const addUserToGroup: ({ name, userName, objectId, groupObjectId, }: {
+    name: string;
+    userName?: string | undefined;
+    objectId?: Input<string> | undefined;
+    groupObjectId: Input<string>;
+}) => import("@pulumi/azuread/groupMember").GroupMember;
+export declare const addGroupToGroup: (groupMemberName: string, groupObjectId: Output<string>) => Output<import("@pulumi/azuread/groupMember").GroupMember>;
+export declare const assignRolesToGroup: ({ roles, groupName, scope, }: {
+    groupName: string;
+    roles: Array<string>;
+    scope?: Input<string> | undefined;
+}) => Output<() => Promise<import("@pulumi/azure-native/authorization/roleAssignment").RoleAssignment[]>>;

package/AzAd/Group.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assignRolesToGroup = exports.addGroupToGroup = exports.addUserToGroup = exports.getAdGroup = void 0;
+const azuread = require("@pulumi/azuread");
+const pulumi_1 = require("@pulumi/pulumi");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const RoleAssignment_1 = require("./RoleAssignment");
+exports.default = async ({ name, permissions, members, owners }) => {
+    const group = new azuread.Group(name, {
+        displayName: name,
+        externalSendersAllowed: false,
+        //hideFromAddressLists: true,
+        //hideFromOutlookClients: true,
+        mailEnabled: false,
+        securityEnabled: true,
+        owners,
+    });
+    if (members) {
+        members.map((u, i) => new azuread.GroupMember(`${name}-member-${i}`, {
+            groupObjectId: group.id,
+            memberObjectId: u,
+        }));
+    }
+    if (permissions) {
+        await Promise.all(permissions.map((p) => (0, RoleAssignment_1.roleAssignment)({
+            name,
+            principalId: group.objectId,
+            principalType: 'Group',
+            roleName: p.roleName,
+            scope: p.scope || AzureEnv_1.defaultScope,
+        })));
+    }
+    return group;
+};
+const getAdGroup = (displayName) => (0, pulumi_1.output)(azuread.getGroup({ displayName }));
+exports.getAdGroup = getAdGroup;
+const addUserToGroup = ({ name, userName, objectId, groupObjectId, }) => {
+    if (userName && !userName.includes('@'))
+        throw new Error('UserName must include suffix @domain.name');
+    else if (!objectId)
+        throw new Error('Either UserName or ObjectId must be defined.');
+    const user = userName
+        ? (0, pulumi_1.output)(azuread.getUser({ userPrincipalName: userName }))
+        : { objectId: objectId };
+    return new azuread.GroupMember(name, {
+        groupObjectId,
+        memberObjectId: user.objectId,
+    });
+};
+exports.addUserToGroup = addUserToGroup;
+const addGroupToGroup = (groupMemberName, groupObjectId) => {
+    const group = (0, exports.getAdGroup)(groupMemberName);
+    return groupObjectId.apply((g) => new azuread.GroupMember(`${g}-${groupMemberName}`, {
+        groupObjectId: g,
+        memberObjectId: group.objectId,
+    }));
+};
+exports.addGroupToGroup = addGroupToGroup;
+const assignRolesToGroup = ({ roles, groupName, scope, }) => (0, pulumi_1.output)(async () => {
+    const group = (0, exports.getAdGroup)(groupName);
+    return await Promise.all(roles.map((p) => (0, RoleAssignment_1.roleAssignment)({
+        name: groupName,
+        principalId: group.objectId,
+        principalType: 'Group',
+        roleName: p,
+        scope: scope ?? AzureEnv_1.defaultScope,
+    })));
+});
+exports.assignRolesToGroup = assignRolesToGroup;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiR3JvdXAuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvQXpBZC9Hcm91cC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyQ0FBMkM7QUFDM0MsMkNBQXVEO0FBQ3ZELGlEQUFrRDtBQUNsRCxxREFBa0Q7QUFpQmxELGtCQUFlLEtBQUssRUFBRSxFQUFFLElBQUksRUFBRSxXQUFXLEVBQUUsT0FBTyxFQUFFLE1BQU0sRUFBZ0IsRUFBRSxFQUFFO0lBQzVFLE1BQU0sS0FBSyxHQUFHLElBQUksT0FBTyxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUU7UUFDcEMsV0FBVyxFQUFFLElBQUk7UUFDakIsc0JBQXNCLEVBQUUsS0FBSztRQUM3Qiw2QkFBNkI7UUFDN0IsK0JBQStCO1FBQy9CLFdBQVcsRUFBRSxLQUFLO1FBQ2xCLGVBQWUsRUFBRSxJQUFJO1FBQ3JCLE1BQU07S0FDUCxDQUFDLENBQUM7SUFFSCxJQUFJLE9BQU8sRUFBRSxDQUFDO1FBQ1osT0FBTyxDQUFDLEdBQUcsQ0FDVCxDQUFDLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUNQLElBQUksT0FBTyxDQUFDLFdBQVcsQ0FBQyxHQUFHLElBQUksV0FBVyxDQUFDLEVBQUUsRUFBRTtZQUM3QyxhQUFhLEVBQUUsS0FBSyxDQUFDLEVBQUU7WUFDdkIsY0FBYyxFQUFFLENBQUM7U0FDbEIsQ0FBQyxDQUNMLENBQUM7SUFDSixDQUFDO0lBRUQsSUFBSSxXQUFXLEVBQUUsQ0FBQztRQUNoQixNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQ2YsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQ3BCLElBQUEsK0JBQWMsRUFBQztZQUNiLElBQUk7WUFDSixXQUFXLEVBQUUsS0FBSyxDQUFDLFFBQVE7WUFDM0IsYUFBYSxFQUFFLE9BQU87WUFDdEIsUUFBUSxFQUFFLENBQUMsQ0FBQyxRQUFRO1lBQ3BCLEtBQUssRUFBRSxDQUFDLENBQUMsS0FBSyxJQUFJLHVCQUFZO1NBQy9CLENBQUMsQ0FDSCxDQUNGLENBQUM7SUFDSixDQUFDO0lBRUQsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDLENBQUM7QUFFSyxNQUFNLFVBQVUsR0FBRyxDQUFDLFdBQW1CLEVBQUUsRUFBRSxDQUNoRCxJQUFBLGVBQU0sRUFBRSxPQUFPLENBQUMsUUFBUSxDQUFDLEVBQUUsV0FBVyxFQUFFLENBQUMsQ0FBQyxDQUFDO0FBRGhDLFFBQUEsVUFBVSxjQUNzQjtBQUV0QyxNQUFNLGNBQWMsR0FBRyxDQUFDLEVBQzdCLElBQUksRUFDSixRQUFRLEVBQ1IsUUFBUSxFQUNSLGFBQWEsR0FNZCxFQUFFLEVBQUU7SUFDSCxJQUFJLFFBQVEsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDO1FBQ3JDLE1BQU0sSUFBSSxLQUFLLENBQUMsMkNBQTJDLENBQUMsQ0FBQztTQUMxRCxJQUFJLENBQUMsUUFBUTtRQUNoQixNQUFNLElBQUksS0FBSyxDQUFDLDhDQUE4QyxDQUFDLENBQUM7SUFFbEUsTUFBTSxJQUFJLEdBQUcsUUFBUTtRQUNuQixDQUFDLENBQUMsSUFBQSxlQUFNLEVBQUUsT0FBTyxDQUFDLE9BQU8sQ0FBQyxFQUFFLGlCQUFpQixFQUFFLFFBQVEsRUFBRSxDQUFDLENBQUM7UUFDM0QsQ0FBQyxDQUFDLEVBQUUsUUFBUSxFQUFFLFFBQVEsRUFBRSxDQUFDO0lBRTNCLE9BQU8sSUFBSSxPQUFPLENBQUMsV0FBVyxDQUFDLElBQUksRUFBRTtRQUNuQyxhQUFhO1FBQ2IsY0FBYyxFQUFFLElBQUksQ0FBQyxRQUFRO0tBQzlCLENBQUMsQ0FBQztBQUNMLENBQUMsQ0FBQztBQXhCVyxRQUFBLGNBQWMsa0JBd0J6QjtBQUVLLE1BQU0sZUFBZSxHQUFHLENBQzdCLGVBQXVCLEVBQ3ZCLGFBQTZCLEVBQzdCLEVBQUU7SUFDRixNQUFNLEtBQUssR0FBRyxJQUFBLGtCQUFVLEVBQUMsZUFBZSxDQUFDLENBQUM7SUFFMUMsT0FBTyxhQUFhLENBQUMsS0FBSyxDQUN4QixDQUFDLENBQUMsRUFBRSxFQUFFLENBQ0osSUFBSSxPQUFPLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxJQUFJLGVBQWUsRUFBRSxFQUFFO1FBQ2pELGFBQWEsRUFBRSxDQUFDO1FBQ2hCLGNBQWMsRUFBRSxLQUFLLENBQUMsUUFBUTtLQUMvQixDQUFDLENBQ0wsQ0FBQztBQUNKLENBQUMsQ0FBQztBQWJXLFFBQUEsZUFBZSxtQkFhMUI7QUFFSyxNQUFNLGtCQUFrQixHQUFHLENBQUMsRUFDakMsS0FBSyxFQUNMLFNBQVMsRUFDVCxLQUFLLEdBS04sRUFBRSxFQUFFLENBQ0gsSUFBQSxlQUFNLEVBQUMsS0FBSyxJQUFJLEVBQUU7SUFDaEIsTUFBTSxLQUFLLEdBQUcsSUFBQSxrQkFBVSxFQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQ3BDLE9BQU8sTUFBTSxPQUFPLENBQUMsR0FBRyxDQUN0QixLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FDZCxJQUFBLCtCQUFjLEVBQUM7UUFDYixJQUFJLEVBQUUsU0FBUztRQUNmLFdBQVcsRUFBRSxLQUFLLENBQUMsUUFBUTtRQUMzQixhQUFhLEVBQUUsT0FBTztRQUN0QixRQUFRLEVBQUUsQ0FBQztRQUNYLEtBQUssRUFBRSxLQUFLLElBQUksdUJBQVk7S0FDN0IsQ0FBQyxDQUNILENBQ0YsQ0FBQztBQUNKLENBQUMsQ0FBQyxDQUFDO0FBdEJRLFFBQUEsa0JBQWtCLHNCQXNCMUIifQ==

package/AzAd/Helper.d.ts

@@ -0,0 +1,18 @@
+import { KeyVaultInfo } from '../types';
+import * as azureAD from '@pulumi/azuread';
+interface Props {
+    name: string;
+    includePrincipalSecret?: boolean;
+    vaultInfo: KeyVaultInfo;
+}
+export declare const getIdentitySecrets: ({ name, vaultInfo, includePrincipalSecret, }: Props) => Promise<{
+    clientId: import("@azure/keyvault-secrets").KeyVaultSecret | undefined;
+    clientSecret: import("@azure/keyvault-secrets").KeyVaultSecret | undefined;
+    principalId: import("@azure/keyvault-secrets").KeyVaultSecret | undefined;
+    principalSecret: import("@azure/keyvault-secrets").KeyVaultSecret | undefined;
+}>;
+export declare const getIdentity: (name: string, isGlobal?: boolean) => Promise<{
+    app: azureAD.GetApplicationResult;
+    principal: azureAD.GetServicePrincipalResult;
+}>;
+export {};

package/AzAd/Helper.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIdentity = exports.getIdentitySecrets = void 0;
+const Naming_1 = require("../Common/Naming");
+const Helper_1 = require("../KeyVault/Helper");
+const azureAD = require("@pulumi/azuread");
+const getIdentitySecrets = async ({ name, vaultInfo, includePrincipalSecret, }) => {
+    name = (0, Naming_1.getIdentityName)(name);
+    const clientIdKeyName = (0, Naming_1.getSecretName)(`${name}-client-id`);
+    const clientSecretKeyName = (0, Naming_1.getSecretName)(`${name}-client-secret`);
+    const principalIdKeyName = (0, Naming_1.getSecretName)(`${name}-principal-id`);
+    const principalSecretKeyName = (0, Naming_1.getSecretName)(`${name}-principal-secret`);
+    const [clientId, clientSecret] = await Promise.all([
+        (0, Helper_1.getSecret)({ name: clientIdKeyName, vaultInfo }),
+        (0, Helper_1.getSecret)({ name: clientSecretKeyName, vaultInfo }),
+    ]);
+    const [principalId, principalSecret] = includePrincipalSecret
+        ? await Promise.all([
+            (0, Helper_1.getSecret)({ name: principalIdKeyName, vaultInfo }),
+            (0, Helper_1.getSecret)({ name: principalSecretKeyName, vaultInfo }),
+        ])
+        : [undefined, undefined];
+    return { clientId, clientSecret, principalId, principalSecret };
+};
+exports.getIdentitySecrets = getIdentitySecrets;
+const getIdentity = async (name, isGlobal = false) => {
+    const displayName = isGlobal ? `global-${name}` : (0, Naming_1.getIdentityName)(name);
+    const app = await azureAD.getApplication({
+        displayName,
+    });
+    const principal = await azureAD.getServicePrincipal({
+        displayName,
+    });
+    return { app, principal };
+};
+exports.getIdentity = getIdentity;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL0F6QWQvSGVscGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDZDQUFrRTtBQUNsRSwrQ0FBK0M7QUFFL0MsMkNBQTJDO0FBUXBDLE1BQU0sa0JBQWtCLEdBQUcsS0FBSyxFQUFFLEVBQ3ZDLElBQUksRUFDSixTQUFTLEVBQ1Qsc0JBQXNCLEdBQ2hCLEVBQUUsRUFBRTtJQUNWLElBQUksR0FBRyxJQUFBLHdCQUFlLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFFN0IsTUFBTSxlQUFlLEdBQUcsSUFBQSxzQkFBYSxFQUFDLEdBQUcsSUFBSSxZQUFZLENBQUMsQ0FBQztJQUMzRCxNQUFNLG1CQUFtQixHQUFHLElBQUEsc0JBQWEsRUFBQyxHQUFHLElBQUksZ0JBQWdCLENBQUMsQ0FBQztJQUNuRSxNQUFNLGtCQUFrQixHQUFHLElBQUEsc0JBQWEsRUFBQyxHQUFHLElBQUksZUFBZSxDQUFDLENBQUM7SUFDakUsTUFBTSxzQkFBc0IsR0FBRyxJQUFBLHNCQUFhLEVBQUMsR0FBRyxJQUFJLG1CQUFtQixDQUFDLENBQUM7SUFFekUsTUFBTSxDQUFDLFFBQVEsRUFBRSxZQUFZLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7UUFDakQsSUFBQSxrQkFBUyxFQUFDLEVBQUUsSUFBSSxFQUFFLGVBQWUsRUFBRSxTQUFTLEVBQUUsQ0FBQztRQUMvQyxJQUFBLGtCQUFTLEVBQUMsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsU0FBUyxFQUFFLENBQUM7S0FDcEQsQ0FBQyxDQUFDO0lBRUgsTUFBTSxDQUFDLFdBQVcsRUFBRSxlQUFlLENBQUMsR0FBRyxzQkFBc0I7UUFDM0QsQ0FBQyxDQUFDLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztZQUNoQixJQUFBLGtCQUFTLEVBQUMsRUFBRSxJQUFJLEVBQUUsa0JBQWtCLEVBQUUsU0FBUyxFQUFFLENBQUM7WUFDbEQsSUFBQSxrQkFBUyxFQUFDLEVBQUUsSUFBSSxFQUFFLHNCQUFzQixFQUFFLFNBQVMsRUFBRSxDQUFDO1NBQ3ZELENBQUM7UUFDSixDQUFDLENBQUMsQ0FBQyxTQUFTLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFFM0IsT0FBTyxFQUFFLFFBQVEsRUFBRSxZQUFZLEVBQUUsV0FBVyxFQUFFLGVBQWUsRUFBRSxDQUFDO0FBQ2xFLENBQUMsQ0FBQztBQXpCVyxRQUFBLGtCQUFrQixzQkF5QjdCO0FBRUssTUFBTSxXQUFXLEdBQUcsS0FBSyxFQUFFLElBQVksRUFBRSxRQUFRLEdBQUcsS0FBSyxFQUFFLEVBQUU7SUFDbEUsTUFBTSxXQUFXLEdBQUcsUUFBUSxDQUFDLENBQUMsQ0FBQyxVQUFVLElBQUksRUFBRSxDQUFDLENBQUMsQ0FBQyxJQUFBLHdCQUFlLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFFeEUsTUFBTSxHQUFHLEdBQUcsTUFBTSxPQUFPLENBQUMsY0FBYyxDQUFDO1FBQ3ZDLFdBQVc7S0FDWixDQUFDLENBQUM7SUFDSCxNQUFNLFNBQVMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxtQkFBbUIsQ0FBQztRQUNsRCxXQUFXO0tBQ1osQ0FBQyxDQUFDO0lBRUgsT0FBTyxFQUFFLEdBQUcsRUFBRSxTQUFTLEVBQUUsQ0FBQztBQUM1QixDQUFDLENBQUM7QUFYVyxRQUFBLFdBQVcsZUFXdEIifQ==

package/AzAd/Identities/AzDevOps.d.ts

@@ -0,0 +1,23 @@
+import { KeyVaultInfo } from '../../types';
+export declare const defaultName = "azure-devops";
+interface Props {
+    name?: string;
+    enableOwner?: boolean;
+    vaultInfo?: KeyVaultInfo;
+    allowAccessPolicy?: boolean;
+}
+/** Get Global  ADO Identity */
+export declare const getAdoIdentity: () => import("@pulumi/pulumi").Output<import("@pulumi/pulumi").UnwrappedObject<{
+    app: import("@pulumi/azuread").GetApplicationResult;
+    principal: import("@pulumi/azuread").GetServicePrincipalResult;
+}>>;
+/** Create Global ADO Identity */
+declare const _default: ({ name, enableOwner, vaultInfo, allowAccessPolicy, ...others }: Props) => import("../Identity").IdentityResult & {
+    vaultNames: {
+        clientIdKeyName: string;
+        clientSecretKeyName: string;
+        principalIdKeyName: string;
+        principalSecretKeyName: string;
+    };
+};
+export default _default;

package/AzAd/Identities/AzDevOps.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAdoIdentity = exports.defaultName = void 0;
+const Identity_1 = require("../Identity");
+const Helper_1 = require("../Helper");
+const GraphDefinition_1 = require("../GraphDefinition");
+const pulumi_1 = require("@pulumi/pulumi");
+exports.defaultName = 'azure-devops';
+/** Get Global  ADO Identity */
+const getAdoIdentity = () => (0, pulumi_1.output)((0, Helper_1.getIdentity)(exports.defaultName, true));
+exports.getAdoIdentity = getAdoIdentity;
+/** Create Global ADO Identity */
+exports.default = ({ name = exports.defaultName, enableOwner, vaultInfo, allowAccessPolicy, ...others }) => {
+    const graphAccess = (0, GraphDefinition_1.getGraphPermissions)({ name: 'User.Read', type: 'Scope' });
+    const principalRoles = enableOwner
+        ? [{ roleName: 'Owner' }]
+        : [
+            { roleName: 'Contributor' },
+            { roleName: 'Network Contributor' },
+            { roleName: 'Storage Account Contributor' },
+            { roleName: 'Storage Blob Data Contributor' },
+            { roleName: 'Storage File Data SMB Share Contributor' },
+            { roleName: 'Storage Queue Data Contributor' },
+            { roleName: 'Storage Table Data Contributor' },
+            { roleName: 'Log Analytics Contributor' },
+            { roleName: 'Key Vault Administrator' },
+            { roleName: 'Key Vault Certificates Officer' },
+            { roleName: 'Key Vault Contributor' },
+            { roleName: 'Key Vault Crypto Officer' },
+            { roleName: 'Key Vault Crypto Service Encryption User' },
+            { roleName: 'Key Vault Crypto User' },
+            { roleName: 'Key Vault Secrets Officer' },
+            { roleName: 'Key Vault Secrets User' },
+            { roleName: 'User Access Administrator' },
+            { roleName: 'AcrPush' },
+            { roleName: 'AcrPull' },
+            { roleName: 'Data Factory Contributor' },
+        ];
+    const ado = (0, Identity_1.default)({
+        name,
+        appType: 'web',
+        createClientSecret: true,
+        createPrincipal: true,
+        requiredResourceAccesses: [graphAccess],
+        principalRoles,
+        vaultInfo,
+        ...others,
+    });
+    //Grant key vault permission to ADO
+    // if (allowAccessPolicy && vaultInfo) {
+    //   grantVaultAccessPolicy({
+    //     vaultInfo,
+    //     name: 'azure-devops-vault-permission',
+    //     permission: 'ReadWrite',
+    //     objectId: ado.objectId,
+    //   });
+    // }
+    console.log(`Add this principal ${name} to [User administrator, Application administrator, Cloud application administrator and Global Reader] of Azure AD to allow to Add/Update and Delete Groups, Users`);
+    return ado;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQXpEZXZPcHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvQXpBZC9JZGVudGl0aWVzL0F6RGV2T3BzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUNBLDBDQUFtQztBQUNuQyxzQ0FBd0M7QUFDeEMsd0RBQXlEO0FBQ3pELDJDQUFzQztBQUV6QixRQUFBLFdBQVcsR0FBRyxjQUFjLENBQUM7QUFTMUMsK0JBQStCO0FBQ3hCLE1BQU0sY0FBYyxHQUFHLEdBQUcsRUFBRSxDQUFDLElBQUEsZUFBTSxFQUFDLElBQUEsb0JBQVcsRUFBQyxtQkFBVyxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUM7QUFBOUQsUUFBQSxjQUFjLGtCQUFnRDtBQUUzRSxpQ0FBaUM7QUFDakMsa0JBQWUsQ0FBQyxFQUNkLElBQUksR0FBRyxtQkFBVyxFQUNsQixXQUFXLEVBQ1gsU0FBUyxFQUNULGlCQUFpQixFQUNqQixHQUFHLE1BQU0sRUFDSCxFQUFFLEVBQUU7SUFDVixNQUFNLFdBQVcsR0FBRyxJQUFBLHFDQUFtQixFQUFDLEVBQUUsSUFBSSxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLENBQUMsQ0FBQztJQUU5RSxNQUFNLGNBQWMsR0FBRyxXQUFXO1FBQ2hDLENBQUMsQ0FBQyxDQUFDLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSxDQUFDO1FBQ3pCLENBQUMsQ0FBQztZQUNFLEVBQUUsUUFBUSxFQUFFLGFBQWEsRUFBRTtZQUMzQixFQUFFLFFBQVEsRUFBRSxxQkFBcUIsRUFBRTtZQUNuQyxFQUFFLFFBQVEsRUFBRSw2QkFBNkIsRUFBRTtZQUMzQyxFQUFFLFFBQVEsRUFBRSwrQkFBK0IsRUFBRTtZQUM3QyxFQUFFLFFBQVEsRUFBRSx5Q0FBeUMsRUFBRTtZQUN2RCxFQUFFLFFBQVEsRUFBRSxnQ0FBZ0MsRUFBRTtZQUM5QyxFQUFFLFFBQVEsRUFBRSxnQ0FBZ0MsRUFBRTtZQUM5QyxFQUFFLFFBQVEsRUFBRSwyQkFBMkIsRUFBRTtZQUN6QyxFQUFFLFFBQVEsRUFBRSx5QkFBeUIsRUFBRTtZQUN2QyxFQUFFLFFBQVEsRUFBRSxnQ0FBZ0MsRUFBRTtZQUM5QyxFQUFFLFFBQVEsRUFBRSx1QkFBdUIsRUFBRTtZQUNyQyxFQUFFLFFBQVEsRUFBRSwwQkFBMEIsRUFBRTtZQUN4QyxFQUFFLFFBQVEsRUFBRSwwQ0FBMEMsRUFBRTtZQUN4RCxFQUFFLFFBQVEsRUFBRSx1QkFBdUIsRUFBRTtZQUNyQyxFQUFFLFFBQVEsRUFBRSwyQkFBMkIsRUFBRTtZQUN6QyxFQUFFLFFBQVEsRUFBRSx3QkFBd0IsRUFBRTtZQUN0QyxFQUFFLFFBQVEsRUFBRSwyQkFBMkIsRUFBRTtZQUN6QyxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUU7WUFDdkIsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFO1lBQ3ZCLEVBQUUsUUFBUSxFQUFFLDBCQUEwQixFQUFFO1NBQ3pDLENBQUM7SUFFTixNQUFNLEdBQUcsR0FBRyxJQUFBLGtCQUFRLEVBQUM7UUFDbkIsSUFBSTtRQUNKLE9BQU8sRUFBRSxLQUFLO1FBQ2Qsa0JBQWtCLEVBQUUsSUFBSTtRQUN4QixlQUFlLEVBQUUsSUFBSTtRQUNyQix3QkFBd0IsRUFBRSxDQUFDLFdBQVcsQ0FBQztRQUN2QyxjQUFjO1FBQ2QsU0FBUztRQUNULEdBQUcsTUFBTTtLQUNWLENBQUMsQ0FBQztJQUVILG1DQUFtQztJQUNuQyx3Q0FBd0M7SUFDeEMsNkJBQTZCO0lBQzdCLGlCQUFpQjtJQUNqQiw2Q0FBNkM7SUFDN0MsK0JBQStCO0lBQy9CLDhCQUE4QjtJQUM5QixRQUFRO0lBQ1IsSUFBSTtJQUVKLE9BQU8sQ0FBQyxHQUFHLENBQ1Qsc0JBQXNCLElBQUksb0tBQW9LLENBQy9MLENBQUM7SUFFRixPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUMsQ0FBQyJ9

package/AzAd/Identities/AzUserAdRevertSync.d.ts

@@ -0,0 +1,14 @@
+import { KeyVaultInfo } from '../../types';
+interface Props {
+    name: string;
+    vaultInfo: KeyVaultInfo;
+}
+declare const _default: ({ name, ...others }: Props) => import("../Identity").IdentityResult & {
+    vaultNames: {
+        clientIdKeyName: string;
+        clientSecretKeyName: string;
+        principalIdKeyName: string;
+        principalSecretKeyName: string;
+    };
+};
+export default _default;

package/AzAd/Identities/AzUserAdRevertSync.js

@@ -0,0 +1,18 @@
+"use strict";
+//This will create a App Registration with enough permission for Application to read users from Azure AD and sync back to AD DS on-premise.
+Object.defineProperty(exports, "__esModule", { value: true });
+const Identity_1 = require("../Identity");
+const GraphDefinition_1 = require("../GraphDefinition");
+exports.default = ({ name, ...others }) => {
+    const graphAccess = (0, GraphDefinition_1.getGraphPermissions)({ name: 'User.Read.All', type: 'Role' }, { name: 'Group.Read.All', type: 'Role' });
+    const identity = (0, Identity_1.default)({
+        name,
+        appType: 'api',
+        createClientSecret: true,
+        createPrincipal: true,
+        requiredResourceAccesses: [graphAccess],
+        ...others,
+    });
+    return identity;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQXpVc2VyQWRSZXZlcnRTeW5jLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL0F6QWQvSWRlbnRpdGllcy9BelVzZXJBZFJldmVydFN5bmMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLDJJQUEySTs7QUFHM0ksMENBQW1DO0FBQ25DLHdEQUF5RDtBQU96RCxrQkFBZSxDQUFDLEVBQUUsSUFBSSxFQUFFLEdBQUcsTUFBTSxFQUFTLEVBQUUsRUFBRTtJQUM1QyxNQUFNLFdBQVcsR0FBRyxJQUFBLHFDQUFtQixFQUNyQyxFQUFFLElBQUksRUFBRSxlQUFlLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxFQUN2QyxFQUFFLElBQUksRUFBRSxnQkFBZ0IsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLENBQ3pDLENBQUM7SUFFRixNQUFNLFFBQVEsR0FBRyxJQUFBLGtCQUFRLEVBQUM7UUFDeEIsSUFBSTtRQUNKLE9BQU8sRUFBRSxLQUFLO1FBQ2Qsa0JBQWtCLEVBQUUsSUFBSTtRQUN4QixlQUFlLEVBQUUsSUFBSTtRQUNyQix3QkFBd0IsRUFBRSxDQUFDLFdBQVcsQ0FBQztRQUN2QyxHQUFHLE1BQU07S0FDVixDQUFDLENBQUM7SUFFSCxPQUFPLFFBQVEsQ0FBQztBQUNsQixDQUFDLENBQUMifQ==

package/AzAd/Identity.d.ts

@@ -0,0 +1,51 @@
+import * as azureAD from '@pulumi/azuread';
+import * as pulumi from '@pulumi/pulumi';
+import { Input, Output } from '@pulumi/pulumi';
+import { ApplicationApiOauth2PermissionScope, ApplicationAppRole, ApplicationRequiredResourceAccess, ApplicationOptionalClaims } from '@pulumi/azuread/types/input';
+import { KeyVaultInfo } from '../types';
+type PreAuthApplicationProps = {
+    appId: string;
+    oauth2PermissionNames: string[];
+};
+type IdentityProps = {
+    name: string;
+    owners?: pulumi.Input<pulumi.Input<string>[]>;
+    createClientSecret?: boolean;
+    /** if UI app set public client is true */
+    homepage?: pulumi.Input<string>;
+    publicClient?: boolean;
+    createPrincipal?: boolean;
+    replyUrls?: pulumi.Input<pulumi.Input<string>[]>;
+    appType?: 'spa' | 'web' | 'api';
+    allowMultiOrg?: boolean;
+    appRoles?: pulumi.Input<pulumi.Input<ApplicationAppRole>[]>;
+    oauth2Permissions?: pulumi.Input<pulumi.Input<ApplicationApiOauth2PermissionScope>[]>;
+    appRoleAssignmentRequired?: boolean;
+    preAuthApplications?: PreAuthApplicationProps[];
+    requiredResourceAccesses?: pulumi.Input<pulumi.Input<ApplicationRequiredResourceAccess>[]>;
+    /**The Role Assignment of principal. If scope is not defined the default scope will be at subscription level*/
+    principalRoles?: Array<{
+        roleName: string;
+        scope?: Input<string>;
+    }>;
+    optionalClaims?: pulumi.Input<ApplicationOptionalClaims>;
+    vaultInfo?: KeyVaultInfo;
+};
+export type IdentityResult = {
+    name: string;
+    objectId: Output<string>;
+    clientId: Output<string>;
+    clientSecret: Output<string> | undefined;
+    principalId: Output<string> | undefined;
+    principalSecret: Output<string> | undefined;
+    resource: azureAD.Application;
+};
+declare const _default: ({ name, owners, createClientSecret, createPrincipal, replyUrls, appType, allowMultiOrg, appRoles, appRoleAssignmentRequired, requiredResourceAccesses, oauth2Permissions, publicClient, principalRoles, optionalClaims, vaultInfo, }: IdentityProps) => IdentityResult & {
+    vaultNames: {
+        clientIdKeyName: string;
+        clientSecretKeyName: string;
+        principalIdKeyName: string;
+        principalSecretKeyName: string;
+    };
+};
+export default _default;

package/AzAd/Identity.js

@@ -0,0 +1,133 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const azureAD = require("@pulumi/azuread");
+const pulumi = require("@pulumi/pulumi");
+const Naming_1 = require("../Common/Naming");
+const RoleAssignment_1 = require("./RoleAssignment");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const CustomHelper_1 = require("../KeyVault/CustomHelper");
+exports.default = ({ name, owners, createClientSecret = false, createPrincipal = false, replyUrls, appType = 'spa', allowMultiOrg = false, appRoles, appRoleAssignmentRequired, requiredResourceAccesses = [], oauth2Permissions, publicClient = false, principalRoles, optionalClaims, vaultInfo, }) => {
+    // Azure AD Application no need suffix
+    name = (0, Naming_1.getIdentityName)(name);
+    const clientIdKeyName = `${name}-client-id`;
+    const clientSecretKeyName = `${name}-client-secret`;
+    const principalIdKeyName = `${name}-principal-id`;
+    const principalSecretKeyName = `${name}-principal-secret`;
+    const identifierUris = publicClient
+        ? undefined
+        : [`api://${name.toLowerCase()}`];
+    const app = new azureAD.Application(name, {
+        displayName: name,
+        description: name,
+        owners,
+        appRoles,
+        signInAudience: allowMultiOrg ? 'AzureADMultipleOrgs' : 'AzureADMyOrg',
+        groupMembershipClaims: ['SecurityGroup'],
+        identifierUris,
+        publicClient: publicClient ? { redirectUris: replyUrls } : undefined,
+        singlePageApplication: appType === 'spa'
+            ? {
+                redirectUris: replyUrls,
+            }
+            : undefined,
+        web: appType === 'web'
+            ? {
+                redirectUris: replyUrls,
+                implicitGrant: {
+                    accessTokenIssuanceEnabled: true,
+                    idTokenIssuanceEnabled: true,
+                },
+            }
+            : undefined,
+        api: appType === 'api'
+            ? {
+                oauth2PermissionScopes: oauth2Permissions,
+                mappedClaimsEnabled: true,
+                requestedAccessTokenVersion: 2,
+            }
+            : undefined,
+        fallbackPublicClientEnabled: false,
+        preventDuplicateNames: true,
+        requiredResourceAccesses: requiredResourceAccesses
+            ? pulumi.output(requiredResourceAccesses).apply((r) => [...r])
+            : undefined,
+        optionalClaims,
+    });
+    if (vaultInfo)
+        (0, CustomHelper_1.addCustomSecret)({
+            name: clientIdKeyName,
+            value: app.clientId,
+            vaultInfo,
+            contentType: 'Identity',
+        });
+    let clientSecret = undefined;
+    if (createClientSecret) {
+        clientSecret = new azureAD.ApplicationPassword(name, {
+            displayName: name,
+            applicationId: app.id,
+            endDateRelative: '43800h',
+            //value: randomPassword({ name: `${name}-clientSecret` }).result,
+        }, { ignoreChanges: ['applicationId', 'applicationObjectId'] }).value;
+        if (vaultInfo)
+            (0, CustomHelper_1.addCustomSecret)({
+                name: clientSecretKeyName,
+                value: clientSecret,
+                vaultInfo,
+                contentType: 'Identity',
+            });
+    }
+    let principal;
+    let principalSecret = undefined;
+    if (createPrincipal || appRoleAssignmentRequired) {
+        principal = new azureAD.ServicePrincipal(name, {
+            //Allow to access to application as the permission is manage by Group assignment.
+            appRoleAssignmentRequired,
+            clientId: app.clientId,
+        }, { ignoreChanges: ['clientId', 'applicationId'] });
+        principalSecret = new azureAD.ServicePrincipalPassword(name, {
+            displayName: name,
+            servicePrincipalId: principal.objectId,
+            endDateRelative: '43800h',
+            //value: randomPassword({ name: `${name}-principalSecret` }).result,
+        }).value;
+        if (principalRoles) {
+            principalRoles.map((r) => (0, RoleAssignment_1.roleAssignment)({
+                name,
+                roleName: r.roleName,
+                principalId: principal.id,
+                principalType: 'ServicePrincipal',
+                scope: r.scope || AzureEnv_1.defaultScope,
+            }));
+        }
+        if (vaultInfo) {
+            (0, CustomHelper_1.addCustomSecret)({
+                name: principalIdKeyName,
+                value: principal.objectId,
+                vaultInfo,
+                contentType: 'Identity',
+            });
+            (0, CustomHelper_1.addCustomSecret)({
+                name: principalSecretKeyName,
+                value: principalSecret,
+                vaultInfo,
+                contentType: 'Identity',
+            });
+        }
+    }
+    return {
+        name,
+        objectId: app.objectId,
+        clientId: app.applicationId ?? app.clientId,
+        clientSecret,
+        principalId: principal?.objectId,
+        principalSecret,
+        resource: app,
+        vaultNames: {
+            clientIdKeyName,
+            clientSecretKeyName,
+            principalIdKeyName,
+            principalSecretKeyName,
+        },
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSWRlbnRpdHkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvQXpBZC9JZGVudGl0eS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLDJDQUEyQztBQUUzQyx5Q0FBeUM7QUFFekMsNkNBQW1EO0FBU25ELHFEQUFrRDtBQUNsRCxpREFBa0Q7QUFDbEQsMkRBQTJEO0FBOEMzRCxrQkFBZSxDQUFDLEVBQ2QsSUFBSSxFQUNKLE1BQU0sRUFDTixrQkFBa0IsR0FBRyxLQUFLLEVBQzFCLGVBQWUsR0FBRyxLQUFLLEVBQ3ZCLFNBQVMsRUFDVCxPQUFPLEdBQUcsS0FBSyxFQUNmLGFBQWEsR0FBRyxLQUFLLEVBQ3JCLFFBQVEsRUFDUix5QkFBeUIsRUFDekIsd0JBQXdCLEdBQUcsRUFBRSxFQUM3QixpQkFBaUIsRUFDakIsWUFBWSxHQUFHLEtBQUssRUFDcEIsY0FBYyxFQUNkLGNBQWMsRUFDZCxTQUFTLEdBQ0ssRUFPZCxFQUFFO0lBQ0Ysc0NBQXNDO0lBQ3RDLElBQUksR0FBRyxJQUFBLHdCQUFlLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFFN0IsTUFBTSxlQUFlLEdBQUcsR0FBRyxJQUFJLFlBQVksQ0FBQztJQUM1QyxNQUFNLG1CQUFtQixHQUFHLEdBQUcsSUFBSSxnQkFBZ0IsQ0FBQztJQUNwRCxNQUFNLGtCQUFrQixHQUFHLEdBQUcsSUFBSSxlQUFlLENBQUM7SUFDbEQsTUFBTSxzQkFBc0IsR0FBRyxHQUFHLElBQUksbUJBQW1CLENBQUM7SUFFMUQsTUFBTSxjQUFjLEdBQUcsWUFBWTtRQUNqQyxDQUFDLENBQUMsU0FBUztRQUNYLENBQUMsQ0FBQyxDQUFDLFNBQVMsSUFBSSxDQUFDLFdBQVcsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUVwQyxNQUFNLEdBQUcsR0FBRyxJQUFJLE9BQU8sQ0FBQyxXQUFXLENBQUMsSUFBSSxFQUFFO1FBQ3hDLFdBQVcsRUFBRSxJQUFJO1FBQ2pCLFdBQVcsRUFBRSxJQUFJO1FBRWpCLE1BQU07UUFDTixRQUFRO1FBQ1IsY0FBYyxFQUFFLGFBQWEsQ0FBQyxDQUFDLENBQUMscUJBQXFCLENBQUMsQ0FBQyxDQUFDLGNBQWM7UUFDdEUscUJBQXFCLEVBQUUsQ0FBQyxlQUFlLENBQUM7UUFDeEMsY0FBYztRQUVkLFlBQVksRUFBRSxZQUFZLENBQUMsQ0FBQyxDQUFDLEVBQUUsWUFBWSxFQUFFLFNBQVMsRUFBRSxDQUFDLENBQUMsQ0FBQyxTQUFTO1FBRXBFLHFCQUFxQixFQUNuQixPQUFPLEtBQUssS0FBSztZQUNmLENBQUMsQ0FBQztnQkFDRSxZQUFZLEVBQUUsU0FBUzthQUN4QjtZQUNILENBQUMsQ0FBQyxTQUFTO1FBRWYsR0FBRyxFQUNELE9BQU8sS0FBSyxLQUFLO1lBQ2YsQ0FBQyxDQUFDO2dCQUNFLFlBQVksRUFBRSxTQUFTO2dCQUN2QixhQUFhLEVBQUU7b0JBQ2IsMEJBQTBCLEVBQUUsSUFBSTtvQkFDaEMsc0JBQXNCLEVBQUUsSUFBSTtpQkFDN0I7YUFDRjtZQUNILENBQUMsQ0FBQyxTQUFTO1FBRWYsR0FBRyxFQUNELE9BQU8sS0FBSyxLQUFLO1lBQ2YsQ0FBQyxDQUFDO2dCQUNFLHNCQUFzQixFQUFFLGlCQUFpQjtnQkFDekMsbUJBQW1CLEVBQUUsSUFBSTtnQkFDekIsMkJBQTJCLEVBQUUsQ0FBQzthQUMvQjtZQUNILENBQUMsQ0FBQyxTQUFTO1FBRWYsMkJBQTJCLEVBQUUsS0FBSztRQUNsQyxxQkFBcUIsRUFBRSxJQUFJO1FBQzNCLHdCQUF3QixFQUFFLHdCQUF3QjtZQUNoRCxDQUFDLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyx3QkFBd0IsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1lBQzlELENBQUMsQ0FBQyxTQUFTO1FBRWIsY0FBYztLQUNmLENBQUMsQ0FBQztJQUVILElBQUksU0FBUztRQUNYLElBQUEsOEJBQWUsRUFBQztZQUNkLElBQUksRUFBRSxlQUFlO1lBQ3JCLEtBQUssRUFBRSxHQUFHLENBQUMsUUFBUTtZQUNuQixTQUFTO1lBQ1QsV0FBVyxFQUFFLFVBQVU7U0FDeEIsQ0FBQyxDQUFDO0lBRUwsSUFBSSxZQUFZLEdBQStCLFNBQVMsQ0FBQztJQUN6RCxJQUFJLGtCQUFrQixFQUFFLENBQUM7UUFDdkIsWUFBWSxHQUFHLElBQUksT0FBTyxDQUFDLG1CQUFtQixDQUM1QyxJQUFJLEVBQ0o7WUFDRSxXQUFXLEVBQUUsSUFBSTtZQUNqQixhQUFhLEVBQUUsR0FBRyxDQUFDLEVBQUU7WUFDckIsZUFBZSxFQUFFLFFBQVE7WUFDekIsaUVBQWlFO1NBQ2xFLEVBQ0QsRUFBRSxhQUFhLEVBQUUsQ0FBQyxlQUFlLEVBQUUscUJBQXFCLENBQUMsRUFBRSxDQUM1RCxDQUFDLEtBQUssQ0FBQztRQUVSLElBQUksU0FBUztZQUNYLElBQUEsOEJBQWUsRUFBQztnQkFDZCxJQUFJLEVBQUUsbUJBQW1CO2dCQUN6QixLQUFLLEVBQUUsWUFBWTtnQkFDbkIsU0FBUztnQkFDVCxXQUFXLEVBQUUsVUFBVTthQUN4QixDQUFDLENBQUM7SUFDUCxDQUFDO0lBRUQsSUFBSSxTQUF1QyxDQUFDO0lBQzVDLElBQUksZUFBZSxHQUErQixTQUFTLENBQUM7SUFFNUQsSUFBSSxlQUFlLElBQUkseUJBQXlCLEVBQUUsQ0FBQztRQUNqRCxTQUFTLEdBQUcsSUFBSSxPQUFPLENBQUMsZ0JBQWdCLENBQ3RDLElBQUksRUFDSjtZQUNFLGlGQUFpRjtZQUNqRix5QkFBeUI7WUFDekIsUUFBUSxFQUFFLEdBQUcsQ0FBQyxRQUFRO1NBQ3ZCLEVBQ0QsRUFBRSxhQUFhLEVBQUUsQ0FBQyxVQUFVLEVBQUUsZUFBZSxDQUFDLEVBQUUsQ0FDakQsQ0FBQztRQUVGLGVBQWUsR0FBRyxJQUFJLE9BQU8sQ0FBQyx3QkFBd0IsQ0FBQyxJQUFJLEVBQUU7WUFDM0QsV0FBVyxFQUFFLElBQUk7WUFDakIsa0JBQWtCLEVBQUUsU0FBUyxDQUFDLFFBQVE7WUFDdEMsZUFBZSxFQUFFLFFBQVE7WUFDekIsb0VBQW9FO1NBQ3JFLENBQUMsQ0FBQyxLQUFLLENBQUM7UUFFVCxJQUFJLGNBQWMsRUFBRSxDQUFDO1lBQ25CLGNBQWMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUN2QixJQUFBLCtCQUFjLEVBQUM7Z0JBQ2IsSUFBSTtnQkFDSixRQUFRLEVBQUUsQ0FBQyxDQUFDLFFBQVE7Z0JBQ3BCLFdBQVcsRUFBRSxTQUFVLENBQUMsRUFBRTtnQkFDMUIsYUFBYSxFQUFFLGtCQUFrQjtnQkFDakMsS0FBSyxFQUFFLENBQUMsQ0FBQyxLQUFLLElBQUksdUJBQVk7YUFDL0IsQ0FBQyxDQUNILENBQUM7UUFDSixDQUFDO1FBRUQsSUFBSSxTQUFTLEVBQUUsQ0FBQztZQUNkLElBQUEsOEJBQWUsRUFBQztnQkFDZCxJQUFJLEVBQUUsa0JBQWtCO2dCQUN4QixLQUFLLEVBQUUsU0FBUyxDQUFDLFFBQVE7Z0JBQ3pCLFNBQVM7Z0JBQ1QsV0FBVyxFQUFFLFVBQVU7YUFDeEIsQ0FBQyxDQUFDO1lBRUgsSUFBQSw4QkFBZSxFQUFDO2dCQUNkLElBQUksRUFBRSxzQkFBc0I7Z0JBQzVCLEtBQUssRUFBRSxlQUFlO2dCQUN0QixTQUFTO2dCQUNULFdBQVcsRUFBRSxVQUFVO2FBQ3hCLENBQUMsQ0FBQztRQUNMLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTztRQUNMLElBQUk7UUFDSixRQUFRLEVBQUUsR0FBRyxDQUFDLFFBQVE7UUFDdEIsUUFBUSxFQUFFLEdBQUcsQ0FBQyxhQUFhLElBQUksR0FBRyxDQUFDLFFBQVE7UUFDM0MsWUFBWTtRQUNaLFdBQVcsRUFBRSxTQUFTLEVBQUUsUUFBUTtRQUNoQyxlQUFlO1FBQ2YsUUFBUSxFQUFFLEdBQUc7UUFDYixVQUFVLEVBQUU7WUFDVixlQUFlO1lBQ2YsbUJBQW1CO1lBQ25CLGtCQUFrQjtZQUNsQixzQkFBc0I7U0FDdkI7S0FDRixDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/AzAd/ManagedIdentity.d.ts

@@ -0,0 +1,6 @@
+import { BasicResourceArgs } from "../types";
+interface Props extends BasicResourceArgs {
+    lock?: boolean;
+}
+declare const _default: ({ name, group, lock }: Props) => import("@pulumi/azure-native/managedidentity/userAssignedIdentity").UserAssignedIdentity;
+export default _default;

package/AzAd/ManagedIdentity.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const azure = require("@pulumi/azure-native");
+const Naming_1 = require("../Common/Naming");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const Locker_1 = require("../Core/Locker");
+exports.default = ({ name, group, lock }) => {
+    const n = (0, Naming_1.getManagedIdentityName)(name);
+    const managedIdentity = new azure.managedidentity.UserAssignedIdentity(n, {
+        resourceName: n,
+        ...group,
+        tags: AzureEnv_1.defaultTags,
+    });
+    if (lock) {
+        (0, Locker_1.default)({
+            name: n,
+            resourceId: managedIdentity.id,
+            dependsOn: managedIdentity,
+        });
+    }
+    return managedIdentity;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiTWFuYWdlZElkZW50aXR5LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL0F6QWQvTWFuYWdlZElkZW50aXR5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQ0EsOENBQThDO0FBQzlDLDZDQUEwRDtBQUMxRCxpREFBaUQ7QUFDakQsMkNBQW9DO0FBTXBDLGtCQUFlLENBQUMsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLElBQUksRUFBUyxFQUFFLEVBQUU7SUFDOUMsTUFBTSxDQUFDLEdBQUcsSUFBQSwrQkFBc0IsRUFBQyxJQUFJLENBQUMsQ0FBQztJQUN2QyxNQUFNLGVBQWUsR0FBRyxJQUFJLEtBQUssQ0FBQyxlQUFlLENBQUMsb0JBQW9CLENBQUMsQ0FBQyxFQUFFO1FBQ3hFLFlBQVksRUFBRSxDQUFDO1FBQ2YsR0FBRyxLQUFLO1FBQ1IsSUFBSSxFQUFFLHNCQUFXO0tBQ2xCLENBQUMsQ0FBQztJQUVILElBQUksSUFBSSxFQUFFLENBQUM7UUFDVCxJQUFBLGdCQUFNLEVBQUM7WUFDTCxJQUFJLEVBQUUsQ0FBQztZQUNQLFVBQVUsRUFBRSxlQUFlLENBQUMsRUFBRTtZQUM5QixTQUFTLEVBQUUsZUFBZTtTQUMzQixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsT0FBTyxlQUFlLENBQUM7QUFDekIsQ0FBQyxDQUFDIn0=

package/AzAd/Role.d.ts

@@ -0,0 +1,19 @@
+import { GroupPermissionProps } from './Group';
+import { Environments } from '../Common/AzureEnv';
+import { Input } from '@pulumi/pulumi';
+interface RoleProps {
+    env: Environments;
+    /** The country code or GLB for Global*/
+    location?: string;
+    appName: string;
+    moduleName?: string;
+    roleName: string;
+    members?: Input<string>[];
+    owners?: Input<Input<string>[]>;
+    permissions?: Array<GroupPermissionProps>;
+    includeOrganization?: boolean;
+}
+export type RoleNameType = Pick<RoleProps, 'env' | 'location' | 'appName' | 'moduleName' | 'roleName' | 'includeOrganization'>;
+export declare const getRoleName: ({ env, location, appName, moduleName, roleName, includeOrganization, }: RoleNameType) => string;
+declare const _default: ({ members, owners, permissions, ...others }: RoleProps) => import("@pulumi/pulumi").Output<import("@pulumi/azuread/group").Group>;
+export default _default;

package/AzAd/Role.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRoleName = void 0;
+const Group_1 = require("./Group");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const pulumi_1 = require("@pulumi/pulumi");
+const StackEnv_1 = require("../Common/StackEnv");
+const getRoleName = ({ env, location = 'GLB', appName, moduleName, roleName, includeOrganization = true, }) => {
+    const prefix = includeOrganization ? `${StackEnv_1.organization} ROL` : 'ROL';
+    const e = env === AzureEnv_1.Environments.Prd ? 'prod' : 'staging';
+    return moduleName
+        ? `${prefix} ${e} ${location} ${appName}.${moduleName} ${roleName}`.toUpperCase()
+        : `${prefix} ${e} ${location} ${appName} ${roleName}`.toUpperCase();
+};
+exports.getRoleName = getRoleName;
+exports.default = ({ members, owners, permissions, ...others }) => {
+    const name = (0, exports.getRoleName)(others);
+    return (0, pulumi_1.output)((0, Group_1.default)({
+        name,
+        members,
+        owners,
+        permissions,
+    }));
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUm9sZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9BekFkL1JvbGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsbUNBQStEO0FBQy9ELGlEQUFrRDtBQUNsRCwyQ0FBK0M7QUFDL0MsaURBQWtEO0FBMEIzQyxNQUFNLFdBQVcsR0FBRyxDQUFDLEVBQzFCLEdBQUcsRUFDSCxRQUFRLEdBQUcsS0FBSyxFQUNoQixPQUFPLEVBQ1AsVUFBVSxFQUNWLFFBQVEsRUFDUixtQkFBbUIsR0FBRyxJQUFJLEdBQ2IsRUFBRSxFQUFFO0lBQ2pCLE1BQU0sTUFBTSxHQUFHLG1CQUFtQixDQUFDLENBQUMsQ0FBQyxHQUFHLHVCQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDO0lBRW5FLE1BQU0sQ0FBQyxHQUFHLEdBQUcsS0FBSyx1QkFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7SUFFeEQsT0FBTyxVQUFVO1FBQ2YsQ0FBQyxDQUFDLEdBQUcsTUFBTSxJQUFJLENBQUMsSUFBSSxRQUFRLElBQUksT0FBTyxJQUFJLFVBQVUsSUFBSSxRQUFRLEVBQUUsQ0FBQyxXQUFXLEVBQUU7UUFDakYsQ0FBQyxDQUFDLEdBQUcsTUFBTSxJQUFJLENBQUMsSUFBSSxRQUFRLElBQUksT0FBTyxJQUFJLFFBQVEsRUFBRSxDQUFDLFdBQVcsRUFBRSxDQUFDO0FBQ3hFLENBQUMsQ0FBQztBQWZXLFFBQUEsV0FBVyxlQWV0QjtBQUVGLGtCQUFlLENBQUMsRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLFdBQVcsRUFBRSxHQUFHLE1BQU0sRUFBYSxFQUFFLEVBQUU7SUFDeEUsTUFBTSxJQUFJLEdBQUcsSUFBQSxtQkFBVyxFQUFDLE1BQU0sQ0FBQyxDQUFDO0lBRWpDLE9BQU8sSUFBQSxlQUFNLEVBQ1gsSUFBQSxlQUFjLEVBQUM7UUFDYixJQUFJO1FBQ0osT0FBTztRQUNQLE1BQU07UUFDTixXQUFXO0tBQ1osQ0FBQyxDQUNILENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/AzAd/RoleAssignment.d.ts

@@ -0,0 +1,79 @@
+import * as native from '@pulumi/azure-native';
+import * as pulumi from '@pulumi/pulumi';
+import { Input, Resource } from '@pulumi/pulumi';
+type GetRoleProps = {
+    roleName: string;
+};
+/** The result must be single item if not will return undefined. */
+export declare const getRoleDefinitionByName: ({ roleName }: GetRoleProps) => {
+    properties: {
+        roleName: string;
+        type: string;
+        description: string;
+        assignableScopes: string[];
+        permissions: {
+            actions: string[];
+            notActions: never[];
+            dataActions: never[];
+            notDataActions: never[];
+        }[];
+        createdOn: string;
+        updatedOn: string;
+        createdBy: null;
+        updatedBy: string;
+    };
+    id: string;
+    type: string;
+    name: string;
+} | {
+    properties: {
+        roleName: string;
+        type: string;
+        description: string;
+        assignableScopes: string[];
+        permissions: {
+            actions: string[];
+            notActions: never[];
+            dataActions: string[];
+            notDataActions: string[];
+        }[];
+        createdOn: string;
+        updatedOn: string;
+        createdBy: null;
+        updatedBy: null;
+    };
+    id: string;
+    type: string;
+    name: string;
+} | {
+    properties: {
+        roleName: string;
+        type: string;
+        description: string;
+        assignableScopes: string[];
+        permissions: {
+            actions: string[];
+            notActions: string[];
+            dataActions: string[];
+            notDataActions: never[];
+        }[];
+        createdOn: string;
+        updatedOn: string;
+        createdBy: null;
+        updatedBy: null;
+    };
+    id: string;
+    type: string;
+    name: string;
+};
+type Props = {
+    name: string;
+    roleName: string;
+    scope?: pulumi.Input<string>;
+    principalId: pulumi.Input<string>;
+    /**The type of principal Id default is User*/
+    principalType?: native.authorization.PrincipalType;
+    dependsOn?: Input<Resource> | Input<Input<Resource>[]>;
+};
+export declare const roleAssignment: ({ name, roleName, scope, principalId, principalType, dependsOn, }: Props) => import("@pulumi/azure-native/authorization/roleAssignment").RoleAssignment;
+export {};