@microsoft/terraform-cdk-constructs 1.2.0 → 1.3.0

package/lib/azure-roleassignment/lib/role-assignment-schemas.d.ts

@@ -0,0 +1,25 @@
+/**
+ * API schemas for Azure Role Assignment across all supported versions
+ *
+ * This file defines the complete API schemas for Microsoft.Authorization/roleAssignments
+ * across all supported API versions. The schemas are used by the VersionedAzapiResource
+ * framework for validation, transformation, and version management.
+ */
+import { ApiSchema, VersionConfig } from "../../core-azure/lib/version-manager/interfaces/version-interfaces";
+/**
+ * API Schema for Role Assignment version 2022-04-01
+ * This is the latest stable API version for role assignments
+ */
+export declare const ROLE_ASSIGNMENT_SCHEMA_2022_04_01: ApiSchema;
+/**
+ * Version configuration for Role Assignment 2022-04-01
+ */
+export declare const ROLE_ASSIGNMENT_VERSION_2022_04_01: VersionConfig;
+/**
+ * All supported Role Assignment versions for registration
+ */
+export declare const ALL_ROLE_ASSIGNMENT_VERSIONS: VersionConfig[];
+/**
+ * Resource type constant
+ */
+export declare const ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments";

package/lib/azure-roleassignment/lib/role-assignment-schemas.js

@@ -0,0 +1,238 @@
+"use strict";
+/**
+ * API schemas for Azure Role Assignment across all supported versions
+ *
+ * This file defines the complete API schemas for Microsoft.Authorization/roleAssignments
+ * across all supported API versions. The schemas are used by the VersionedAzapiResource
+ * framework for validation, transformation, and version management.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ROLE_ASSIGNMENT_TYPE = exports.ALL_ROLE_ASSIGNMENT_VERSIONS = exports.ROLE_ASSIGNMENT_VERSION_2022_04_01 = exports.ROLE_ASSIGNMENT_SCHEMA_2022_04_01 = void 0;
+const version_interfaces_1 = require("../../core-azure/lib/version-manager/interfaces/version-interfaces");
+// =============================================================================
+// COMMON PROPERTY DEFINITIONS
+// =============================================================================
+/**
+ * Common property definitions shared across all Role Assignment versions
+ */
+const COMMON_PROPERTIES = {
+    name: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "The name of the role assignment resource. Automatically generated as a GUID by Terraform's guid() function",
+        validation: [
+        // Note: No pattern validation here because the name will be a Terraform function
+        // guid() that gets evaluated at apply time, not synthesis time.
+        // Azure will validate the final GUID format when the resource is created.
+        ],
+    },
+    roleDefinitionId: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: true,
+        description: "The role definition ID to assign. This can be a built-in or custom role definition",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                message: "Role definition ID is required for role assignments",
+            },
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.STRING,
+                message: "Role definition ID must be a string",
+            },
+        ],
+    },
+    principalId: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: true,
+        description: "The principal ID (object ID) to which the role is assigned. This can be a user, group, service principal, or managed identity",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                message: "Principal ID is required for role assignments",
+            },
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.STRING,
+                message: "Principal ID must be a string",
+            },
+        ],
+    },
+    scope: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: true,
+        description: "The scope at which the role assignment is applied (subscription, resource group, or resource)",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                message: "Scope is required for role assignments",
+            },
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.STRING,
+                message: "Scope must be a string",
+            },
+        ],
+    },
+    principalType: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "The type of principal. Valid values: User, Group, ServicePrincipal, ForeignGroup, Device",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.PATTERN_MATCH,
+                value: "^(User|Group|ServicePrincipal|ForeignGroup|Device)$",
+                message: "Principal type must be one of: User, Group, ServicePrincipal, ForeignGroup, Device",
+            },
+        ],
+    },
+    description: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "The role assignment description. Provides detailed information about the assignment",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.VALUE_RANGE,
+                value: { minLength: 0, maxLength: 512 },
+                message: "Description must not exceed 512 characters",
+            },
+        ],
+    },
+    condition: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "The conditions on the role assignment. This limits the resources it applies to using ABAC expressions",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.STRING,
+                message: "Condition must be a string",
+            },
+        ],
+    },
+    conditionVersion: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "Version of the condition syntax. Current supported version is 2.0",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.PATTERN_MATCH,
+                value: "^2\\.0$",
+                message: "Condition version must be 2.0",
+            },
+        ],
+    },
+    delegatedManagedIdentityResourceId: {
+        dataType: version_interfaces_1.PropertyType.STRING,
+        required: false,
+        description: "The delegated Azure Resource Id which contains a Managed Identity. Applicable only when the principalType is Group",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.STRING,
+                message: "Delegated managed identity resource ID must be a string",
+            },
+        ],
+    },
+    ignoreChanges: {
+        dataType: version_interfaces_1.PropertyType.ARRAY,
+        required: false,
+        description: "Array of property names to ignore during updates",
+        validation: [
+            {
+                ruleType: version_interfaces_1.ValidationRuleType.TYPE_CHECK,
+                value: version_interfaces_1.PropertyType.ARRAY,
+                message: "IgnoreChanges must be an array of strings",
+            },
+        ],
+    },
+};
+// =============================================================================
+// VERSION-SPECIFIC SCHEMAS
+// =============================================================================
+/**
+ * API Schema for Role Assignment version 2022-04-01
+ * This is the latest stable API version for role assignments
+ */
+exports.ROLE_ASSIGNMENT_SCHEMA_2022_04_01 = {
+    resourceType: "Microsoft.Authorization/roleAssignments",
+    version: "2022-04-01",
+    properties: {
+        ...COMMON_PROPERTIES,
+    },
+    required: ["roleDefinitionId", "principalId", "scope"],
+    optional: [
+        "name",
+        "principalType",
+        "description",
+        "condition",
+        "conditionVersion",
+        "delegatedManagedIdentityResourceId",
+        "ignoreChanges",
+    ],
+    deprecated: [],
+    transformationRules: {},
+    validationRules: [
+        {
+            property: "roleDefinitionId",
+            rules: [
+                {
+                    ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                    message: "Role definition ID is required for role assignments",
+                },
+            ],
+        },
+        {
+            property: "principalId",
+            rules: [
+                {
+                    ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                    message: "Principal ID is required for role assignments",
+                },
+            ],
+        },
+        {
+            property: "scope",
+            rules: [
+                {
+                    ruleType: version_interfaces_1.ValidationRuleType.REQUIRED,
+                    message: "Scope is required for role assignments",
+                },
+            ],
+        },
+    ],
+};
+// =============================================================================
+// VERSION CONFIGURATIONS
+// =============================================================================
+/**
+ * Version configuration for Role Assignment 2022-04-01
+ */
+exports.ROLE_ASSIGNMENT_VERSION_2022_04_01 = {
+    version: "2022-04-01",
+    schema: exports.ROLE_ASSIGNMENT_SCHEMA_2022_04_01,
+    supportLevel: version_interfaces_1.VersionSupportLevel.ACTIVE,
+    releaseDate: "2022-04-01",
+    deprecationDate: undefined,
+    sunsetDate: undefined,
+    breakingChanges: [],
+    migrationGuide: "/docs/role-assignment/migration-2022-04-01",
+    changeLog: [
+        {
+            changeType: "added",
+            description: "Stable release of Role Assignment API with full support for RBAC role assignments, conditional assignments (ABAC), and delegated managed identities",
+            breaking: false,
+        },
+    ],
+};
+/**
+ * All supported Role Assignment versions for registration
+ */
+exports.ALL_ROLE_ASSIGNMENT_VERSIONS = [
+    exports.ROLE_ASSIGNMENT_VERSION_2022_04_01,
+];
+/**
+ * Resource type constant
+ */
+exports.ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments";
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicm9sZS1hc3NpZ25tZW50LXNjaGVtYXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYXp1cmUtcm9sZWFzc2lnbm1lbnQvbGliL3JvbGUtYXNzaWdubWVudC1zY2hlbWFzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQTs7Ozs7O0dBTUc7OztBQUVILDJHQU80RTtBQUU1RSxnRkFBZ0Y7QUFDaEYsOEJBQThCO0FBQzlCLGdGQUFnRjtBQUVoRjs7R0FFRztBQUNILE1BQU0saUJBQWlCLEdBQTBDO0lBQy9ELElBQUksRUFBRTtRQUNKLFFBQVEsRUFBRSxpQ0FBWSxDQUFDLE1BQU07UUFDN0IsUUFBUSxFQUFFLEtBQUs7UUFDZixXQUFXLEVBQ1QsNEdBQTRHO1FBQzlHLFVBQVUsRUFBRTtRQUNWLGlGQUFpRjtRQUNqRixnRUFBZ0U7UUFDaEUsMEVBQTBFO1NBQzNFO0tBQ0Y7SUFDRCxnQkFBZ0IsRUFBRTtRQUNoQixRQUFRLEVBQUUsaUNBQVksQ0FBQyxNQUFNO1FBQzdCLFFBQVEsRUFBRSxJQUFJO1FBQ2QsV0FBVyxFQUNULG9GQUFvRjtRQUN0RixVQUFVLEVBQUU7WUFDVjtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsUUFBUTtnQkFDckMsT0FBTyxFQUFFLHFEQUFxRDthQUMvRDtZQUNEO2dCQUNFLFFBQVEsRUFBRSx1Q0FBa0IsQ0FBQyxVQUFVO2dCQUN2QyxLQUFLLEVBQUUsaUNBQVksQ0FBQyxNQUFNO2dCQUMxQixPQUFPLEVBQUUscUNBQXFDO2FBQy9DO1NBQ0Y7S0FDRjtJQUNELFdBQVcsRUFBRTtRQUNYLFFBQVEsRUFBRSxpQ0FBWSxDQUFDLE1BQU07UUFDN0IsUUFBUSxFQUFFLElBQUk7UUFDZCxXQUFXLEVBQ1QsK0hBQStIO1FBQ2pJLFVBQVUsRUFBRTtZQUNWO2dCQUNFLFFBQVEsRUFBRSx1Q0FBa0IsQ0FBQyxRQUFRO2dCQUNyQyxPQUFPLEVBQUUsK0NBQStDO2FBQ3pEO1lBQ0Q7Z0JBQ0UsUUFBUSxFQUFFLHVDQUFrQixDQUFDLFVBQVU7Z0JBQ3ZDLEtBQUssRUFBRSxpQ0FBWSxDQUFDLE1BQU07Z0JBQzFCLE9BQU8sRUFBRSwrQkFBK0I7YUFDekM7U0FDRjtLQUNGO0lBQ0QsS0FBSyxFQUFFO1FBQ0wsUUFBUSxFQUFFLGlDQUFZLENBQUMsTUFBTTtRQUM3QixRQUFRLEVBQUUsSUFBSTtRQUNkLFdBQVcsRUFDVCwrRkFBK0Y7UUFDakcsVUFBVSxFQUFFO1lBQ1Y7Z0JBQ0UsUUFBUSxFQUFFLHVDQUFrQixDQUFDLFFBQVE7Z0JBQ3JDLE9BQU8sRUFBRSx3Q0FBd0M7YUFDbEQ7WUFDRDtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsVUFBVTtnQkFDdkMsS0FBSyxFQUFFLGlDQUFZLENBQUMsTUFBTTtnQkFDMUIsT0FBTyxFQUFFLHdCQUF3QjthQUNsQztTQUNGO0tBQ0Y7SUFDRCxhQUFhLEVBQUU7UUFDYixRQUFRLEVBQUUsaUNBQVksQ0FBQyxNQUFNO1FBQzdCLFFBQVEsRUFBRSxLQUFLO1FBQ2YsV0FBVyxFQUNULDBGQUEwRjtRQUM1RixVQUFVLEVBQUU7WUFDVjtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsYUFBYTtnQkFDMUMsS0FBSyxFQUFFLHFEQUFxRDtnQkFDNUQsT0FBTyxFQUNMLG9GQUFvRjthQUN2RjtTQUNGO0tBQ0Y7SUFDRCxXQUFXLEVBQUU7UUFDWCxRQUFRLEVBQUUsaUNBQVksQ0FBQyxNQUFNO1FBQzdCLFFBQVEsRUFBRSxLQUFLO1FBQ2YsV0FBVyxFQUNULHFGQUFxRjtRQUN2RixVQUFVLEVBQUU7WUFDVjtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsV0FBVztnQkFDeEMsS0FBSyxFQUFFLEVBQUUsU0FBUyxFQUFFLENBQUMsRUFBRSxTQUFTLEVBQUUsR0FBRyxFQUFFO2dCQUN2QyxPQUFPLEVBQUUsNENBQTRDO2FBQ3REO1NBQ0Y7S0FDRjtJQUNELFNBQVMsRUFBRTtRQUNULFFBQVEsRUFBRSxpQ0FBWSxDQUFDLE1BQU07UUFDN0IsUUFBUSxFQUFFLEtBQUs7UUFDZixXQUFXLEVBQ1QsdUdBQXVHO1FBQ3pHLFVBQVUsRUFBRTtZQUNWO2dCQUNFLFFBQVEsRUFBRSx1Q0FBa0IsQ0FBQyxVQUFVO2dCQUN2QyxLQUFLLEVBQUUsaUNBQVksQ0FBQyxNQUFNO2dCQUMxQixPQUFPLEVBQUUsNEJBQTRCO2FBQ3RDO1NBQ0Y7S0FDRjtJQUNELGdCQUFnQixFQUFFO1FBQ2hCLFFBQVEsRUFBRSxpQ0FBWSxDQUFDLE1BQU07UUFDN0IsUUFBUSxFQUFFLEtBQUs7UUFDZixXQUFXLEVBQ1QsbUVBQW1FO1FBQ3JFLFVBQVUsRUFBRTtZQUNWO2dCQUNFLFFBQVEsRUFBRSx1Q0FBa0IsQ0FBQyxhQUFhO2dCQUMxQyxLQUFLLEVBQUUsU0FBUztnQkFDaEIsT0FBTyxFQUFFLCtCQUErQjthQUN6QztTQUNGO0tBQ0Y7SUFDRCxrQ0FBa0MsRUFBRTtRQUNsQyxRQUFRLEVBQUUsaUNBQVksQ0FBQyxNQUFNO1FBQzdCLFFBQVEsRUFBRSxLQUFLO1FBQ2YsV0FBVyxFQUNULG9IQUFvSDtRQUN0SCxVQUFVLEVBQUU7WUFDVjtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsVUFBVTtnQkFDdkMsS0FBSyxFQUFFLGlDQUFZLENBQUMsTUFBTTtnQkFDMUIsT0FBTyxFQUFFLHlEQUF5RDthQUNuRTtTQUNGO0tBQ0Y7SUFDRCxhQUFhLEVBQUU7UUFDYixRQUFRLEVBQUUsaUNBQVksQ0FBQyxLQUFLO1FBQzVCLFFBQVEsRUFBRSxLQUFLO1FBQ2YsV0FBVyxFQUFFLGtEQUFrRDtRQUMvRCxVQUFVLEVBQUU7WUFDVjtnQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsVUFBVTtnQkFDdkMsS0FBSyxFQUFFLGlDQUFZLENBQUMsS0FBSztnQkFDekIsT0FBTyxFQUFFLDJDQUEyQzthQUNyRDtTQUNGO0tBQ0Y7Q0FDRixDQUFDO0FBRUYsZ0ZBQWdGO0FBQ2hGLDJCQUEyQjtBQUMzQixnRkFBZ0Y7QUFFaEY7OztHQUdHO0FBQ1UsUUFBQSxpQ0FBaUMsR0FBYztJQUMxRCxZQUFZLEVBQUUseUNBQXlDO0lBQ3ZELE9BQU8sRUFBRSxZQUFZO0lBQ3JCLFVBQVUsRUFBRTtRQUNWLEdBQUcsaUJBQWlCO0tBQ3JCO0lBQ0QsUUFBUSxFQUFFLENBQUMsa0JBQWtCLEVBQUUsYUFBYSxFQUFFLE9BQU8sQ0FBQztJQUN0RCxRQUFRLEVBQUU7UUFDUixNQUFNO1FBQ04sZUFBZTtRQUNmLGFBQWE7UUFDYixXQUFXO1FBQ1gsa0JBQWtCO1FBQ2xCLG9DQUFvQztRQUNwQyxlQUFlO0tBQ2hCO0lBQ0QsVUFBVSxFQUFFLEVBQUU7SUFDZCxtQkFBbUIsRUFBRSxFQUFFO0lBQ3ZCLGVBQWUsRUFBRTtRQUNmO1lBQ0UsUUFBUSxFQUFFLGtCQUFrQjtZQUM1QixLQUFLLEVBQUU7Z0JBQ0w7b0JBQ0UsUUFBUSxFQUFFLHVDQUFrQixDQUFDLFFBQVE7b0JBQ3JDLE9BQU8sRUFBRSxxREFBcUQ7aUJBQy9EO2FBQ0Y7U0FDRjtRQUNEO1lBQ0UsUUFBUSxFQUFFLGFBQWE7WUFDdkIsS0FBSyxFQUFFO2dCQUNMO29CQUNFLFFBQVEsRUFBRSx1Q0FBa0IsQ0FBQyxRQUFRO29CQUNyQyxPQUFPLEVBQUUsK0NBQStDO2lCQUN6RDthQUNGO1NBQ0Y7UUFDRDtZQUNFLFFBQVEsRUFBRSxPQUFPO1lBQ2pCLEtBQUssRUFBRTtnQkFDTDtvQkFDRSxRQUFRLEVBQUUsdUNBQWtCLENBQUMsUUFBUTtvQkFDckMsT0FBTyxFQUFFLHdDQUF3QztpQkFDbEQ7YUFDRjtTQUNGO0tBQ0Y7Q0FDRixDQUFDO0FBRUYsZ0ZBQWdGO0FBQ2hGLHlCQUF5QjtBQUN6QixnRkFBZ0Y7QUFFaEY7O0dBRUc7QUFDVSxRQUFBLGtDQUFrQyxHQUFrQjtJQUMvRCxPQUFPLEVBQUUsWUFBWTtJQUNyQixNQUFNLEVBQUUseUNBQWlDO0lBQ3pDLFlBQVksRUFBRSx3Q0FBbUIsQ0FBQyxNQUFNO0lBQ3hDLFdBQVcsRUFBRSxZQUFZO0lBQ3pCLGVBQWUsRUFBRSxTQUFTO0lBQzFCLFVBQVUsRUFBRSxTQUFTO0lBQ3JCLGVBQWUsRUFBRSxFQUFFO0lBQ25CLGNBQWMsRUFBRSw0Q0FBNEM7SUFDNUQsU0FBUyxFQUFFO1FBQ1Q7WUFDRSxVQUFVLEVBQUUsT0FBTztZQUNuQixXQUFXLEVBQ1QscUpBQXFKO1lBQ3ZKLFFBQVEsRUFBRSxLQUFLO1NBQ2hCO0tBQ0Y7Q0FDRixDQUFDO0FBRUY7O0dBRUc7QUFDVSxRQUFBLDRCQUE0QixHQUFvQjtJQUMzRCwwQ0FBa0M7Q0FDbkMsQ0FBQztBQUVGOztHQUVHO0FBQ1UsUUFBQSxvQkFBb0IsR0FBRyx5Q0FBeUMsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQVBJIHNjaGVtYXMgZm9yIEF6dXJlIFJvbGUgQXNzaWdubWVudCBhY3Jvc3MgYWxsIHN1cHBvcnRlZCB2ZXJzaW9uc1xuICpcbiAqIFRoaXMgZmlsZSBkZWZpbmVzIHRoZSBjb21wbGV0ZSBBUEkgc2NoZW1hcyBmb3IgTWljcm9zb2Z0LkF1dGhvcml6YXRpb24vcm9sZUFzc2lnbm1lbnRzXG4gKiBhY3Jvc3MgYWxsIHN1cHBvcnRlZCBBUEkgdmVyc2lvbnMuIFRoZSBzY2hlbWFzIGFyZSB1c2VkIGJ5IHRoZSBWZXJzaW9uZWRBemFwaVJlc291cmNlXG4gKiBmcmFtZXdvcmsgZm9yIHZhbGlkYXRpb24sIHRyYW5zZm9ybWF0aW9uLCBhbmQgdmVyc2lvbiBtYW5hZ2VtZW50LlxuICovXG5cbmltcG9ydCB7XG4gIEFwaVNjaGVtYSxcbiAgUHJvcGVydHlEZWZpbml0aW9uLFxuICBQcm9wZXJ0eVR5cGUsXG4gIFZhbGlkYXRpb25SdWxlVHlwZSxcbiAgVmVyc2lvbkNvbmZpZyxcbiAgVmVyc2lvblN1cHBvcnRMZXZlbCxcbn0gZnJvbSBcIi4uLy4uL2NvcmUtYXp1cmUvbGliL3ZlcnNpb24tbWFuYWdlci9pbnRlcmZhY2VzL3ZlcnNpb24taW50ZXJmYWNlc1wiO1xuXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gQ09NTU9OIFBST1BFUlRZIERFRklOSVRJT05TXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuXG4vKipcbiAqIENvbW1vbiBwcm9wZXJ0eSBkZWZpbml0aW9ucyBzaGFyZWQgYWNyb3NzIGFsbCBSb2xlIEFzc2lnbm1lbnQgdmVyc2lvbnNcbiAqL1xuY29uc3QgQ09NTU9OX1BST1BFUlRJRVM6IHsgW2tleTogc3RyaW5nXTogUHJvcGVydHlEZWZpbml0aW9uIH0gPSB7XG4gIG5hbWU6IHtcbiAgICBkYXRhVHlwZTogUHJvcGVydHlUeXBlLlNUUklORyxcbiAgICByZXF1aXJlZDogZmFsc2UsXG4gICAgZGVzY3JpcHRpb246XG4gICAgICBcIlRoZSBuYW1lIG9mIHRoZSByb2xlIGFzc2lnbm1lbnQgcmVzb3VyY2UuIEF1dG9tYXRpY2FsbHkgZ2VuZXJhdGVkIGFzIGEgR1VJRCBieSBUZXJyYWZvcm0ncyBndWlkKCkgZnVuY3Rpb25cIixcbiAgICB2YWxpZGF0aW9uOiBbXG4gICAgICAvLyBOb3RlOiBObyBwYXR0ZXJuIHZhbGlkYXRpb24gaGVyZSBiZWNhdXNlIHRoZSBuYW1lIHdpbGwgYmUgYSBUZXJyYWZvcm0gZnVuY3Rpb25cbiAgICAgIC8vIGd1aWQoKSB0aGF0IGdldHMgZXZhbHVhdGVkIGF0IGFwcGx5IHRpbWUsIG5vdCBzeW50aGVzaXMgdGltZS5cbiAgICAgIC8vIEF6dXJlIHdpbGwgdmFsaWRhdGUgdGhlIGZpbmFsIEdVSUQgZm9ybWF0IHdoZW4gdGhlIHJlc291cmNlIGlzIGNyZWF0ZWQuXG4gICAgXSxcbiAgfSxcbiAgcm9sZURlZmluaXRpb25JZDoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiB0cnVlLFxuICAgIGRlc2NyaXB0aW9uOlxuICAgICAgXCJUaGUgcm9sZSBkZWZpbml0aW9uIElEIHRvIGFzc2lnbi4gVGhpcyBjYW4gYmUgYSBidWlsdC1pbiBvciBjdXN0b20gcm9sZSBkZWZpbml0aW9uXCIsXG4gICAgdmFsaWRhdGlvbjogW1xuICAgICAge1xuICAgICAgICBydWxlVHlwZTogVmFsaWRhdGlvblJ1bGVUeXBlLlJFUVVJUkVELFxuICAgICAgICBtZXNzYWdlOiBcIlJvbGUgZGVmaW5pdGlvbiBJRCBpcyByZXF1aXJlZCBmb3Igcm9sZSBhc3NpZ25tZW50c1wiLFxuICAgICAgfSxcbiAgICAgIHtcbiAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5UWVBFX0NIRUNLLFxuICAgICAgICB2YWx1ZTogUHJvcGVydHlUeXBlLlNUUklORyxcbiAgICAgICAgbWVzc2FnZTogXCJSb2xlIGRlZmluaXRpb24gSUQgbXVzdCBiZSBhIHN0cmluZ1wiLFxuICAgICAgfSxcbiAgICBdLFxuICB9LFxuICBwcmluY2lwYWxJZDoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiB0cnVlLFxuICAgIGRlc2NyaXB0aW9uOlxuICAgICAgXCJUaGUgcHJpbmNpcGFsIElEIChvYmplY3QgSUQpIHRvIHdoaWNoIHRoZSByb2xlIGlzIGFzc2lnbmVkLiBUaGlzIGNhbiBiZSBhIHVzZXIsIGdyb3VwLCBzZXJ2aWNlIHByaW5jaXBhbCwgb3IgbWFuYWdlZCBpZGVudGl0eVwiLFxuICAgIHZhbGlkYXRpb246IFtcbiAgICAgIHtcbiAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5SRVFVSVJFRCxcbiAgICAgICAgbWVzc2FnZTogXCJQcmluY2lwYWwgSUQgaXMgcmVxdWlyZWQgZm9yIHJvbGUgYXNzaWdubWVudHNcIixcbiAgICAgIH0sXG4gICAgICB7XG4gICAgICAgIHJ1bGVUeXBlOiBWYWxpZGF0aW9uUnVsZVR5cGUuVFlQRV9DSEVDSyxcbiAgICAgICAgdmFsdWU6IFByb3BlcnR5VHlwZS5TVFJJTkcsXG4gICAgICAgIG1lc3NhZ2U6IFwiUHJpbmNpcGFsIElEIG11c3QgYmUgYSBzdHJpbmdcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgc2NvcGU6IHtcbiAgICBkYXRhVHlwZTogUHJvcGVydHlUeXBlLlNUUklORyxcbiAgICByZXF1aXJlZDogdHJ1ZSxcbiAgICBkZXNjcmlwdGlvbjpcbiAgICAgIFwiVGhlIHNjb3BlIGF0IHdoaWNoIHRoZSByb2xlIGFzc2lnbm1lbnQgaXMgYXBwbGllZCAoc3Vic2NyaXB0aW9uLCByZXNvdXJjZSBncm91cCwgb3IgcmVzb3VyY2UpXCIsXG4gICAgdmFsaWRhdGlvbjogW1xuICAgICAge1xuICAgICAgICBydWxlVHlwZTogVmFsaWRhdGlvblJ1bGVUeXBlLlJFUVVJUkVELFxuICAgICAgICBtZXNzYWdlOiBcIlNjb3BlIGlzIHJlcXVpcmVkIGZvciByb2xlIGFzc2lnbm1lbnRzXCIsXG4gICAgICB9LFxuICAgICAge1xuICAgICAgICBydWxlVHlwZTogVmFsaWRhdGlvblJ1bGVUeXBlLlRZUEVfQ0hFQ0ssXG4gICAgICAgIHZhbHVlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgICAgICBtZXNzYWdlOiBcIlNjb3BlIG11c3QgYmUgYSBzdHJpbmdcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgcHJpbmNpcGFsVHlwZToge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiBmYWxzZSxcbiAgICBkZXNjcmlwdGlvbjpcbiAgICAgIFwiVGhlIHR5cGUgb2YgcHJpbmNpcGFsLiBWYWxpZCB2YWx1ZXM6IFVzZXIsIEdyb3VwLCBTZXJ2aWNlUHJpbmNpcGFsLCBGb3JlaWduR3JvdXAsIERldmljZVwiLFxuICAgIHZhbGlkYXRpb246IFtcbiAgICAgIHtcbiAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5QQVRURVJOX01BVENILFxuICAgICAgICB2YWx1ZTogXCJeKFVzZXJ8R3JvdXB8U2VydmljZVByaW5jaXBhbHxGb3JlaWduR3JvdXB8RGV2aWNlKSRcIixcbiAgICAgICAgbWVzc2FnZTpcbiAgICAgICAgICBcIlByaW5jaXBhbCB0eXBlIG11c3QgYmUgb25lIG9mOiBVc2VyLCBHcm91cCwgU2VydmljZVByaW5jaXBhbCwgRm9yZWlnbkdyb3VwLCBEZXZpY2VcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgZGVzY3JpcHRpb246IHtcbiAgICBkYXRhVHlwZTogUHJvcGVydHlUeXBlLlNUUklORyxcbiAgICByZXF1aXJlZDogZmFsc2UsXG4gICAgZGVzY3JpcHRpb246XG4gICAgICBcIlRoZSByb2xlIGFzc2lnbm1lbnQgZGVzY3JpcHRpb24uIFByb3ZpZGVzIGRldGFpbGVkIGluZm9ybWF0aW9uIGFib3V0IHRoZSBhc3NpZ25tZW50XCIsXG4gICAgdmFsaWRhdGlvbjogW1xuICAgICAge1xuICAgICAgICBydWxlVHlwZTogVmFsaWRhdGlvblJ1bGVUeXBlLlZBTFVFX1JBTkdFLFxuICAgICAgICB2YWx1ZTogeyBtaW5MZW5ndGg6IDAsIG1heExlbmd0aDogNTEyIH0sXG4gICAgICAgIG1lc3NhZ2U6IFwiRGVzY3JpcHRpb24gbXVzdCBub3QgZXhjZWVkIDUxMiBjaGFyYWN0ZXJzXCIsXG4gICAgICB9LFxuICAgIF0sXG4gIH0sXG4gIGNvbmRpdGlvbjoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiBmYWxzZSxcbiAgICBkZXNjcmlwdGlvbjpcbiAgICAgIFwiVGhlIGNvbmRpdGlvbnMgb24gdGhlIHJvbGUgYXNzaWdubWVudC4gVGhpcyBsaW1pdHMgdGhlIHJlc291cmNlcyBpdCBhcHBsaWVzIHRvIHVzaW5nIEFCQUMgZXhwcmVzc2lvbnNcIixcbiAgICB2YWxpZGF0aW9uOiBbXG4gICAgICB7XG4gICAgICAgIHJ1bGVUeXBlOiBWYWxpZGF0aW9uUnVsZVR5cGUuVFlQRV9DSEVDSyxcbiAgICAgICAgdmFsdWU6IFByb3BlcnR5VHlwZS5TVFJJTkcsXG4gICAgICAgIG1lc3NhZ2U6IFwiQ29uZGl0aW9uIG11c3QgYmUgYSBzdHJpbmdcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgY29uZGl0aW9uVmVyc2lvbjoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiBmYWxzZSxcbiAgICBkZXNjcmlwdGlvbjpcbiAgICAgIFwiVmVyc2lvbiBvZiB0aGUgY29uZGl0aW9uIHN5bnRheC4gQ3VycmVudCBzdXBwb3J0ZWQgdmVyc2lvbiBpcyAyLjBcIixcbiAgICB2YWxpZGF0aW9uOiBbXG4gICAgICB7XG4gICAgICAgIHJ1bGVUeXBlOiBWYWxpZGF0aW9uUnVsZVR5cGUuUEFUVEVSTl9NQVRDSCxcbiAgICAgICAgdmFsdWU6IFwiXjJcXFxcLjAkXCIsXG4gICAgICAgIG1lc3NhZ2U6IFwiQ29uZGl0aW9uIHZlcnNpb24gbXVzdCBiZSAyLjBcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgZGVsZWdhdGVkTWFuYWdlZElkZW50aXR5UmVzb3VyY2VJZDoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgIHJlcXVpcmVkOiBmYWxzZSxcbiAgICBkZXNjcmlwdGlvbjpcbiAgICAgIFwiVGhlIGRlbGVnYXRlZCBBenVyZSBSZXNvdXJjZSBJZCB3aGljaCBjb250YWlucyBhIE1hbmFnZWQgSWRlbnRpdHkuIEFwcGxpY2FibGUgb25seSB3aGVuIHRoZSBwcmluY2lwYWxUeXBlIGlzIEdyb3VwXCIsXG4gICAgdmFsaWRhdGlvbjogW1xuICAgICAge1xuICAgICAgICBydWxlVHlwZTogVmFsaWRhdGlvblJ1bGVUeXBlLlRZUEVfQ0hFQ0ssXG4gICAgICAgIHZhbHVlOiBQcm9wZXJ0eVR5cGUuU1RSSU5HLFxuICAgICAgICBtZXNzYWdlOiBcIkRlbGVnYXRlZCBtYW5hZ2VkIGlkZW50aXR5IHJlc291cmNlIElEIG11c3QgYmUgYSBzdHJpbmdcIixcbiAgICAgIH0sXG4gICAgXSxcbiAgfSxcbiAgaWdub3JlQ2hhbmdlczoge1xuICAgIGRhdGFUeXBlOiBQcm9wZXJ0eVR5cGUuQVJSQVksXG4gICAgcmVxdWlyZWQ6IGZhbHNlLFxuICAgIGRlc2NyaXB0aW9uOiBcIkFycmF5IG9mIHByb3BlcnR5IG5hbWVzIHRvIGlnbm9yZSBkdXJpbmcgdXBkYXRlc1wiLFxuICAgIHZhbGlkYXRpb246IFtcbiAgICAgIHtcbiAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5UWVBFX0NIRUNLLFxuICAgICAgICB2YWx1ZTogUHJvcGVydHlUeXBlLkFSUkFZLFxuICAgICAgICBtZXNzYWdlOiBcIklnbm9yZUNoYW5nZXMgbXVzdCBiZSBhbiBhcnJheSBvZiBzdHJpbmdzXCIsXG4gICAgICB9LFxuICAgIF0sXG4gIH0sXG59O1xuXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gVkVSU0lPTi1TUEVDSUZJQyBTQ0hFTUFTXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuXG4vKipcbiAqIEFQSSBTY2hlbWEgZm9yIFJvbGUgQXNzaWdubWVudCB2ZXJzaW9uIDIwMjItMDQtMDFcbiAqIFRoaXMgaXMgdGhlIGxhdGVzdCBzdGFibGUgQVBJIHZlcnNpb24gZm9yIHJvbGUgYXNzaWdubWVudHNcbiAqL1xuZXhwb3J0IGNvbnN0IFJPTEVfQVNTSUdOTUVOVF9TQ0hFTUFfMjAyMl8wNF8wMTogQXBpU2NoZW1hID0ge1xuICByZXNvdXJjZVR5cGU6IFwiTWljcm9zb2Z0LkF1dGhvcml6YXRpb24vcm9sZUFzc2lnbm1lbnRzXCIsXG4gIHZlcnNpb246IFwiMjAyMi0wNC0wMVwiLFxuICBwcm9wZXJ0aWVzOiB7XG4gICAgLi4uQ09NTU9OX1BST1BFUlRJRVMsXG4gIH0sXG4gIHJlcXVpcmVkOiBbXCJyb2xlRGVmaW5pdGlvbklkXCIsIFwicHJpbmNpcGFsSWRcIiwgXCJzY29wZVwiXSxcbiAgb3B0aW9uYWw6IFtcbiAgICBcIm5hbWVcIixcbiAgICBcInByaW5jaXBhbFR5cGVcIixcbiAgICBcImRlc2NyaXB0aW9uXCIsXG4gICAgXCJjb25kaXRpb25cIixcbiAgICBcImNvbmRpdGlvblZlcnNpb25cIixcbiAgICBcImRlbGVnYXRlZE1hbmFnZWRJZGVudGl0eVJlc291cmNlSWRcIixcbiAgICBcImlnbm9yZUNoYW5nZXNcIixcbiAgXSxcbiAgZGVwcmVjYXRlZDogW10sXG4gIHRyYW5zZm9ybWF0aW9uUnVsZXM6IHt9LFxuICB2YWxpZGF0aW9uUnVsZXM6IFtcbiAgICB7XG4gICAgICBwcm9wZXJ0eTogXCJyb2xlRGVmaW5pdGlvbklkXCIsXG4gICAgICBydWxlczogW1xuICAgICAgICB7XG4gICAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5SRVFVSVJFRCxcbiAgICAgICAgICBtZXNzYWdlOiBcIlJvbGUgZGVmaW5pdGlvbiBJRCBpcyByZXF1aXJlZCBmb3Igcm9sZSBhc3NpZ25tZW50c1wiLFxuICAgICAgICB9LFxuICAgICAgXSxcbiAgICB9LFxuICAgIHtcbiAgICAgIHByb3BlcnR5OiBcInByaW5jaXBhbElkXCIsXG4gICAgICBydWxlczogW1xuICAgICAgICB7XG4gICAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5SRVFVSVJFRCxcbiAgICAgICAgICBtZXNzYWdlOiBcIlByaW5jaXBhbCBJRCBpcyByZXF1aXJlZCBmb3Igcm9sZSBhc3NpZ25tZW50c1wiLFxuICAgICAgICB9LFxuICAgICAgXSxcbiAgICB9LFxuICAgIHtcbiAgICAgIHByb3BlcnR5OiBcInNjb3BlXCIsXG4gICAgICBydWxlczogW1xuICAgICAgICB7XG4gICAgICAgICAgcnVsZVR5cGU6IFZhbGlkYXRpb25SdWxlVHlwZS5SRVFVSVJFRCxcbiAgICAgICAgICBtZXNzYWdlOiBcIlNjb3BlIGlzIHJlcXVpcmVkIGZvciByb2xlIGFzc2lnbm1lbnRzXCIsXG4gICAgICAgIH0sXG4gICAgICBdLFxuICAgIH0sXG4gIF0sXG59O1xuXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gVkVSU0lPTiBDT05GSUdVUkFUSU9OU1xuLy8gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cblxuLyoqXG4gKiBWZXJzaW9uIGNvbmZpZ3VyYXRpb24gZm9yIFJvbGUgQXNzaWdubWVudCAyMDIyLTA0LTAxXG4gKi9cbmV4cG9ydCBjb25zdCBST0xFX0FTU0lHTk1FTlRfVkVSU0lPTl8yMDIyXzA0XzAxOiBWZXJzaW9uQ29uZmlnID0ge1xuICB2ZXJzaW9uOiBcIjIwMjItMDQtMDFcIixcbiAgc2NoZW1hOiBST0xFX0FTU0lHTk1FTlRfU0NIRU1BXzIwMjJfMDRfMDEsXG4gIHN1cHBvcnRMZXZlbDogVmVyc2lvblN1cHBvcnRMZXZlbC5BQ1RJVkUsXG4gIHJlbGVhc2VEYXRlOiBcIjIwMjItMDQtMDFcIixcbiAgZGVwcmVjYXRpb25EYXRlOiB1bmRlZmluZWQsXG4gIHN1bnNldERhdGU6IHVuZGVmaW5lZCxcbiAgYnJlYWtpbmdDaGFuZ2VzOiBbXSxcbiAgbWlncmF0aW9uR3VpZGU6IFwiL2RvY3Mvcm9sZS1hc3NpZ25tZW50L21pZ3JhdGlvbi0yMDIyLTA0LTAxXCIsXG4gIGNoYW5nZUxvZzogW1xuICAgIHtcbiAgICAgIGNoYW5nZVR5cGU6IFwiYWRkZWRcIixcbiAgICAgIGRlc2NyaXB0aW9uOlxuICAgICAgICBcIlN0YWJsZSByZWxlYXNlIG9mIFJvbGUgQXNzaWdubWVudCBBUEkgd2l0aCBmdWxsIHN1cHBvcnQgZm9yIFJCQUMgcm9sZSBhc3NpZ25tZW50cywgY29uZGl0aW9uYWwgYXNzaWdubWVudHMgKEFCQUMpLCBhbmQgZGVsZWdhdGVkIG1hbmFnZWQgaWRlbnRpdGllc1wiLFxuICAgICAgYnJlYWtpbmc6IGZhbHNlLFxuICAgIH0sXG4gIF0sXG59O1xuXG4vKipcbiAqIEFsbCBzdXBwb3J0ZWQgUm9sZSBBc3NpZ25tZW50IHZlcnNpb25zIGZvciByZWdpc3RyYXRpb25cbiAqL1xuZXhwb3J0IGNvbnN0IEFMTF9ST0xFX0FTU0lHTk1FTlRfVkVSU0lPTlM6IFZlcnNpb25Db25maWdbXSA9IFtcbiAgUk9MRV9BU1NJR05NRU5UX1ZFUlNJT05fMjAyMl8wNF8wMSxcbl07XG5cbi8qKlxuICogUmVzb3VyY2UgdHlwZSBjb25zdGFudFxuICovXG5leHBvcnQgY29uc3QgUk9MRV9BU1NJR05NRU5UX1RZUEUgPSBcIk1pY3Jvc29mdC5BdXRob3JpemF0aW9uL3JvbGVBc3NpZ25tZW50c1wiO1xuIl19

package/lib/azure-roleassignment/lib/role-assignment.d.ts

@@ -0,0 +1,294 @@
+/**
+ * Unified Azure Role Assignment implementation using VersionedAzapiResource framework
+ *
+ * This class provides a version-aware implementation for managing Azure Role Assignments
+ * using the AZAPI provider. Role assignments grant specific permissions (roles) to security
+ * principals (users, groups, service principals, managed identities) at a particular scope.
+ *
+ * Supported API Versions:
+ * - 2022-04-01 (Active, Latest)
+ *
+ * Features:
+ * - Automatic latest version resolution when no version is specified
+ * - Explicit version pinning for stability requirements
+ * - Schema-driven validation and transformation
+ * - Support for all principal types (User, Group, ServicePrincipal, ForeignGroup, Device)
+ * - Conditional role assignments using ABAC (Attribute-Based Access Control)
+ * - Delegated managed identity support for group assignments
+ * - Assignment at subscription, resource group, or resource scope
+ * - JSII compliance for multi-language support
+ */
+import * as cdktf from "cdktf";
+import { Construct } from "constructs";
+import { AzapiResource, AzapiResourceProps } from "../../core-azure/lib/azapi/azapi-resource";
+import { ApiSchema } from "../../core-azure/lib/version-manager/interfaces/version-interfaces";
+/**
+ * Properties for the unified Azure Role Assignment
+ *
+ * Extends AzapiResourceProps with Role Assignment specific properties.
+ *
+ * **Note on the `name` property:** While this interface inherits the `name` property
+ * from AzapiResourceProps, it is not used for role assignments. Azure role assignments
+ * require GUID format names, which are automatically generated by the construct.
+ * Any user-provided name value will be ignored in favor of Azure's deterministic
+ * GUID generation based on the deployment context.
+ */
+export interface RoleAssignmentProps extends AzapiResourceProps {
+    /**
+     * The role definition ID to assign
+     * This can be a built-in or custom role definition
+     * Required property
+     *
+     * @example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7" (Reader)
+     * @example "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" (Contributor)
+     */
+    readonly roleDefinitionId: string;
+    /**
+     * The principal ID (object ID) to which the role is assigned
+     * This can be a user, group, service principal, or managed identity
+     * Required property
+     *
+     * @example "00000000-0000-0000-0000-000000000000"
+     */
+    readonly principalId: string;
+    /**
+     * The scope at which the role assignment is applied
+     * Can be a subscription, resource group, or resource
+     * Required property
+     *
+     * @example "/subscriptions/00000000-0000-0000-0000-000000000000"
+     * @example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name"
+     * @example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/storage-name"
+     */
+    readonly scope: string;
+    /**
+     * The type of principal
+     * Specifies what kind of identity is being assigned the role
+     *
+     * @default undefined (Azure will auto-detect)
+     * @example "User" - An Azure AD user
+     * @example "Group" - An Azure AD group
+     * @example "ServicePrincipal" - A service principal (application)
+     * @example "ForeignGroup" - A group from external directory
+     * @example "Device" - A device identity
+     */
+    readonly principalType?: string;
+    /**
+     * The role assignment description
+     * Provides detailed information about why the assignment was made
+     *
+     * @example "Grants read access to monitoring team for resource diagnostics"
+     */
+    readonly description?: string;
+    /**
+     * The conditions on the role assignment
+     * Limits the resources it applies to using ABAC expressions
+     * Requires conditionVersion to be set when used
+     *
+     * @example "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'"
+     */
+    readonly condition?: string;
+    /**
+     * Version of the condition syntax
+     * Required when condition is specified
+     *
+     * @default undefined
+     * @example "2.0"
+     */
+    readonly conditionVersion?: string;
+    /**
+     * The delegated Azure Resource Id which contains a Managed Identity
+     * Applicable only when the principalType is Group
+     * Used for scenarios where a group assignment should use a specific managed identity
+     *
+     * @example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity"
+     */
+    readonly delegatedManagedIdentityResourceId?: string;
+    /**
+     * The lifecycle rules to ignore changes
+     * @example ["description"]
+     */
+    readonly ignoreChanges?: string[];
+}
+/**
+ * Properties interface for Azure Role Assignment
+ * This is required for JSII compliance to support multi-language code generation
+ */
+export interface RoleAssignmentProperties {
+    /**
+     * The role definition ID
+     */
+    readonly roleDefinitionId: string;
+    /**
+     * The principal ID
+     */
+    readonly principalId: string;
+    /**
+     * The scope of the role assignment
+     */
+    readonly scope: string;
+    /**
+     * The type of principal
+     */
+    readonly principalType?: string;
+    /**
+     * The role assignment description
+     */
+    readonly description?: string;
+    /**
+     * The conditions on the role assignment
+     */
+    readonly condition?: string;
+    /**
+     * Version of the condition syntax
+     */
+    readonly conditionVersion?: string;
+    /**
+     * The delegated managed identity resource ID
+     */
+    readonly delegatedManagedIdentityResourceId?: string;
+}
+/**
+ * The resource body interface for Azure Role Assignment API calls
+ * This matches the Azure REST API schema for role assignments
+ */
+export interface RoleAssignmentBody {
+    /**
+     * The properties of the role assignment
+     */
+    readonly properties: RoleAssignmentProperties;
+}
+/**
+ * Unified Azure Role Assignment implementation
+ *
+ * This class provides a single, version-aware implementation for managing Azure
+ * Role Assignments. It automatically handles version resolution, schema validation,
+ * and property transformation.
+ *
+ * **Important Notes:**
+ * - Role assignments are scoped resources deployed at subscription, resource group,
+ *   or resource level. They do not have a location property as they are not region-specific.
+ * - The `name` property (inherited from AzapiResourceProps) is not used. Azure automatically
+ *   generates a deterministic GUID for role assignment names based on the deployment context.
+ *   This ensures idempotent deployments without duplicate role assignments.
+ *
+ * @example
+ * Basic role assignment - Assign Reader role to a user at subscription scope
+ *
+ * const assignment = new RoleAssignment(this, "reader-assignment", {
+ *   roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+ *   principalId: "00000000-0000-0000-0000-000000000000",
+ *   scope: "/subscriptions/00000000-0000-0000-0000-000000000000",
+ *   principalType: "User",
+ * });
+ *
+ * @example
+ * Resource group scoped assignment - Assign Contributor to a service principal
+ *
+ * const assignment = new RoleAssignment(this, "contributor-assignment", {
+ *   roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ *   principalId: servicePrincipal.objectId,
+ *   scope: resourceGroup.id,
+ *   principalType: "ServicePrincipal",
+ *   description: "Grants contributor access to the deployment service principal",
+ * });
+ *
+ * @example
+ * Conditional assignment with ABAC - Limit access to specific storage containers
+ *
+ * const assignment = new RoleAssignment(this, "conditional-assignment", {
+ *   roleDefinitionId: storageRole.id,
+ *   principalId: user.objectId,
+ *   scope: storageAccount.id,
+ *   principalType: "User",
+ *   condition: "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'",
+ *   conditionVersion: "2.0",
+ *   description: "Grants access only to the logs container",
+ * });
+ *
+ * @stability stable
+ */
+export declare class RoleAssignment extends AzapiResource {
+    /**
+     * The input properties for this Role Assignment instance
+     */
+    readonly props: RoleAssignmentProps;
+    readonly idOutput: cdktf.TerraformOutput;
+    readonly nameOutput: cdktf.TerraformOutput;
+    /**
+     * Creates a new Azure Role Assignment using the VersionedAzapiResource framework
+     *
+     * The constructor automatically handles version resolution, schema registration,
+     * validation, and resource creation.
+     *
+     * @param scope - The scope in which to define this construct
+     * @param id - The unique identifier for this instance
+     * @param props - Configuration properties for the Role Assignment
+     */
+    constructor(scope: Construct, id: string, props: RoleAssignmentProps);
+    /**
+     * Gets the default API version to use when no explicit version is specified
+     * Returns the most recent stable version as the default
+     */
+    protected defaultVersion(): string;
+    /**
+     * Gets the Azure resource type for Role Assignments
+     */
+    protected resourceType(): string;
+    /**
+     * Gets the API schema for the resolved version
+     * Uses the framework's schema resolution to get the appropriate schema
+     */
+    protected apiSchema(): ApiSchema;
+    /**
+     * Creates the resource body for the Azure API call
+     * Transforms the input properties into the JSON format expected by Azure REST API
+     *
+     * Note: Role assignments do not have a location property as they are
+     * scoped resources (subscription, resource group, or resource level).
+     * The scope property is NOT included in the body as it's read-only and
+     * automatically derived from the parentId.
+     */
+    protected createResourceBody(props: any): any;
+    /**
+     * Overrides the name resolution to generate deterministic GUIDs for role assignments
+     *
+     * Role assignments require GUID format IDs. This implementation generates a deterministic
+     * UUID based on the role assignment's key properties to ensure:
+     * - Same GUID is generated on re-deployments with same parameters
+     * - Idempotent deployments (no duplicate role assignments)
+     * - Consistent behavior across deployment runs
+     */
+    protected resolveName(props: AzapiResourceProps): string;
+    /**
+     * Overrides parent ID resolution to use the scope from props
+     * Role assignments are scoped resources where the scope IS the parent
+     */
+    protected resolveParentId(props: any): string;
+    /**
+     * Get the full resource identifier for use in other Azure resources
+     * Alias for the id property
+     */
+    get resourceId(): string;
+    /**
+     * Get the role definition ID this assignment references
+     */
+    get roleDefinitionId(): string;
+    /**
+     * Get the principal ID that was granted this role
+     */
+    get principalId(): string;
+    /**
+     * Get the scope of this role assignment
+     */
+    get assignmentScope(): string;
+    /**
+     * Get the principal type
+     */
+    get principalType(): string | undefined;
+    /**
+     * Applies ignore changes lifecycle rules if specified in props
+     * Always includes body.properties.roleDefinitionId to handle Azure API format normalization
+     */
+    private _applyIgnoreChanges;
+}