@microsoft/terraform-cdk-constructs 1.6.0 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/.jsii +354 -264
  2. package/API.md +104 -76
  3. package/LICENSE +1 -1
  4. package/lib/azure-actiongroup/lib/action-group.js +1 -1
  5. package/lib/azure-activitylogalert/lib/activity-log-alert.js +1 -1
  6. package/lib/azure-aks/lib/aks-cluster.js +1 -1
  7. package/lib/azure-diagnosticsettings/lib/diagnostic-settings.js +1 -1
  8. package/lib/azure-dnsforwardingruleset/lib/dns-forwarding-ruleset.js +1 -1
  9. package/lib/azure-dnsforwardingruleset/lib/forwarding-rule.js +1 -1
  10. package/lib/azure-dnsforwardingruleset/lib/virtual-network-link.js +1 -1
  11. package/lib/azure-dnsresolver/lib/dns-resolver.js +1 -1
  12. package/lib/azure-dnsresolver/lib/inbound-endpoint.js +1 -1
  13. package/lib/azure-dnsresolver/lib/outbound-endpoint.js +1 -1
  14. package/lib/azure-dnszone/lib/dns-zone.js +1 -1
  15. package/lib/azure-metricalert/lib/metric-alert.js +1 -1
  16. package/lib/azure-networkinterface/lib/network-interface.js +1 -1
  17. package/lib/azure-networksecuritygroup/lib/network-security-group.js +1 -1
  18. package/lib/azure-policyassignment/lib/policy-assignment-schemas.js +2 -2
  19. package/lib/azure-policyassignment/lib/policy-assignment.d.ts +17 -5
  20. package/lib/azure-policyassignment/lib/policy-assignment.js +19 -13
  21. package/lib/azure-policyassignment/test/policy-assignment.spec.js +9 -6
  22. package/lib/azure-policydefinition/lib/policy-definition.d.ts +33 -0
  23. package/lib/azure-policydefinition/lib/policy-definition.js +33 -2
  24. package/lib/azure-policydefinition/test/policy-definition.spec.js +69 -1
  25. package/lib/azure-privatednszone/lib/private-dns-zone.js +1 -1
  26. package/lib/azure-privatednszonelink/lib/private-dns-zone-link.js +1 -1
  27. package/lib/azure-publicipaddress/lib/public-ip-address.js +1 -1
  28. package/lib/azure-resourcegroup/lib/resource-group.js +1 -1
  29. package/lib/azure-roleassignment/lib/role-assignment-schemas.js +2 -2
  30. package/lib/azure-roleassignment/lib/role-assignment.d.ts +18 -5
  31. package/lib/azure-roleassignment/lib/role-assignment.js +18 -6
  32. package/lib/azure-roleassignment/test/role-assignment.spec.js +11 -1
  33. package/lib/azure-roledefinition/lib/role-definition.d.ts +1 -0
  34. package/lib/azure-roledefinition/lib/role-definition.js +2 -2
  35. package/lib/azure-storageaccount/lib/storage-account.js +1 -1
  36. package/lib/azure-subnet/lib/subnet.js +1 -1
  37. package/lib/azure-virtualmachine/lib/virtual-machine.js +1 -1
  38. package/lib/azure-virtualnetwork/lib/virtual-network.js +1 -1
  39. package/lib/azure-virtualnetworkgateway/lib/virtual-network-gateway.js +1 -1
  40. package/lib/azure-virtualnetworkgatewayconnection/lib/virtual-network-gateway-connection.js +1 -1
  41. package/lib/azure-virtualnetworkmanager/lib/connectivity-configuration.js +1 -1
  42. package/lib/azure-virtualnetworkmanager/lib/ipam-pool-static-cidr.js +1 -1
  43. package/lib/azure-virtualnetworkmanager/lib/ipam-pool.js +1 -1
  44. package/lib/azure-virtualnetworkmanager/lib/network-group-static-member.js +1 -1
  45. package/lib/azure-virtualnetworkmanager/lib/network-group.js +1 -1
  46. package/lib/azure-virtualnetworkmanager/lib/security-admin-configuration.js +1 -1
  47. package/lib/azure-virtualnetworkmanager/lib/security-admin-rule-collection.js +1 -1
  48. package/lib/azure-virtualnetworkmanager/lib/security-admin-rule.js +1 -1
  49. package/lib/azure-virtualnetworkmanager/lib/virtual-network-manager.js +1 -1
  50. package/lib/azure-vmss/lib/virtual-machine-scale-set.js +1 -1
  51. package/lib/core-azure/lib/azapi/azapi-resource.js +2 -2
  52. package/lib/core-azure/lib/azapi/providers-azapi/data-azapi-client-config/index.js +2 -2
  53. package/lib/core-azure/lib/azapi/providers-azapi/data-azapi-resource/index.js +5 -5
  54. package/lib/core-azure/lib/azapi/providers-azapi/provider/index.js +1 -1
  55. package/lib/core-azure/lib/azapi/providers-azapi/resource/index.js +5 -5
  56. package/lib/core-azure/lib/azapi/providers-azapi/resource-action/index.js +3 -3
  57. package/lib/core-azure/lib/azapi/providers-azapi/update-resource/index.js +3 -3
  58. package/lib/core-azure/lib/azapi/schema-mapper/schema-mapper.js +3 -2
  59. package/lib/core-azure/lib/version-manager/api-version-manager.js +1 -1
  60. package/lib/core-azure/lib/version-manager/interfaces/version-interfaces.js +7 -7
  61. package/lib/testing/index.js +2 -2
  62. package/lib/testing/lib/cleanup.js +1 -1
  63. package/lib/testing/lib/metadata.js +1 -1
  64. package/package.json +1 -1
package/.jsii CHANGED
@@ -211,7 +211,7 @@
211
211
  "line": 46
212
212
  },
213
213
  "readme": {
214
- "markdown": "# Azure Policy Assignment Construct\n\nThis module provides a unified, version-aware implementation for managing Azure Policy Assignments using the AZAPI provider and CDK for Terraform.\n\n## Overview\n\nAzure Policy Assignments apply policy definitions to specific scopes (subscription, resource group, or resource) and provide parameter values for policy enforcement. Policy assignments can configure enforcement modes, managed identities for remediation, and custom non-compliance messages.\n\n## Key Features\n\n- **AZAPI Provider Integration**: Direct ARM API access for reliable deployments\n- **Version-Aware**: Automatically uses the latest stable API version (2022-06-01)\n- **Schema-Driven Validation**: Built-in validation based on Azure API schemas\n- **Type-Safe**: Full TypeScript support with comprehensive interfaces\n- **JSII Compatible**: Can be used from multiple programming languages\n- **Flexible Scoping**: Support for subscription, resource group, and resource-level assignments\n- **Enforcement Modes**: Control whether policies are enforced or audited\n- **Managed Identity Support**: Enable remediation for deployIfNotExists and modify policies\n- **Scope Exclusions**: Exclude specific scopes from policy evaluation\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n1. **Direct ARM API Access**: Communicates directly with Azure Resource Manager APIs\n2. **Faster Updates**: New Azure features are available immediately without provider updates\n3. **Consistent Behavior**: Matches Azure's native behavior exactly\n4. **Better Error Messages**: Detailed error messages directly from Azure\n5. **Version Flexibility**: Easily pin to specific API versions for stability\n\n## Installation\n\nThis package is part of the `@microsoft/terraform-cdk-constructs` library.\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Simple Policy Assignment\n\n```typescript\nimport { App, TerraformStack } from \"cdktf\";\nimport { AzapiProvider } from \"@microsoft/terraform-cdk-constructs/core-azure\";\nimport { PolicyDefinition } from \"@microsoft/terraform-cdk-constructs/azure-policydefinition\";\nimport { PolicyAssignment } from \"@microsoft/terraform-cdk-constructs/azure-policyassignment\";\n\nclass MyStack extends TerraformStack {\n constructor(scope: App, name: string) {\n super(scope, name);\n\n // Configure the AZAPI provider\n new AzapiProvider(this, \"azapi\", {});\n\n // First create or reference a policy definition\n const policyDef = new PolicyDefinition(this, \"require-tags\", {\n name: \"require-environment-tag\",\n policyRule: {\n if: {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n });\n\n // Then assign the policy to a scope\n const assignment = new PolicyAssignment(this, \"tag-assignment\", {\n name: \"require-tags-on-rg\",\n displayName: \"Require Environment Tag on Resources\",\n description: \"Ensures all resources in this resource group have an Environment tag\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg\",\n });\n\n console.log(\"Assignment ID:\", assignment.id);\n }\n}\n\nconst app = new App();\nnew MyStack(app, \"my-stack\");\napp.synth();\n```\n\n### Assignment with Parameters\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"tag-assignment\", {\n name: \"require-environment-tag\",\n displayName: \"Require Environment Tag\",\n policyDefinitionId: parameterizedPolicyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n parameters: {\n tagName: {\n value: \"Environment\",\n },\n allowedValues: {\n value: [\"Development\", \"Staging\", \"Production\"],\n },\n effect: {\n value: \"deny\",\n },\n },\n});\n```\n\n### Assignment with Built-in Policy\n\n```typescript\n// Reference a built-in Azure policy\nconst assignment = new PolicyAssignment(this, \"builtin-assignment\", {\n name: \"audit-vm-managed-disks\",\n displayName: \"Audit VMs without Managed Disks\",\n policyDefinitionId:\n \"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d\",\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"Default\",\n});\n```\n\n## Advanced Features\n\n### Enforcement Modes\n\nControl whether the policy is enforced or only audited:\n\n```typescript\n// Audit mode - policy is evaluated but not enforced\nconst auditAssignment = new PolicyAssignment(this, \"audit-assignment\", {\n name: \"audit-policy\",\n displayName: \"Audit Policy (DoNotEnforce)\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"DoNotEnforce\", // Audit only\n});\n\n// Enforcement mode - policy is actively enforced (default)\nconst enforceAssignment = new PolicyAssignment(this, \"enforce-assignment\", {\n name: \"enforce-policy\",\n displayName: \"Enforce Policy (Default)\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"Default\", // Actively enforced\n});\n```\n\n### Managed Identity for Remediation\n\nFor policies with deployIfNotExists or modify effects, add a managed identity:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"remediation-assignment\", {\n name: \"deploy-vm-monitoring\",\n displayName: \"Deploy VM Monitoring Extension\",\n policyDefinitionId: deployPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\",\n },\n});\n\n// Or use a user-assigned identity\nconst userIdentityAssignment = new PolicyAssignment(\n this,\n \"user-identity-assignment\",\n {\n name: \"deploy-with-user-identity\",\n policyDefinitionId: deployPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"UserAssigned\",\n userAssignedIdentities: {\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity\":\n {},\n },\n },\n },\n);\n```\n\n### Scope Exclusions\n\nExclude specific scopes from policy evaluation:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"with-exclusions\", {\n name: \"subscription-policy-with-exclusions\",\n displayName: \"Subscription Policy with Exclusions\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n notScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/excluded-rg\",\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg\",\n ],\n});\n```\n\n### Custom Non-Compliance Messages\n\nProvide helpful messages when resources are non-compliant:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"with-messages\", {\n name: \"tag-policy\",\n displayName: \"Require Resource Tags\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n nonComplianceMessages: [\n {\n message:\n \"All resources must have the required tags. Please add the Environment tag with an appropriate value.\",\n },\n ],\n});\n```\n\n### Explicit API Version\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"pinned-version\", {\n name: \"my-assignment\",\n apiVersion: \"2022-06-01\", // Pin to specific version for stability\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n});\n```\n\n### Using Outputs\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"my-assignment\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n});\n\n// Use the assignment ID in other resources\nnew TerraformOutput(this, \"assignment-id\", {\n value: assignment.id,\n});\n\n// Access assignment properties\nconsole.log(\"Policy Definition ID:\", assignment.policyDefinitionId);\nconsole.log(\"Assignment Scope:\", assignment.assignmentScope);\nconsole.log(\"Enforcement Mode:\", assignment.enforcementMode);\n```\n\n## Complete Properties Documentation\n\n### PolicyAssignmentProps\n\n| Property | Type | Required | Default | Description |\n| ------------------------ | -------- | -------- | --------- | ----------------------------------------------------- |\n| `name` | string | No\\* | Construct | Name of the policy assignment |\n| `policyDefinitionId` | string | **Yes** | - | ID of the policy definition to assign |\n| `scope` | string | **Yes** | - | Scope where the policy is assigned |\n| `displayName` | string | No | - | Display name for the assignment |\n| `description` | string | No | - | Description of the assignment |\n| `enforcementMode` | string | No | \"Default\" | Default or DoNotEnforce |\n| `parameters` | object | No | - | Parameter values for the policy |\n| `metadata` | object | No | - | Additional metadata |\n| `identity` | object | No | - | Managed identity configuration |\n| `notScopes` | string[] | No | - | Scopes to exclude from policy evaluation |\n| `nonComplianceMessages` | array | No | - | Custom non-compliance messages |\n| `apiVersion` | string | No | latest | Specific API version to use |\n| `ignoreChanges` | string[] | No | - | Properties to ignore during Terraform updates |\n| `enableValidation` | boolean | No | true | Enable schema validation |\n| `enableMigrationAnalysis`| boolean | No | false | Enable migration analysis between versions |\n| `enableTransformation` | boolean | No | true | Enable property transformation |\n\n\\*If `name` is not provided, the construct ID will be used as the assignment name.\n\n## Supported API Versions\n\n| Version | Support Level | Release Date | Notes |\n| ---------- | ------------- | ------------ | ----------------------------------- |\n| 2022-06-01 | Active | 2022-06-01 | Latest stable version (recommended) |\n\n## Policy Assignment Concepts\n\n### Scoping Levels\n\nPolicy assignments can be applied at different organizational levels:\n\n#### Subscription Scope\n\n```typescript\nscope: \"/subscriptions/00000000-0000-0000-0000-000000000000\";\n```\n\nApplies to all resources in the subscription (unless excluded via notScopes)\n\n#### Resource Group Scope\n\n```typescript\nscope:\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg\";\n```\n\nApplies to all resources in the resource group\n\n#### Resource Scope\n\n```typescript\nscope:\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage\";\n```\n\nApplies to a specific resource\n\n### Enforcement Modes\n\n- **Default**: Policy effect is enforced during resource creation/update (deny, modify, deployIfNotExists)\n- **DoNotEnforce**: Policy is evaluated but the effect is not enforced (audit only mode)\n\nUse DoNotEnforce to test policies without impacting resources, then switch to Default when ready.\n\n### Identity Types\n\nManaged identities are required for policy assignments that use deployIfNotExists or modify effects:\n\n- **SystemAssigned**: Azure automatically creates and manages an identity for the assignment\n- **UserAssigned**: You provide an existing managed identity\n- **None**: No identity (use for audit and deny policies)\n\nThe identity needs appropriate RBAC permissions (typically Contributor or specific resource permissions) to perform remediation actions.\n\n## Available Outputs\n\nPolicy Assignment constructs expose the following outputs:\n\n- `id`: The Azure resource ID of the policy assignment\n- `name`: The name of the policy assignment\n- `resourceId`: Alias for the ID (for consistency with other constructs)\n- `policyDefinitionId`: The ID of the assigned policy definition\n- `assignmentScope`: The scope where the policy is assigned\n- `enforcementMode`: The enforcement mode of the assignment\n\n## Best Practices\n\n1. **Start with DoNotEnforce Mode**\n\n - Test new assignments in audit mode first\n - Monitor compliance reports before enforcing\n - Gradually roll out enforcement after validation\n\n2. **Use Descriptive Names**\n\n - Make assignment purpose clear from the name\n - Include scope information in display name\n - Document the assignment's intent\n\n3. **Provide Non-Compliance Messages**\n\n - Help users understand why resources are non-compliant\n - Include remediation steps in messages\n - Be specific and actionable\n\n4. **Scope Appropriately**\n\n - Apply policies at the right organizational level\n - Use subscription scope for organization-wide policies\n - Use resource group scope for environment-specific policies\n\n5. **Use Parameters Effectively**\n\n - Reuse policy definitions with different parameter values\n - Provide appropriate defaults in policy definitions\n - Document parameter requirements\n\n6. **Configure Identity Correctly**\n\n - Add managed identity for deployIfNotExists and modify policies\n - Grant minimum required permissions (least privilege)\n - Use user-assigned identities for shared remediation scenarios\n\n7. **Monitor and Review**\n\n - Regularly review compliance reports\n - Address non-compliant resources\n - Update policies and assignments as requirements change\n\n8. **Document Exclusions**\n - Clearly document why scopes are excluded\n - Regularly review exclusions for continued validity\n - Minimize the use of exclusions\n\n## Examples\n\n### Assign Tag Policy at Subscription Level\n\n```typescript\nconst tagPolicy = new PolicyDefinition(this, \"tag-policy\", {\n name: \"require-cost-center\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n\nconst tagAssignment = new PolicyAssignment(this, \"sub-tag-assignment\", {\n name: \"require-cost-center-sub\",\n displayName: \"Require CostCenter Tag on All Resources\",\n description: \"Denies resource creation without CostCenter tag\",\n policyDefinitionId: tagPolicy.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n nonComplianceMessages: [\n {\n message:\n \"Resources must have a CostCenter tag for billing purposes. Contact your team lead for the appropriate cost center code.\",\n },\n ],\n});\n```\n\n### Audit Mode Testing\n\n```typescript\n// Test a policy in audit mode before enforcing\nconst testAssignment = new PolicyAssignment(this, \"test-assignment\", {\n name: \"test-location-policy\",\n displayName: \"Test Location Restriction (Audit Only)\",\n description: \"Testing location policy in audit mode\",\n policyDefinitionId: locationPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg\",\n enforcementMode: \"DoNotEnforce\", // Audit only\n metadata: {\n testPhase: \"audit\",\n plannedEnforcement: \"2024-02-01\",\n },\n});\n```\n\n### Remediation with Managed Identity\n\n```typescript\nconst remediationPolicy = new PolicyDefinition(this, \"deploy-backup\", {\n name: \"deploy-vm-backup\",\n policyRule: {\n if: {\n field: \"type\",\n equals: \"Microsoft.Compute/virtualMachines\",\n },\n then: {\n effect: \"deployIfNotExists\",\n details: {\n type: \"Microsoft.RecoveryServices/backupprotecteditems\",\n deploymentScope: \"subscription\",\n // ... deployment template\n },\n },\n },\n});\n\nconst remediationAssignment = new PolicyAssignment(\n this,\n \"backup-assignment\",\n {\n name: \"deploy-vm-backup-assignment\",\n displayName: \"Deploy VM Backup Configuration\",\n description:\n \"Automatically deploys backup configuration for virtual machines\",\n policyDefinitionId: remediationPolicy.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\",\n },\n },\n);\n\n// Note: You would also need to create a role assignment to grant\n// the managed identity permissions to deploy backup configurations\n```\n\n### Multiple Assignments for Different Environments\n\n```typescript\nconst environments = [\"dev\", \"staging\", \"prod\"];\n\nenvironments.forEach((env) => {\n const rgScope = `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${env}-rg`;\n\n new PolicyAssignment(this, `${env}-assignment`, {\n name: `require-tags-${env}`,\n displayName: `Require Tags in ${env.toUpperCase()} Environment`,\n policyDefinitionId: tagPolicyId,\n scope: rgScope,\n parameters: {\n environmentTag: {\n value: env,\n },\n },\n metadata: {\n environment: env,\n assignedBy: \"terraform-cdk\",\n },\n });\n});\n```\n\n## Relationship with Policy Definitions\n\nPolicy Assignments apply Policy Definitions to specific scopes. The typical workflow is:\n\n1. **Create or Reference a Policy Definition**: Define the rules and conditions\n2. **Create a Policy Assignment**: Apply the definition to a scope with specific parameters\n3. **Monitor Compliance**: Review compliance reports and take remediation actions\n\n```typescript\n// Step 1: Create a policy definition\nconst policyDef = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n policyRule: {\n /* ... */\n },\n});\n\n// Step 2: Assign the policy to a scope\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"my-assignment\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/...\",\n});\n\n// Step 3: Monitor compliance via Azure Portal or API\n```\n\n## Related Constructs\n\n- **Policy Definitions**: Define the rules and effects to enforce\n- **Role Assignments**: Grant permissions for managed identities to perform remediation\n- **Resource Groups**: Common scope for policy assignments\n- **Management Groups**: Higher-level scope for organization-wide policies\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Policy Not Taking Effect**\n\n - Allow time for policy evaluation (15-30 minutes)\n - Check enforcement mode (DoNotEnforce vs Default)\n - Verify scope is correct\n - Check for exclusions in notScopes\n\n2. **Remediation Failures**\n\n - Verify managed identity is configured\n - Check RBAC permissions for the identity\n - Review deployment template in policy definition\n - Check Azure Activity Log for detailed errors\n\n3. **Compliance Not Showing**\n\n - Wait for compliance evaluation cycle\n - Trigger manual compliance scan\n - Verify assignment is deployed successfully\n - Check assignment scope matches resources\n\n4. **Parameter Errors**\n - Ensure parameter types match policy definition\n - Check parameter names are correct\n - Verify values are in allowed ranges\n - Review parameter schema in policy definition\n\n## Contributing\n\nContributions are welcome! Please refer to the main project's contributing guidelines.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details."
214
+ "markdown": "# Azure Policy Assignment Construct\n\nThis module provides a unified, version-aware implementation for managing Azure Policy Assignments using the AZAPI provider and CDK for Terraform.\n\n## Overview\n\nAzure Policy Assignments apply policy definitions to specific scopes (management group, subscription, resource group, or resource) and provide parameter values for policy enforcement. Policy assignments can configure enforcement modes, managed identities for remediation, and custom non-compliance messages.\n\n## Key Features\n\n- **AZAPI Provider Integration**: Direct ARM API access for reliable deployments\n- **Version-Aware**: Automatically uses the latest stable API version (2022-06-01)\n- **Schema-Driven Validation**: Built-in validation based on Azure API schemas\n- **Type-Safe**: Full TypeScript support with comprehensive interfaces\n- **JSII Compatible**: Can be used from multiple programming languages\n- **Flexible Scoping**: Support for management group, subscription, resource group, and resource-level assignments\n- **Enforcement Modes**: Control whether policies are enforced or audited\n- **Managed Identity Support**: Enable remediation for deployIfNotExists and modify policies\n- **Scope Exclusions**: Exclude specific scopes from policy evaluation\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n1. **Direct ARM API Access**: Communicates directly with Azure Resource Manager APIs\n2. **Faster Updates**: New Azure features are available immediately without provider updates\n3. **Consistent Behavior**: Matches Azure's native behavior exactly\n4. **Better Error Messages**: Detailed error messages directly from Azure\n5. **Version Flexibility**: Easily pin to specific API versions for stability\n\n## Installation\n\nThis package is part of the `@microsoft/terraform-cdk-constructs` library.\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Simple Policy Assignment\n\n```typescript\nimport { App, TerraformStack } from \"cdktf\";\nimport { AzapiProvider } from \"@microsoft/terraform-cdk-constructs/core-azure\";\nimport { PolicyDefinition } from \"@microsoft/terraform-cdk-constructs/azure-policydefinition\";\nimport { PolicyAssignment } from \"@microsoft/terraform-cdk-constructs/azure-policyassignment\";\n\nclass MyStack extends TerraformStack {\n constructor(scope: App, name: string) {\n super(scope, name);\n\n // Configure the AZAPI provider\n new AzapiProvider(this, \"azapi\", {});\n\n // First create or reference a policy definition\n const policyDef = new PolicyDefinition(this, \"require-tags\", {\n name: \"require-environment-tag\",\n policyRule: {\n if: {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n });\n\n // Then assign the policy to a scope\n const assignment = new PolicyAssignment(this, \"tag-assignment\", {\n name: \"require-tags-on-rg\",\n displayName: \"Require Environment Tag on Resources\",\n description: \"Ensures all resources in this resource group have an Environment tag\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg\",\n });\n\n console.log(\"Assignment ID:\", assignment.id);\n }\n}\n\nconst app = new App();\nnew MyStack(app, \"my-stack\");\napp.synth();\n```\n\n### Assignment with Parameters\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"tag-assignment\", {\n name: \"require-environment-tag\",\n displayName: \"Require Environment Tag\",\n policyDefinitionId: parameterizedPolicyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n parameters: {\n tagName: {\n value: \"Environment\",\n },\n allowedValues: {\n value: [\"Development\", \"Staging\", \"Production\"],\n },\n effect: {\n value: \"deny\",\n },\n },\n});\n```\n\n### Assignment with Built-in Policy\n\n```typescript\n// Reference a built-in Azure policy\nconst assignment = new PolicyAssignment(this, \"builtin-assignment\", {\n name: \"audit-vm-managed-disks\",\n displayName: \"Audit VMs without Managed Disks\",\n policyDefinitionId:\n \"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d\",\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"Default\",\n});\n```\n\n## Advanced Features\n\n### Enforcement Modes\n\nControl whether the policy is enforced or only audited:\n\n```typescript\n// Audit mode - policy is evaluated but not enforced\nconst auditAssignment = new PolicyAssignment(this, \"audit-assignment\", {\n name: \"audit-policy\",\n displayName: \"Audit Policy (DoNotEnforce)\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"DoNotEnforce\", // Audit only\n});\n\n// Enforcement mode - policy is actively enforced (default)\nconst enforceAssignment = new PolicyAssignment(this, \"enforce-assignment\", {\n name: \"enforce-policy\",\n displayName: \"Enforce Policy (Default)\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n enforcementMode: \"Default\", // Actively enforced\n});\n```\n\n### Managed Identity for Remediation\n\nFor policies with deployIfNotExists or modify effects, add a managed identity:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"remediation-assignment\", {\n name: \"deploy-vm-monitoring\",\n displayName: \"Deploy VM Monitoring Extension\",\n policyDefinitionId: deployPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\",\n },\n});\n\n// Or use a user-assigned identity\nconst userIdentityAssignment = new PolicyAssignment(\n this,\n \"user-identity-assignment\",\n {\n name: \"deploy-with-user-identity\",\n policyDefinitionId: deployPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"UserAssigned\",\n userAssignedIdentities: {\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity\":\n {},\n },\n },\n },\n);\n```\n\n### Scope Exclusions\n\nExclude specific scopes from policy evaluation:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"with-exclusions\", {\n name: \"subscription-policy-with-exclusions\",\n displayName: \"Subscription Policy with Exclusions\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n notScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/excluded-rg\",\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg\",\n ],\n});\n```\n\n### Custom Non-Compliance Messages\n\nProvide helpful messages when resources are non-compliant:\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"with-messages\", {\n name: \"tag-policy\",\n displayName: \"Require Resource Tags\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n nonComplianceMessages: [\n {\n message:\n \"All resources must have the required tags. Please add the Environment tag with an appropriate value.\",\n },\n ],\n});\n```\n\n### Explicit API Version\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"pinned-version\", {\n name: \"my-assignment\",\n apiVersion: \"2022-06-01\", // Pin to specific version for stability\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n});\n```\n\n### Using Outputs\n\n```typescript\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"my-assignment\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n});\n\n// Use the assignment ID in other resources\nnew TerraformOutput(this, \"assignment-id\", {\n value: assignment.id,\n});\n\n// Access assignment properties\nconsole.log(\"Policy Definition ID:\", assignment.policyDefinitionId);\nconsole.log(\"Assignment Scope:\", assignment.assignmentScope);\nconsole.log(\"Enforcement Mode:\", assignment.enforcementMode);\n```\n\n## Complete Properties Documentation\n\n### PolicyAssignmentProps\n\n| Property | Type | Required | Default | Description |\n| ------------------------ | -------- | -------- | --------- | ----------------------------------------------------- |\n| `name` | string | No\\* | Construct | Name of the policy assignment |\n| `policyDefinitionId` | string | **Yes** | - | ID of the policy definition to assign |\n| `scope` | string | **Yes** | - | Scope where the policy is assigned |\n| `displayName` | string | No | - | Display name for the assignment |\n| `description` | string | No | - | Description of the assignment |\n| `enforcementMode` | string | No | \"Default\" | Default or DoNotEnforce |\n| `parameters` | object | No | - | Parameter values for the policy |\n| `metadata` | object | No | - | Additional metadata |\n| `identity` | object | No | - | Managed identity configuration |\n| `notScopes` | string[] | No | - | Scopes to exclude from policy evaluation |\n| `nonComplianceMessages` | array | No | - | Custom non-compliance messages |\n| `apiVersion` | string | No | latest | Specific API version to use |\n| `ignoreChanges` | string[] | No | - | Properties to ignore during Terraform updates |\n| `enableValidation` | boolean | No | true | Enable schema validation |\n| `enableMigrationAnalysis`| boolean | No | false | Enable migration analysis between versions |\n| `enableTransformation` | boolean | No | true | Enable property transformation |\n\n\\*If `name` is not provided, the construct ID will be used as the assignment name.\n\n## Supported API Versions\n\n| Version | Support Level | Release Date | Notes |\n| ---------- | ------------- | ------------ | ----------------------------------- |\n| 2022-06-01 | Active | 2022-06-01 | Latest stable version (recommended) |\n\n## Policy Assignment Concepts\n\n### Scoping Levels\n\nPolicy assignments can be applied at different organizational levels:\n\n#### Management Group Scope\n\n```typescript\nscope: \"/providers/Microsoft.Management/managementGroups/my-mg\";\n```\n\nApplies to all subscriptions and resources within the management group hierarchy. This is the highest level scope and is ideal for organization-wide policies.\n\n#### Subscription Scope\n\n```typescript\nscope: \"/subscriptions/00000000-0000-0000-0000-000000000000\";\n```\n\nApplies to all resources in the subscription (unless excluded via notScopes)\n\n#### Resource Group Scope\n\n```typescript\nscope:\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg\";\n```\n\nApplies to all resources in the resource group\n\n#### Resource Scope\n\n```typescript\nscope:\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage\";\n```\n\nApplies to a specific resource\n\n### Enforcement Modes\n\n- **Default**: Policy effect is enforced during resource creation/update (deny, modify, deployIfNotExists)\n- **DoNotEnforce**: Policy is evaluated but the effect is not enforced (audit only mode)\n\nUse DoNotEnforce to test policies without impacting resources, then switch to Default when ready.\n\n### Identity Types\n\nManaged identities are required for policy assignments that use deployIfNotExists or modify effects:\n\n- **SystemAssigned**: Azure automatically creates and manages an identity for the assignment\n- **UserAssigned**: You provide an existing managed identity\n- **None**: No identity (use for audit and deny policies)\n\nThe identity needs appropriate RBAC permissions (typically Contributor or specific resource permissions) to perform remediation actions.\n\n## Available Outputs\n\nPolicy Assignment constructs expose the following outputs:\n\n- `id`: The Azure resource ID of the policy assignment\n- `name`: The name of the policy assignment\n- `resourceId`: Alias for the ID (for consistency with other constructs)\n- `policyDefinitionId`: The ID of the assigned policy definition\n- `assignmentScope`: The scope where the policy is assigned\n- `enforcementMode`: The enforcement mode of the assignment\n\n## Best Practices\n\n1. **Start with DoNotEnforce Mode**\n\n - Test new assignments in audit mode first\n - Monitor compliance reports before enforcing\n - Gradually roll out enforcement after validation\n\n2. **Use Descriptive Names**\n\n - Make assignment purpose clear from the name\n - Include scope information in display name\n - Document the assignment's intent\n\n3. **Provide Non-Compliance Messages**\n\n - Help users understand why resources are non-compliant\n - Include remediation steps in messages\n - Be specific and actionable\n\n4. **Scope Appropriately**\n\n - Apply policies at the right organizational level\n - Use subscription scope for organization-wide policies\n - Use resource group scope for environment-specific policies\n\n5. **Use Parameters Effectively**\n\n - Reuse policy definitions with different parameter values\n - Provide appropriate defaults in policy definitions\n - Document parameter requirements\n\n6. **Configure Identity Correctly**\n\n - Add managed identity for deployIfNotExists and modify policies\n - Grant minimum required permissions (least privilege)\n - Use user-assigned identities for shared remediation scenarios\n\n7. **Monitor and Review**\n\n - Regularly review compliance reports\n - Address non-compliant resources\n - Update policies and assignments as requirements change\n\n8. **Document Exclusions**\n - Clearly document why scopes are excluded\n - Regularly review exclusions for continued validity\n - Minimize the use of exclusions\n\n## Examples\n\n### Assign Policy at Management Group Level\n\n```typescript\n// Apply an organization-wide policy at management group scope\nconst mgPolicyDefinition = new PolicyDefinition(this, \"org-policy\", {\n name: \"require-resource-tags\",\n parentId: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Require Resource Tags\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n\nconst mgAssignment = new PolicyAssignment(this, \"mg-tag-assignment\", {\n name: \"require-tags-org-wide\",\n displayName: \"Require Tags Across Organization\",\n description: \"Enforces required tags across all subscriptions in the management group\",\n policyDefinitionId: mgPolicyDefinition.id,\n scope: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n nonComplianceMessages: [\n {\n message:\n \"All resources must have a CostCenter tag for billing and cost allocation purposes.\",\n },\n ],\n});\n```\n\n### Assign Tag Policy at Subscription Level\n\n```typescript\nconst tagPolicy = new PolicyDefinition(this, \"tag-policy\", {\n name: \"require-cost-center\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n\nconst tagAssignment = new PolicyAssignment(this, \"sub-tag-assignment\", {\n name: \"require-cost-center-sub\",\n displayName: \"Require CostCenter Tag on All Resources\",\n description: \"Denies resource creation without CostCenter tag\",\n policyDefinitionId: tagPolicy.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n nonComplianceMessages: [\n {\n message:\n \"Resources must have a CostCenter tag for billing purposes. Contact your team lead for the appropriate cost center code.\",\n },\n ],\n});\n```\n\n### Audit Mode Testing\n\n```typescript\n// Test a policy in audit mode before enforcing\nconst testAssignment = new PolicyAssignment(this, \"test-assignment\", {\n name: \"test-location-policy\",\n displayName: \"Test Location Restriction (Audit Only)\",\n description: \"Testing location policy in audit mode\",\n policyDefinitionId: locationPolicyId,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg\",\n enforcementMode: \"DoNotEnforce\", // Audit only\n metadata: {\n testPhase: \"audit\",\n plannedEnforcement: \"2024-02-01\",\n },\n});\n```\n\n### Remediation with Managed Identity\n\n```typescript\nconst remediationPolicy = new PolicyDefinition(this, \"deploy-backup\", {\n name: \"deploy-vm-backup\",\n policyRule: {\n if: {\n field: \"type\",\n equals: \"Microsoft.Compute/virtualMachines\",\n },\n then: {\n effect: \"deployIfNotExists\",\n details: {\n type: \"Microsoft.RecoveryServices/backupprotecteditems\",\n deploymentScope: \"subscription\",\n // ... deployment template\n },\n },\n },\n});\n\nconst remediationAssignment = new PolicyAssignment(\n this,\n \"backup-assignment\",\n {\n name: \"deploy-vm-backup-assignment\",\n displayName: \"Deploy VM Backup Configuration\",\n description:\n \"Automatically deploys backup configuration for virtual machines\",\n policyDefinitionId: remediationPolicy.id,\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\",\n },\n },\n);\n\n// Note: You would also need to create a role assignment to grant\n// the managed identity permissions to deploy backup configurations\n```\n\n### Multiple Assignments for Different Environments\n\n```typescript\nconst environments = [\"dev\", \"staging\", \"prod\"];\n\nenvironments.forEach((env) => {\n const rgScope = `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${env}-rg`;\n\n new PolicyAssignment(this, `${env}-assignment`, {\n name: `require-tags-${env}`,\n displayName: `Require Tags in ${env.toUpperCase()} Environment`,\n policyDefinitionId: tagPolicyId,\n scope: rgScope,\n parameters: {\n environmentTag: {\n value: env,\n },\n },\n metadata: {\n environment: env,\n assignedBy: \"terraform-cdk\",\n },\n });\n});\n```\n\n## Relationship with Policy Definitions\n\nPolicy Assignments apply Policy Definitions to specific scopes. The typical workflow is:\n\n1. **Create or Reference a Policy Definition**: Define the rules and conditions\n2. **Create a Policy Assignment**: Apply the definition to a scope with specific parameters\n3. **Monitor Compliance**: Review compliance reports and take remediation actions\n\n```typescript\n// Step 1: Create a policy definition\nconst policyDef = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n policyRule: {\n /* ... */\n },\n});\n\n// Step 2: Assign the policy to a scope\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"my-assignment\",\n policyDefinitionId: policyDef.id,\n scope: \"/subscriptions/...\",\n});\n\n// Step 3: Monitor compliance via Azure Portal or API\n```\n\n## Related Constructs\n\n- **Policy Definitions**: Define the rules and effects to enforce\n- **Role Assignments**: Grant permissions for managed identities to perform remediation\n- **Resource Groups**: Common scope for policy assignments\n- **Management Groups**: Higher-level scope for organization-wide policies\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Policy Not Taking Effect**\n\n - Allow time for policy evaluation (15-30 minutes)\n - Check enforcement mode (DoNotEnforce vs Default)\n - Verify scope is correct\n - Check for exclusions in notScopes\n\n2. **Remediation Failures**\n\n - Verify managed identity is configured\n - Check RBAC permissions for the identity\n - Review deployment template in policy definition\n - Check Azure Activity Log for detailed errors\n\n3. **Compliance Not Showing**\n\n - Wait for compliance evaluation cycle\n - Trigger manual compliance scan\n - Verify assignment is deployed successfully\n - Check assignment scope matches resources\n\n4. **Parameter Errors**\n - Ensure parameter types match policy definition\n - Check parameter names are correct\n - Verify values are in allowed ranges\n - Review parameter schema in policy definition\n\n## Contributing\n\nContributions are welcome! Please refer to the main project's contributing guidelines.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details."
215
215
  },
216
216
  "symbolId": "src/azure-policyassignment/index:"
217
217
  },
@@ -221,7 +221,7 @@
221
221
  "line": 47
222
222
  },
223
223
  "readme": {
224
- "markdown": "# Azure Policy Definition Construct\n\nThis module provides a unified, version-aware implementation for managing Azure Policy Definitions using the AZAPI provider and CDK for Terraform.\n\n## Overview\n\nAzure Policy Definitions are rules that enforce specific conditions and effects on Azure resources. They are deployed at subscription or management group scope and can be used to ensure compliance with organizational standards.\n\n## Key Features\n\n- **AZAPI Provider Integration**: Direct ARM API access for reliable deployments\n- **Version-Aware**: Automatically uses the latest stable API version (2021-06-01)\n- **Schema-Driven Validation**: Built-in validation based on Azure API schemas\n- **Type-Safe**: Full TypeScript support with comprehensive interfaces\n- **JSII Compatible**: Can be used from multiple programming languages\n- **Flexible Policy Rules**: Support for simple and complex policy logic\n- **Parameterized Policies**: Create reusable policies with parameters\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n1. **Direct ARM API Access**: Communicates directly with Azure Resource Manager APIs\n2. **Faster Updates**: New Azure features are available immediately without provider updates\n3. **Consistent Behavior**: Matches Azure's native behavior exactly\n4. **Better Error Messages**: Detailed error messages directly from Azure\n5. **Version Flexibility**: Easily pin to specific API versions for stability\n\n## Installation\n\nThis package is part of the `@microsoft/terraform-cdk-constructs` library.\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Simple Policy Definition\n\n```typescript\nimport { App, TerraformStack } from \"cdktf\";\nimport { AzapiProvider } from \"@microsoft/terraform-cdk-constructs/core-azure\";\nimport { PolicyDefinition } from \"@microsoft/terraform-cdk-constructs/azure-policydefinition\";\n\nclass MyStack extends TerraformStack {\n constructor(scope: App, name: string) {\n super(scope, name);\n\n // Configure the AZAPI provider\n new AzapiProvider(this, \"azapi\", {});\n\n // Create a simple policy definition\n const policyDefinition = new PolicyDefinition(this, \"require-tags\", {\n name: \"require-environment-tag\",\n displayName: \"Require Environment Tag\",\n description: \"Ensures all resources have an Environment tag\",\n policyType: \"Custom\",\n mode: \"Indexed\",\n policyRule: {\n if: {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n metadata: {\n category: \"Tags\",\n version: \"1.0.0\",\n },\n });\n\n console.log(\"Policy ID:\", policyDefinition.id);\n }\n}\n\nconst app = new App();\nnew MyStack(app, \"my-stack\");\napp.synth();\n```\n\n### Policy Definition with Parameters\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"tag-policy\", {\n name: \"require-tag-with-values\",\n displayName: \"Require Tag with Specific Values\",\n description: \"Ensures resources have a tag with an allowed value\",\n policyRule: {\n if: {\n allOf: [\n {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n exists: \"true\",\n },\n {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n notIn: \"[parameters('allowedValues')]\",\n },\n ],\n },\n then: {\n effect: \"[parameters('effect')]\",\n },\n },\n parameters: {\n tagName: {\n type: \"String\",\n metadata: {\n displayName: \"Tag Name\",\n description: \"Name of the tag to check\",\n },\n defaultValue: \"CostCenter\",\n },\n allowedValues: {\n type: \"Array\",\n metadata: {\n displayName: \"Allowed Values\",\n description: \"List of allowed tag values\",\n },\n defaultValue: [\"Engineering\", \"Marketing\", \"Operations\"],\n },\n effect: {\n type: \"String\",\n metadata: {\n displayName: \"Effect\",\n description: \"The effect of the policy (audit or deny)\",\n },\n allowedValues: [\"audit\", \"deny\"],\n defaultValue: \"audit\",\n },\n },\n metadata: {\n category: \"Tags\",\n version: \"1.0.0\",\n },\n});\n```\n\n## Advanced Features\n\n### Complex Policy Rules\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"storage-policy\", {\n name: \"require-https-storage\",\n displayName: \"Require HTTPS for Storage Accounts\",\n description: \"Denies storage accounts that don't enforce HTTPS\",\n mode: \"Indexed\",\n policyRule: {\n if: {\n allOf: [\n {\n field: \"type\",\n equals: \"Microsoft.Storage/storageAccounts\",\n },\n {\n field: \"Microsoft.Storage/storageAccounts/enableHttpsTrafficOnly\",\n notEquals: \"true\",\n },\n ],\n },\n then: {\n effect: \"deny\",\n },\n },\n metadata: {\n category: \"Storage\",\n version: \"1.0.0\",\n },\n});\n```\n\n### Explicit API Version\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n apiVersion: \"2021-06-01\", // Pin to specific version for stability\n policyRule: {\n if: {\n field: \"location\",\n notIn: [\"eastus\", \"westus\"],\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Using Outputs\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n policyRule: {\n /* ... */\n },\n});\n\n// Use the policy definition ID in other resources\nnew TerraformOutput(this, \"policy-id\", {\n value: policyDefinition.id,\n});\n\n// Access policy properties\nconsole.log(\"Policy Type:\", policyDefinition.policyType);\nconsole.log(\"Policy Mode:\", policyDefinition.policyMode);\n```\n\n## Complete Properties Documentation\n\n### PolicyDefinitionProps\n\n| Property | Type | Required | Default | Description |\n| -------- | ---- | -------- | ------- | ----------- |\n| `name` | string | No* | Construct ID | Name of the policy definition |\n| `policyRule` | object | **Yes** | - | The policy rule JSON object defining if/then logic |\n| `displayName` | string | No | - | Display name for the policy in Azure Portal |\n| `description` | string | No | - | Description of what the policy enforces |\n| `policyType` | string | No | \"Custom\" | Type of policy: Custom, BuiltIn, Static, NotSpecified |\n| `mode` | string | No | \"All\" | Policy mode: All, Indexed, or resource provider modes |\n| `parameters` | object | No | - | Parameters that can be passed to policy assignments |\n| `metadata` | object | No | - | Additional metadata (category, version, etc.) |\n| `apiVersion` | string | No | \"2021-06-01\" | Specific API version to use |\n| `ignoreChanges` | string[] | No | - | Properties to ignore during Terraform updates |\n| `enableValidation` | boolean | No | true | Enable schema validation |\n| `enableMigrationAnalysis` | boolean | No | false | Enable migration analysis between versions |\n| `enableTransformation` | boolean | No | true | Enable property transformation |\n\n*If `name` is not provided, the construct ID will be used as the policy definition name.\n\n## Supported API Versions\n\n| Version | Support Level | Release Date | Notes |\n| ---------- | ------------- | ------------ | --------------------------------------- |\n| 2021-06-01 | Active | 2021-06-01 | Latest stable version (recommended) |\n\n## Policy Definition Concepts\n\n### Policy Types\n\n- **Custom**: User-defined policies (default) - Used for organization-specific requirements\n- **BuiltIn**: Azure-provided policies - Pre-defined policies from Microsoft\n- **Static**: Static policy definitions - Policies that don't change\n- **NotSpecified**: Type not specified\n\n### Policy Modes\n\n- **All**: Evaluates all resource types (default) - Most common mode\n- **Indexed**: Only evaluates resource types that support tags and location\n- **Resource Provider Modes**: Specific modes like `Microsoft.KeyVault.Data` for data plane operations\n\n### Policy Effects\n\nCommon effects used in the `then` clause of policy rules:\n\n- **deny**: Blocks the resource request\n- **audit**: Logs a warning but allows the request (useful for testing)\n- **append**: Adds additional properties to the resource\n- **modify**: Modifies the resource properties\n- **deployIfNotExists**: Deploys resources if they don't exist\n- **auditIfNotExists**: Audits if resources don't exist\n- **disabled**: Disables the policy\n\n### Policy Rule Structure\n\nA policy rule consists of two main parts:\n\n```typescript\n{\n if: {\n // Condition(s) to evaluate\n field: \"type\",\n equals: \"Microsoft.Storage/storageAccounts\"\n },\n then: {\n // Action to take if condition is true\n effect: \"deny\"\n }\n}\n```\n\nConditions can use:\n- `field`: Resource property to evaluate\n- `equals`, `notEquals`: Exact matching\n- `in`, `notIn`: Array matching\n- `contains`, `notContains`: Substring matching\n- `exists`: Check if property exists\n- `allOf`, `anyOf`: Logical operators for multiple conditions\n\n## Available Outputs\n\nPolicy Definition constructs expose the following outputs:\n\n- `id`: The Azure resource ID of the policy definition\n- `name`: The name of the policy definition\n- `resourceId`: Alias for the ID (for consistency with other constructs)\n- `policyType`: The type of policy definition (Custom, BuiltIn, etc.)\n- `policyMode`: The mode of the policy definition (All, Indexed, etc.)\n\n## Best Practices\n\n1. **Use Descriptive Names and Display Names**\n - Make policy purpose clear from the name\n - Include version information in metadata\n\n2. **Start with Audit Effect**\n - Test new policies with `audit` effect first\n - Monitor audit logs before switching to `deny`\n\n3. **Add Comprehensive Metadata**\n - Include category for organization\n - Add version for tracking changes\n - Document purpose and scope\n\n4. **Make Policies Reusable**\n - Use parameters for flexibility\n - Provide sensible default values\n - Document parameter usage\n\n5. **Test Thoroughly**\n - Use integration tests before production\n - Test with various resource types\n - Verify parameter combinations\n\n6. **Document Policy Logic**\n - Provide clear descriptions\n - Document any exceptions or special cases\n - Include examples in metadata\n\n7. **Use Appropriate Policy Modes**\n - Use `Indexed` for resource-level policies\n - Use `All` when location/tags don't apply\n - Use resource provider modes for data plane policies\n\n8. **Version Control**\n - Store policy definitions in source control\n - Use semantic versioning in metadata\n - Document breaking changes\n\n## Examples\n\n### Require Specific Resource Locations\n\n```typescript\nnew PolicyDefinition(this, \"allowed-locations\", {\n name: \"allowed-resource-locations\",\n displayName: \"Allowed Resource Locations\",\n description: \"Restricts resources to approved Azure regions\",\n policyRule: {\n if: {\n field: \"location\",\n notIn: [\"eastus\", \"westus\", \"centralus\"],\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Enforce Naming Conventions\n\n```typescript\nnew PolicyDefinition(this, \"naming-convention\", {\n name: \"enforce-naming-convention\",\n displayName: \"Enforce Resource Naming Convention\",\n policyRule: {\n if: {\n field: \"name\",\n notMatch: \"^[a-z0-9-]+$\",\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Audit Missing Tags\n\n```typescript\nnew PolicyDefinition(this, \"audit-tags\", {\n name: \"audit-required-tags\",\n displayName: \"Audit Resources Missing Required Tags\",\n policyRule: {\n if: {\n anyOf: [\n {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n ],\n },\n then: {\n effect: \"audit\",\n },\n },\n});\n```\n\n## Related Constructs\n\n- **Policy Assignments**: Use policy definitions by assigning them to scopes (subscriptions, resource groups)\n- **Role Definitions**: Define custom RBAC roles for Azure resources\n- **Role Assignments**: Assign roles to identities for access control\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Policy Not Taking Effect**\n - Check policy assignment scope\n - Verify policy mode matches resource type\n - Allow time for policy evaluation (can take 15-30 minutes)\n\n2. **Validation Errors**\n - Ensure policyRule is valid JSON\n - Check parameter types and values\n - Verify field names match Azure resource properties\n\n3. **Scope Issues**\n - Policy definitions are subscription-scoped\n - Ensure proper RBAC permissions\n - Check management group hierarchy if applicable\n\n## Contributing\n\nContributions are welcome! Please refer to the main project's contributing guidelines.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details."
224
+ "markdown": "# Azure Policy Definition Construct\n\nThis module provides a unified, version-aware implementation for managing Azure Policy Definitions using the AZAPI provider and CDK for Terraform.\n\n## Overview\n\nAzure Policy Definitions are rules that enforce specific conditions and effects on Azure resources. They are deployed at subscription or management group scope and can be used to ensure compliance with organizational standards.\n\n## Key Features\n\n- **AZAPI Provider Integration**: Direct ARM API access for reliable deployments\n- **Version-Aware**: Automatically uses the latest stable API version (2021-06-01)\n- **Schema-Driven Validation**: Built-in validation based on Azure API schemas\n- **Type-Safe**: Full TypeScript support with comprehensive interfaces\n- **JSII Compatible**: Can be used from multiple programming languages\n- **Flexible Policy Rules**: Support for simple and complex policy logic\n- **Parameterized Policies**: Create reusable policies with parameters\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n1. **Direct ARM API Access**: Communicates directly with Azure Resource Manager APIs\n2. **Faster Updates**: New Azure features are available immediately without provider updates\n3. **Consistent Behavior**: Matches Azure's native behavior exactly\n4. **Better Error Messages**: Detailed error messages directly from Azure\n5. **Version Flexibility**: Easily pin to specific API versions for stability\n\n## Installation\n\nThis package is part of the `@microsoft/terraform-cdk-constructs` library.\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Simple Policy Definition\n\n```typescript\nimport { App, TerraformStack } from \"cdktf\";\nimport { AzapiProvider } from \"@microsoft/terraform-cdk-constructs/core-azure\";\nimport { PolicyDefinition } from \"@microsoft/terraform-cdk-constructs/azure-policydefinition\";\n\nclass MyStack extends TerraformStack {\n constructor(scope: App, name: string) {\n super(scope, name);\n\n // Configure the AZAPI provider\n new AzapiProvider(this, \"azapi\", {});\n\n // Create a simple policy definition\n const policyDefinition = new PolicyDefinition(this, \"require-tags\", {\n name: \"require-environment-tag\",\n displayName: \"Require Environment Tag\",\n description: \"Ensures all resources have an Environment tag\",\n policyType: \"Custom\",\n mode: \"Indexed\",\n policyRule: {\n if: {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n metadata: {\n category: \"Tags\",\n version: \"1.0.0\",\n },\n });\n\n console.log(\"Policy ID:\", policyDefinition.id);\n }\n}\n\nconst app = new App();\nnew MyStack(app, \"my-stack\");\napp.synth();\n```\n\n### Policy Definition with Parameters\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"tag-policy\", {\n name: \"require-tag-with-values\",\n displayName: \"Require Tag with Specific Values\",\n description: \"Ensures resources have a tag with an allowed value\",\n policyRule: {\n if: {\n allOf: [\n {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n exists: \"true\",\n },\n {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n notIn: \"[parameters('allowedValues')]\",\n },\n ],\n },\n then: {\n effect: \"[parameters('effect')]\",\n },\n },\n parameters: {\n tagName: {\n type: \"String\",\n metadata: {\n displayName: \"Tag Name\",\n description: \"Name of the tag to check\",\n },\n defaultValue: \"CostCenter\",\n },\n allowedValues: {\n type: \"Array\",\n metadata: {\n displayName: \"Allowed Values\",\n description: \"List of allowed tag values\",\n },\n defaultValue: [\"Engineering\", \"Marketing\", \"Operations\"],\n },\n effect: {\n type: \"String\",\n metadata: {\n displayName: \"Effect\",\n description: \"The effect of the policy (audit or deny)\",\n },\n allowedValues: [\"audit\", \"deny\"],\n defaultValue: \"audit\",\n },\n },\n metadata: {\n category: \"Tags\",\n version: \"1.0.0\",\n },\n});\n```\n\n## Advanced Features\n\n### Complex Policy Rules\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"storage-policy\", {\n name: \"require-https-storage\",\n displayName: \"Require HTTPS for Storage Accounts\",\n description: \"Denies storage accounts that don't enforce HTTPS\",\n mode: \"Indexed\",\n policyRule: {\n if: {\n allOf: [\n {\n field: \"type\",\n equals: \"Microsoft.Storage/storageAccounts\",\n },\n {\n field: \"Microsoft.Storage/storageAccounts/enableHttpsTrafficOnly\",\n notEquals: \"true\",\n },\n ],\n },\n then: {\n effect: \"deny\",\n },\n },\n metadata: {\n category: \"Storage\",\n version: \"1.0.0\",\n },\n});\n```\n\n### Explicit API Version\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n apiVersion: \"2021-06-01\", // Pin to specific version for stability\n policyRule: {\n if: {\n field: \"location\",\n notIn: [\"eastus\", \"westus\"],\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Using Outputs\n\n```typescript\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"my-policy\",\n policyRule: {\n /* ... */\n },\n});\n\n// Use the policy definition ID in other resources\nnew TerraformOutput(this, \"policy-id\", {\n value: policyDefinition.id,\n});\n\n// Access policy properties\nconsole.log(\"Policy Type:\", policyDefinition.policyType);\nconsole.log(\"Policy Mode:\", policyDefinition.policyMode);\n```\n\n## Complete Properties Documentation\n\n### PolicyDefinitionProps\n\n| Property | Type | Required | Default | Description |\n| -------- | ---- | -------- | ------- | ----------- |\n| `name` | string | No* | Construct ID | Name of the policy definition |\n| `policyRule` | object | **Yes** | - | The policy rule JSON object defining if/then logic |\n| `displayName` | string | No | - | Display name for the policy in Azure Portal |\n| `description` | string | No | - | Description of what the policy enforces |\n| `policyType` | string | No | \"Custom\" | Type of policy: Custom, BuiltIn, Static, NotSpecified |\n| `mode` | string | No | \"All\" | Policy mode: All, Indexed, or resource provider modes |\n| `parameters` | object | No | - | Parameters that can be passed to policy assignments |\n| `metadata` | object | No | - | Additional metadata (category, version, etc.) |\n| `apiVersion` | string | No | \"2021-06-01\" | Specific API version to use |\n| `ignoreChanges` | string[] | No | - | Properties to ignore during Terraform updates |\n| `enableValidation` | boolean | No | true | Enable schema validation |\n| `enableMigrationAnalysis` | boolean | No | false | Enable migration analysis between versions |\n| `enableTransformation` | boolean | No | true | Enable property transformation |\n\n*If `name` is not provided, the construct ID will be used as the policy definition name.\n\n## Supported API Versions\n\n| Version | Support Level | Release Date | Notes |\n| ---------- | ------------- | ------------ | --------------------------------------- |\n| 2021-06-01 | Active | 2021-06-01 | Latest stable version (recommended) |\n\n## Policy Definition Concepts\n\n### Policy Types\n\n- **Custom**: User-defined policies (default) - Used for organization-specific requirements\n- **BuiltIn**: Azure-provided policies - Pre-defined policies from Microsoft\n- **Static**: Static policy definitions - Policies that don't change\n- **NotSpecified**: Type not specified\n\n### Policy Modes\n\n- **All**: Evaluates all resource types (default) - Most common mode\n- **Indexed**: Only evaluates resource types that support tags and location\n- **Resource Provider Modes**: Specific modes like `Microsoft.KeyVault.Data` for data plane operations\n\n### Policy Effects\n\nCommon effects used in the `then` clause of policy rules:\n\n- **deny**: Blocks the resource request\n- **audit**: Logs a warning but allows the request (useful for testing)\n- **append**: Adds additional properties to the resource\n- **modify**: Modifies the resource properties\n- **deployIfNotExists**: Deploys resources if they don't exist\n- **auditIfNotExists**: Audits if resources don't exist\n- **disabled**: Disables the policy\n\n### Policy Rule Structure\n\nA policy rule consists of two main parts:\n\n```typescript\n{\n if: {\n // Condition(s) to evaluate\n field: \"type\",\n equals: \"Microsoft.Storage/storageAccounts\"\n },\n then: {\n // Action to take if condition is true\n effect: \"deny\"\n }\n}\n```\n\nConditions can use:\n- `field`: Resource property to evaluate\n- `equals`, `notEquals`: Exact matching\n- `in`, `notIn`: Array matching\n- `contains`, `notContains`: Substring matching\n- `exists`: Check if property exists\n- `allOf`, `anyOf`: Logical operators for multiple conditions\n\n## Available Outputs\n\nPolicy Definition constructs expose the following outputs:\n\n- `id`: The Azure resource ID of the policy definition\n- `name`: The name of the policy definition\n- `resourceId`: Alias for the ID (for consistency with other constructs)\n- `policyType`: The type of policy definition (Custom, BuiltIn, etc.)\n- `policyMode`: The mode of the policy definition (All, Indexed, etc.)\n\n## Best Practices\n\n1. **Use Descriptive Names and Display Names**\n - Make policy purpose clear from the name\n - Include version information in metadata\n\n2. **Start with Audit Effect**\n - Test new policies with `audit` effect first\n - Monitor audit logs before switching to `deny`\n\n3. **Add Comprehensive Metadata**\n - Include category for organization\n - Add version for tracking changes\n - Document purpose and scope\n\n4. **Make Policies Reusable**\n - Use parameters for flexibility\n - Provide sensible default values\n - Document parameter usage\n\n5. **Test Thoroughly**\n - Use integration tests before production\n - Test with various resource types\n - Verify parameter combinations\n\n6. **Document Policy Logic**\n - Provide clear descriptions\n - Document any exceptions or special cases\n - Include examples in metadata\n\n7. **Use Appropriate Policy Modes**\n - Use `Indexed` for resource-level policies\n - Use `All` when location/tags don't apply\n - Use resource provider modes for data plane policies\n\n8. **Version Control**\n - Store policy definitions in source control\n - Use semantic versioning in metadata\n - Document breaking changes\n\n## Examples\n\n### Policy Definition at Management Group Scope\n\n```typescript\n// Create a policy definition at management group scope\n// This makes the policy available to all subscriptions under the management group\nnew PolicyDefinition(this, \"mg-policy\", {\n name: \"org-wide-tag-policy\",\n parentId: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Organization-Wide Tag Policy\",\n description: \"Enforces required tags across all subscriptions in the organization\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n then: {\n effect: \"deny\",\n },\n },\n metadata: {\n category: \"Tags\",\n version: \"1.0.0\",\n },\n});\n```\n\n### Require Specific Resource Locations\n\n```typescript\nnew PolicyDefinition(this, \"allowed-locations\", {\n name: \"allowed-resource-locations\",\n displayName: \"Allowed Resource Locations\",\n description: \"Restricts resources to approved Azure regions\",\n policyRule: {\n if: {\n field: \"location\",\n notIn: [\"eastus\", \"westus\", \"centralus\"],\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Enforce Naming Conventions\n\n```typescript\nnew PolicyDefinition(this, \"naming-convention\", {\n name: \"enforce-naming-convention\",\n displayName: \"Enforce Resource Naming Convention\",\n policyRule: {\n if: {\n field: \"name\",\n notMatch: \"^[a-z0-9-]+$\",\n },\n then: {\n effect: \"deny\",\n },\n },\n});\n```\n\n### Audit Missing Tags\n\n```typescript\nnew PolicyDefinition(this, \"audit-tags\", {\n name: \"audit-required-tags\",\n displayName: \"Audit Resources Missing Required Tags\",\n policyRule: {\n if: {\n anyOf: [\n {\n field: \"tags['CostCenter']\",\n exists: \"false\",\n },\n {\n field: \"tags['Environment']\",\n exists: \"false\",\n },\n ],\n },\n then: {\n effect: \"audit\",\n },\n },\n});\n```\n\n## Related Constructs\n\n- **Policy Assignments**: Use policy definitions by assigning them to scopes (subscriptions, resource groups)\n- **Role Definitions**: Define custom RBAC roles for Azure resources\n- **Role Assignments**: Assign roles to identities for access control\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Policy Not Taking Effect**\n - Check policy assignment scope\n - Verify policy mode matches resource type\n - Allow time for policy evaluation (can take 15-30 minutes)\n\n2. **Validation Errors**\n - Ensure policyRule is valid JSON\n - Check parameter types and values\n - Verify field names match Azure resource properties\n\n3. **Scope Issues**\n - Policy definitions are subscription-scoped\n - Ensure proper RBAC permissions\n - Check management group hierarchy if applicable\n\n## Contributing\n\nContributions are welcome! Please refer to the main project's contributing guidelines.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details."
225
225
  },
226
226
  "symbolId": "src/azure-policydefinition/index:"
227
227
  },
@@ -261,7 +261,7 @@
261
261
  "line": 51
262
262
  },
263
263
  "readme": {
264
- "markdown": "# Azure Role Assignment Construct\n\nThis module provides a CDK construct for managing Azure Role Assignments using the AZAPI provider. Role assignments grant specific permissions (roles) to security principals (users, groups, service principals, managed identities) at a particular scope (subscription, resource group, or resource).\n\n## Table of Contents\n\n- [Features](#features)\n- [Installation](#installation)\n- [Basic Usage](#basic-usage)\n- [Advanced Usage](#advanced-usage)\n- [Properties](#properties)\n- [Outputs](#outputs)\n- [API Versions](#api-versions)\n- [Principal Types](#principal-types)\n- [Built-in Roles](#built-in-roles)\n- [Best Practices](#best-practices)\n- [Examples](#examples)\n\n## Features\n\n- **Version-Aware Resource Management**: Automatic API version resolution with support for explicit version pinning\n- **Schema-Driven Validation**: Built-in property validation with comprehensive error messages\n- **Principal Types**: Support for User, Group, ServicePrincipal, ForeignGroup, and Device principals\n- **Conditional Access (ABAC)**: Attribute-Based Access Control with condition expressions\n- **Flexible Scoping**: Assign roles at subscription, resource group, or individual resource scope\n- **Delegated Managed Identity**: Support for delegated identity scenarios with group assignments\n- **Built-in and Custom Roles**: Works with both Azure built-in roles and custom role definitions\n- **JSII Compliance**: Full support for multi-language bindings\n\n## Why Use AZAPI Provider?\n\nThe AZAPI provider offers several advantages for managing role assignments:\n\n1. **Latest API Support**: Access to the newest Azure features without waiting for provider updates\n2. **Consistent Interface**: Unified approach across all Azure resources\n3. **Version Flexibility**: Pin to specific API versions or use latest automatically\n4. **Full Feature Coverage**: Support for all Azure properties including preview features\n5. **Type Safety**: Strong typing and validation for all resource properties\n\n## Installation\n\nThis construct is part of the terraform-cdk-constructs library:\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Assign Built-in Reader Role\n\n```typescript\nimport { RoleAssignment } from '@microsoft/terraform-cdk-constructs/azure-roleassignment';\nimport { AzapiProvider } from '@microsoft/terraform-cdk-constructs/core-azure';\n\n// Configure the AZAPI provider\nnew AzapiProvider(this, 'azapi', {});\n\n// Assign Reader role to a user at subscription scope\nconst readerAssignment = new RoleAssignment(this, 'reader-assignment', {\n name: 'reader-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: '00000000-0000-0000-0000-000000000000', // User Object ID from Azure AD\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'User',\n description: 'Grants read access to all resources in the subscription',\n});\n```\n\n### Assign Role to Service Principal\n\n```typescript\nconst contributorAssignment = new RoleAssignment(this, 'sp-contributor', {\n name: 'sp-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', // Contributor\n principalId: servicePrincipal.objectId,\n scope: resourceGroup.id,\n principalType: 'ServicePrincipal',\n description: 'Grants contributor access to the application service principal',\n});\n```\n\n## Advanced Usage\n\n### Conditional Assignment with ABAC\n\nAttribute-Based Access Control (ABAC) allows you to add conditions to role assignments:\n\n```typescript\n// Limit access to specific storage containers\nconst conditionalAssignment = new RoleAssignment(this, 'conditional-access', {\n name: 'conditional-storage-access',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe', // Storage Blob Data Contributor\n principalId: user.objectId,\n scope: storageAccount.id,\n principalType: 'User',\n condition: \"@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'\",\n conditionVersion: '2.0',\n description: 'Grants blob data contributor access only to the logs container',\n});\n```\n\n### Assign Custom Role Definition\n\n```typescript\nimport { RoleDefinition } from '@microsoft/terraform-cdk-constructs/azure-roledefinition';\n\n// Create a custom role definition\nconst customRole = new RoleDefinition(this, 'custom-role', {\n name: 'vm-operator',\n roleName: 'Virtual Machine Operator',\n description: 'Can start, stop, and restart virtual machines',\n permissions: [{\n actions: [\n 'Microsoft.Compute/virtualMachines/start/action',\n 'Microsoft.Compute/virtualMachines/restart/action',\n 'Microsoft.Compute/virtualMachines/powerOff/action',\n 'Microsoft.Compute/virtualMachines/read',\n ],\n notActions: [],\n dataActions: [],\n notDataActions: [],\n }],\n assignableScopes: ['/subscriptions/00000000-0000-0000-0000-000000000000'],\n});\n\n// Assign the custom role\nnew RoleAssignment(this, 'custom-role-assignment', {\n name: 'vm-operator-assignment',\n roleDefinitionId: customRole.id,\n principalId: '00000000-0000-0000-0000-000000000000',\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'User',\n description: 'Assigns custom VM Operator role to user',\n});\n```\n\n### Group Assignment with Delegated Managed Identity\n\n```typescript\n// Assign role to a group using a delegated managed identity\nconst groupAssignment = new RoleAssignment(this, 'group-assignment', {\n name: 'group-with-delegated-identity',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: group.objectId,\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'Group',\n delegatedManagedIdentityResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity',\n description: 'Group assignment using delegated managed identity',\n});\n```\n\n### Resource Group Scoped Assignment\n\n```typescript\nconst rgAssignment = new RoleAssignment(this, 'rg-contributor', {\n name: 'rg-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', // Contributor\n principalId: '00000000-0000-0000-0000-000000000000',\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group',\n principalType: 'User',\n description: 'Grants contributor access only to this resource group',\n});\n```\n\n### Individual Resource Scoped Assignment\n\n```typescript\nconst resourceAssignment = new RoleAssignment(this, 'storage-contributor', {\n name: 'storage-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe', // Storage Blob Data Contributor\n principalId: managedIdentity.principalId,\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount',\n principalType: 'ServicePrincipal',\n description: 'Grants blob data contributor access to this specific storage account',\n});\n```\n\n## Properties\n\n### Required Properties\n\n| Property | Type | Description |\n|----------|------|-------------|\n| `roleDefinitionId` | string | The role definition ID to assign (built-in or custom role) |\n| `principalId` | string | The Object ID of the principal (user, group, service principal, managed identity) |\n| `scope` | string | The scope at which the role is assigned (subscription, resource group, or resource) |\n\n### Optional Properties\n\n| Property | Type | Default | Description |\n|----------|------|---------|-------------|\n| `name` | string | Auto-generated | The name of the role assignment resource |\n| `principalType` | string | undefined | Type of principal: User, Group, ServicePrincipal, ForeignGroup, Device |\n| `description` | string | undefined | Description of why the assignment was made |\n| `condition` | string | undefined | ABAC condition expression to limit access |\n| `conditionVersion` | string | undefined | Version of condition syntax (e.g., \"2.0\") |\n| `delegatedManagedIdentityResourceId` | string | undefined | Resource ID of delegated managed identity (for group assignments) |\n| `apiVersion` | string | \"2022-04-01\" | Explicit API version to use |\n| `tags` | object | {} | Tags to apply to the role assignment |\n| `ignoreChanges` | string[] | [] | Properties to ignore during updates |\n\n## Outputs\n\nThe [`RoleAssignment`](lib/role-assignment.ts:188) construct provides the following outputs:\n\n| Output | Type | Description |\n|--------|------|-------------|\n| `id` | string | The resource ID of the role assignment |\n| `name` | string | The name of the role assignment |\n| `resourceId` | string | Alias for the id property |\n| `roleDefinitionId` | string | The role definition ID that was assigned |\n| `principalId` | string | The principal ID that was granted the role |\n| `assignmentScope` | string | The scope at which the role was assigned |\n| `principalType` | string \\| undefined | The type of principal (if specified) |\n\n## API Versions\n\n### Supported Versions\n\n| Version | Support Level | Release Date | Notes |\n|---------|---------------|--------------|-------|\n| [2022-04-01](lib/role-assignment-schemas.ts:145) | Active (Latest) | 2022-04-01 | Full support for ABAC conditional assignments and delegated managed identities |\n\n### Version Selection\n\n```typescript\n// Use latest version (default)\nnew RoleAssignment(this, 'assignment', {\n roleDefinitionId: '...',\n principalId: '...',\n scope: '...',\n});\n\n// Pin to specific version\nnew RoleAssignment(this, 'assignment', {\n roleDefinitionId: '...',\n principalId: '...',\n scope: '...',\n apiVersion: '2022-04-01',\n});\n```\n\n## Principal Types\n\n### User\nAn Azure AD user account.\n\n```typescript\nprincipalType: 'User'\n```\n\n### Group\nAn Azure AD group. Can be used with delegated managed identity.\n\n```typescript\nprincipalType: 'Group'\n```\n\n### ServicePrincipal\nAn application or service principal (including managed identities).\n\n```typescript\nprincipalType: 'ServicePrincipal'\n```\n\n### ForeignGroup\nA group from an external directory (B2B collaboration).\n\n```typescript\nprincipalType: 'ForeignGroup'\n```\n\n### Device\nA device identity from Azure AD.\n\n```typescript\nprincipalType: 'Device'\n```\n\n## Built-in Roles\n\n### Common Built-in Role Definition IDs\n\n| Role Name | Role ID | Description |\n|-----------|---------|-------------|\n| Owner | `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` | Full access to all resources including the ability to assign roles |\n| Contributor | `b24988ac-6180-42a0-ab88-20f7382dd24c` | Full access to all resources but cannot assign roles |\n| Reader | `acdd72a7-3385-48ef-bd42-f606fba81ae7` | View all resources but cannot make changes |\n| User Access Administrator | `18d7d88d-d35e-4fb5-a5c3-7773c20a72d9` | Manage user access to Azure resources |\n| Storage Blob Data Contributor | `ba92f5b4-2d11-453d-a403-e96b0029c9fe` | Read, write, and delete Azure Storage containers and blobs |\n| Storage Blob Data Reader | `2a2b9908-6ea1-4ae2-8e65-a410df84e7d1` | Read Azure Storage containers and blobs |\n| Key Vault Secrets User | `4633458b-17de-408a-b874-0445c86b69e6` | Read secret contents from Key Vault |\n| Virtual Machine Contributor | `9980e02c-c2be-4d73-94e8-173b1dc7cf3c` | Manage virtual machines but not the virtual network or storage account they're connected to |\n\nFor a complete list, see [Azure Built-in Roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles).\n\n## Best Practices\n\n### 1. Principle of Least Privilege\n\nAlways assign the minimum permissions required:\n\n```typescript\n// ❌ Bad: Overly permissive\nroleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' // Owner\n\n// ✅ Good: Specific permissions\nroleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader\n```\n\n### 2. Specific Scopes\n\nAssign roles at the narrowest scope possible:\n\n```typescript\n// ❌ Bad: Subscription-wide access when not needed\nscope: '/subscriptions/00000000-0000-0000-0000-000000000000'\n\n// ✅ Good: Resource group or resource-specific\nscope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg'\n```\n\n### 3. Always Specify Principal Type\n\nImproves performance and clarity:\n\n```typescript\n// ✅ Good\nnew RoleAssignment(this, 'assignment', {\n // ...\n principalType: 'ServicePrincipal', // Explicit type\n});\n```\n\n### 4. Use Conditional Access When Appropriate\n\nLimit access further with ABAC conditions:\n\n```typescript\nnew RoleAssignment(this, 'conditional', {\n // ...\n condition: \"@Resource[Microsoft.Storage/storageAccounts:name] StringStartsWith 'prod'\",\n conditionVersion: '2.0',\n});\n```\n\n### 5. Document Assignments\n\nUse descriptions to explain why assignments exist:\n\n```typescript\nnew RoleAssignment(this, 'assignment', {\n // ...\n description: 'Grants read access to monitoring team for incident response. Approved by Security-12345.',\n});\n```\n\n### 6. Prefer Custom Roles\n\nCreate custom roles for specific needs instead of using broad built-in roles:\n\n```typescript\n// Create custom role with exact permissions needed\nconst customRole = new RoleDefinition(this, 'custom', {\n roleName: 'Specific Task Operator',\n permissions: [/* only required actions */],\n assignableScopes: [/* specific scopes */],\n});\n```\n\n### 7. Use Managed Identities\n\nPrefer managed identities over service principals:\n\n```typescript\n// ✅ Good: System-assigned managed identity\nprincipalId: virtualMachine.identity.principalId,\nprincipalType: 'ServicePrincipal',\n```\n\n### 8. Regular Audits\n\nPeriodically review and remove unnecessary role assignments. Use tags to track:\n\n```typescript\nnew RoleAssignment(this, 'assignment', {\n // ...\n tags: {\n owner: 'team-name',\n purpose: 'data-processing',\n reviewDate: '2024-12-31',\n },\n});\n```\n\n## Examples\n\n### Example 1: Multi-Region Monitoring Setup\n\n```typescript\nconst regions = ['eastus', 'westus', 'northeurope'];\n\nregions.forEach(region => {\n new RoleAssignment(this, `monitoring-${region}`, {\n name: `monitoring-reader-${region}`,\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05', // Monitoring Reader\n principalId: monitoringServicePrincipal.objectId,\n scope: `/subscriptions/${subscriptionId}/resourceGroups/rg-${region}`,\n principalType: 'ServicePrincipal',\n description: `Monitoring access for ${region} resources`,\n tags: {\n region,\n purpose: 'monitoring',\n },\n });\n});\n```\n\n### Example 2: Separation of Duties\n\n```typescript\n// Development team: Contributor at resource group level\nnew RoleAssignment(this, 'dev-team-contributor', {\n name: 'dev-team-rg-contributor',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: devTeamGroup.objectId,\n scope: devResourceGroup.id,\n principalType: 'Group',\n description: 'Development team can manage resources in dev environment',\n});\n\n// Operations team: Reader at subscription, Contributor at production RG\nnew RoleAssignment(this, 'ops-team-reader', {\n name: 'ops-team-subscription-reader',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7',\n principalId: opsTeamGroup.objectId,\n scope: `/subscriptions/${subscriptionId}`,\n principalType: 'Group',\n description: 'Operations team can view all resources',\n});\n\nnew RoleAssignment(this, 'ops-team-contributor', {\n name: 'ops-team-prod-contributor',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: opsTeamGroup.objectId,\n scope: prodResourceGroup.id,\n principalType: 'Group',\n description: 'Operations team can manage production resources',\n});\n```\n\n### Example 3: Temporary Access\n\n```typescript\n// Grant temporary elevated access (remember to remove after use)\nnew RoleAssignment(this, 'temp-access', {\n name: 'temp-contributor-access',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: contractor.objectId,\n scope: temporaryResourceGroup.id,\n principalType: 'User',\n description: 'Temporary access for migration project. Remove after 2024-06-30.',\n tags: {\n temporary: 'true',\n expiryDate: '2024-06-30',\n ticketNumber: 'PROJ-12345',\n },\n});\n```\n\n## Relationship with Role Definition\n\nRole assignments and role definitions work together to implement Azure RBAC:\n\n- **Role Definition**: Defines WHAT permissions are granted (actions, dataActions, etc.)\n- **Role Assignment**: Defines WHO gets those permissions and WHERE (scope)\n\n```typescript\nimport { RoleDefinition } from '@microsoft/terraform-cdk-constructs/azure-roledefinition';\nimport { RoleAssignment } from '@microsoft/terraform-cdk-constructs/azure-roleassignment';\n\n// Step 1: Define what permissions are needed\nconst customRole = new RoleDefinition(this, 'data-processor-role', {\n name: 'data-processor',\n roleName: 'Data Processor',\n permissions: [{\n actions: ['Microsoft.Storage/storageAccounts/blobServices/containers/read'],\n dataActions: [\n 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read',\n 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write',\n ],\n }],\n assignableScopes: ['/subscriptions/00000000-0000-0000-0000-000000000000'],\n});\n\n// Step 2: Assign those permissions to a principal\nnew RoleAssignment(this, 'processor-assignment', {\n name: 'data-processor-assignment',\n roleDefinitionId: customRole.id,\n principalId: dataProcessorApp.principalId,\n scope: storageAccount.id,\n principalType: 'ServicePrincipal',\n description: 'Grants data processing application access to storage',\n});\n```\n\n## Additional Resources\n\n- [Azure RBAC Documentation](https://docs.microsoft.com/azure/role-based-access-control/)\n- [Azure Built-in Roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles)\n- [Azure ABAC Conditions](https://docs.microsoft.com/azure/role-based-access-control/conditions-overview)\n- [Best Practices for Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control/best-practices)\n- [Azure Role Assignments REST API](https://docs.microsoft.com/rest/api/authorization/role-assignments)\n- [Managed Identities for Azure Resources](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/)\n\n## License\n\nThis module is part of the terraform-cdk-constructs project and is licensed under the MIT License."
264
+ "markdown": "# Azure Role Assignment Construct\n\nThis module provides a CDK construct for managing Azure Role Assignments using the AZAPI provider. Role assignments grant specific permissions (roles) to security principals (users, groups, service principals, managed identities) at a particular scope (management group, subscription, resource group, or resource).\n\n## Table of Contents\n\n- [Features](#features)\n- [Installation](#installation)\n- [Basic Usage](#basic-usage)\n- [Advanced Usage](#advanced-usage)\n- [Properties](#properties)\n- [Outputs](#outputs)\n- [API Versions](#api-versions)\n- [Principal Types](#principal-types)\n- [Built-in Roles](#built-in-roles)\n- [Best Practices](#best-practices)\n- [Examples](#examples)\n\n## Features\n\n- **Version-Aware Resource Management**: Automatic API version resolution with support for explicit version pinning\n- **Schema-Driven Validation**: Built-in property validation with comprehensive error messages\n- **Principal Types**: Support for User, Group, ServicePrincipal, ForeignGroup, and Device principals\n- **Conditional Access (ABAC)**: Attribute-Based Access Control with condition expressions\n- **Flexible Scoping**: Assign roles at management group, subscription, resource group, or individual resource scope\n- **Delegated Managed Identity**: Support for delegated identity scenarios with group assignments\n- **Built-in and Custom Roles**: Works with both Azure built-in roles and custom role definitions\n- **JSII Compliance**: Full support for multi-language bindings\n\n## Why Use AZAPI Provider?\n\nThe AZAPI provider offers several advantages for managing role assignments:\n\n1. **Latest API Support**: Access to the newest Azure features without waiting for provider updates\n2. **Consistent Interface**: Unified approach across all Azure resources\n3. **Version Flexibility**: Pin to specific API versions or use latest automatically\n4. **Full Feature Coverage**: Support for all Azure properties including preview features\n5. **Type Safety**: Strong typing and validation for all resource properties\n\n## Installation\n\nThis construct is part of the terraform-cdk-constructs library:\n\n```bash\nnpm install @microsoft/terraform-cdk-constructs\n```\n\n## Basic Usage\n\n### Assign Built-in Reader Role\n\n```typescript\nimport { RoleAssignment } from '@microsoft/terraform-cdk-constructs/azure-roleassignment';\nimport { AzapiProvider } from '@microsoft/terraform-cdk-constructs/core-azure';\n\n// Configure the AZAPI provider\nnew AzapiProvider(this, 'azapi', {});\n\n// Assign Reader role to a user at subscription scope\nconst readerAssignment = new RoleAssignment(this, 'reader-assignment', {\n name: 'reader-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: '00000000-0000-0000-0000-000000000000', // User Object ID from Azure AD\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'User',\n description: 'Grants read access to all resources in the subscription',\n});\n```\n\n### Assign Role to Service Principal\n\n```typescript\nconst contributorAssignment = new RoleAssignment(this, 'sp-contributor', {\n name: 'sp-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', // Contributor\n principalId: servicePrincipal.objectId,\n scope: resourceGroup.id,\n principalType: 'ServicePrincipal',\n description: 'Grants contributor access to the application service principal',\n});\n```\n\n## Advanced Usage\n\n### Conditional Assignment with ABAC\n\nAttribute-Based Access Control (ABAC) allows you to add conditions to role assignments:\n\n```typescript\n// Limit access to specific storage containers\nconst conditionalAssignment = new RoleAssignment(this, 'conditional-access', {\n name: 'conditional-storage-access',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe', // Storage Blob Data Contributor\n principalId: user.objectId,\n scope: storageAccount.id,\n principalType: 'User',\n condition: \"@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'\",\n conditionVersion: '2.0',\n description: 'Grants blob data contributor access only to the logs container',\n});\n```\n\n### Assign Custom Role Definition\n\n```typescript\nimport { RoleDefinition } from '@microsoft/terraform-cdk-constructs/azure-roledefinition';\n\n// Create a custom role definition\nconst customRole = new RoleDefinition(this, 'custom-role', {\n name: 'vm-operator',\n roleName: 'Virtual Machine Operator',\n description: 'Can start, stop, and restart virtual machines',\n permissions: [{\n actions: [\n 'Microsoft.Compute/virtualMachines/start/action',\n 'Microsoft.Compute/virtualMachines/restart/action',\n 'Microsoft.Compute/virtualMachines/powerOff/action',\n 'Microsoft.Compute/virtualMachines/read',\n ],\n notActions: [],\n dataActions: [],\n notDataActions: [],\n }],\n assignableScopes: ['/subscriptions/00000000-0000-0000-0000-000000000000'],\n});\n\n// Assign the custom role\nnew RoleAssignment(this, 'custom-role-assignment', {\n name: 'vm-operator-assignment',\n roleDefinitionId: customRole.id,\n principalId: '00000000-0000-0000-0000-000000000000',\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'User',\n description: 'Assigns custom VM Operator role to user',\n});\n```\n\n### Group Assignment with Delegated Managed Identity\n\n```typescript\n// Assign role to a group using a delegated managed identity\nconst groupAssignment = new RoleAssignment(this, 'group-assignment', {\n name: 'group-with-delegated-identity',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: group.objectId,\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000',\n principalType: 'Group',\n delegatedManagedIdentityResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity',\n description: 'Group assignment using delegated managed identity',\n});\n```\n\n### Management Group Scoped Assignment\n\n```typescript\n// Assign a role at management group scope for organization-wide access\nconst mgAssignment = new RoleAssignment(this, 'mg-reader', {\n name: 'mg-reader-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: '00000000-0000-0000-0000-000000000000',\n scope: '/providers/Microsoft.Management/managementGroups/my-mg',\n principalType: 'Group',\n description: 'Grants read access across the entire management group hierarchy',\n});\n```\n\n### Resource Group Scoped Assignment\n\n```typescript\nconst rgAssignment = new RoleAssignment(this, 'rg-contributor', {\n name: 'rg-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', // Contributor\n principalId: '00000000-0000-0000-0000-000000000000',\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group',\n principalType: 'User',\n description: 'Grants contributor access only to this resource group',\n});\n```\n\n### Individual Resource Scoped Assignment\n\n```typescript\nconst resourceAssignment = new RoleAssignment(this, 'storage-contributor', {\n name: 'storage-contributor-assignment',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe', // Storage Blob Data Contributor\n principalId: managedIdentity.principalId,\n scope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount',\n principalType: 'ServicePrincipal',\n description: 'Grants blob data contributor access to this specific storage account',\n});\n```\n\n## Properties\n\n### Required Properties\n\n| Property | Type | Description |\n|----------|------|-------------|\n| `roleDefinitionId` | string | The role definition ID to assign (built-in or custom role) |\n| `principalId` | string | The Object ID of the principal (user, group, service principal, managed identity) |\n| `scope` | string | The scope at which the role is assigned (management group, subscription, resource group, or resource) |\n\n### Optional Properties\n\n| Property | Type | Default | Description |\n|----------|------|---------|-------------|\n| `name` | string | Auto-generated | The name of the role assignment resource |\n| `principalType` | string | undefined | Type of principal: User, Group, ServicePrincipal, ForeignGroup, Device |\n| `description` | string | undefined | Description of why the assignment was made |\n| `condition` | string | undefined | ABAC condition expression to limit access |\n| `conditionVersion` | string | undefined | Version of condition syntax (e.g., \"2.0\") |\n| `delegatedManagedIdentityResourceId` | string | undefined | Resource ID of delegated managed identity (for group assignments) |\n| `apiVersion` | string | \"2022-04-01\" | Explicit API version to use |\n| `tags` | object | {} | Tags to apply to the role assignment |\n| `ignoreChanges` | string[] | [] | Properties to ignore during updates |\n\n## Outputs\n\nThe [`RoleAssignment`](lib/role-assignment.ts:188) construct provides the following outputs:\n\n| Output | Type | Description |\n|--------|------|-------------|\n| `id` | string | The resource ID of the role assignment |\n| `name` | string | The name of the role assignment |\n| `resourceId` | string | Alias for the id property |\n| `roleDefinitionId` | string | The role definition ID that was assigned |\n| `principalId` | string | The principal ID that was granted the role |\n| `assignmentScope` | string | The scope at which the role was assigned |\n| `principalType` | string \\| undefined | The type of principal (if specified) |\n\n## API Versions\n\n### Supported Versions\n\n| Version | Support Level | Release Date | Notes |\n|---------|---------------|--------------|-------|\n| [2022-04-01](lib/role-assignment-schemas.ts:145) | Active (Latest) | 2022-04-01 | Full support for ABAC conditional assignments and delegated managed identities |\n\n### Version Selection\n\n```typescript\n// Use latest version (default)\nnew RoleAssignment(this, 'assignment', {\n roleDefinitionId: '...',\n principalId: '...',\n scope: '...',\n});\n\n// Pin to specific version\nnew RoleAssignment(this, 'assignment', {\n roleDefinitionId: '...',\n principalId: '...',\n scope: '...',\n apiVersion: '2022-04-01',\n});\n```\n\n## Principal Types\n\n### User\nAn Azure AD user account.\n\n```typescript\nprincipalType: 'User'\n```\n\n### Group\nAn Azure AD group. Can be used with delegated managed identity.\n\n```typescript\nprincipalType: 'Group'\n```\n\n### ServicePrincipal\nAn application or service principal (including managed identities).\n\n```typescript\nprincipalType: 'ServicePrincipal'\n```\n\n### ForeignGroup\nA group from an external directory (B2B collaboration).\n\n```typescript\nprincipalType: 'ForeignGroup'\n```\n\n### Device\nA device identity from Azure AD.\n\n```typescript\nprincipalType: 'Device'\n```\n\n## Built-in Roles\n\n### Common Built-in Role Definition IDs\n\n| Role Name | Role ID | Description |\n|-----------|---------|-------------|\n| Owner | `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` | Full access to all resources including the ability to assign roles |\n| Contributor | `b24988ac-6180-42a0-ab88-20f7382dd24c` | Full access to all resources but cannot assign roles |\n| Reader | `acdd72a7-3385-48ef-bd42-f606fba81ae7` | View all resources but cannot make changes |\n| User Access Administrator | `18d7d88d-d35e-4fb5-a5c3-7773c20a72d9` | Manage user access to Azure resources |\n| Storage Blob Data Contributor | `ba92f5b4-2d11-453d-a403-e96b0029c9fe` | Read, write, and delete Azure Storage containers and blobs |\n| Storage Blob Data Reader | `2a2b9908-6ea1-4ae2-8e65-a410df84e7d1` | Read Azure Storage containers and blobs |\n| Key Vault Secrets User | `4633458b-17de-408a-b874-0445c86b69e6` | Read secret contents from Key Vault |\n| Virtual Machine Contributor | `9980e02c-c2be-4d73-94e8-173b1dc7cf3c` | Manage virtual machines but not the virtual network or storage account they're connected to |\n\nFor a complete list, see [Azure Built-in Roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles).\n\n## Best Practices\n\n### 1. Principle of Least Privilege\n\nAlways assign the minimum permissions required:\n\n```typescript\n// ❌ Bad: Overly permissive\nroleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' // Owner\n\n// ✅ Good: Specific permissions\nroleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader\n```\n\n### 2. Specific Scopes\n\nAssign roles at the narrowest scope possible:\n\n```typescript\n// ❌ Bad: Management group-wide access when subscription scope is sufficient\nscope: '/providers/Microsoft.Management/managementGroups/my-mg'\n\n// ❌ Bad: Subscription-wide access when not needed\nscope: '/subscriptions/00000000-0000-0000-0000-000000000000'\n\n// ✅ Good: Resource group or resource-specific\nscope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg'\n```\n\n### 3. Always Specify Principal Type\n\nImproves performance and clarity:\n\n```typescript\n// ✅ Good\nnew RoleAssignment(this, 'assignment', {\n // ...\n principalType: 'ServicePrincipal', // Explicit type\n});\n```\n\n### 4. Use Conditional Access When Appropriate\n\nLimit access further with ABAC conditions:\n\n```typescript\nnew RoleAssignment(this, 'conditional', {\n // ...\n condition: \"@Resource[Microsoft.Storage/storageAccounts:name] StringStartsWith 'prod'\",\n conditionVersion: '2.0',\n});\n```\n\n### 5. Document Assignments\n\nUse descriptions to explain why assignments exist:\n\n```typescript\nnew RoleAssignment(this, 'assignment', {\n // ...\n description: 'Grants read access to monitoring team for incident response. Approved by Security-12345.',\n});\n```\n\n### 6. Prefer Custom Roles\n\nCreate custom roles for specific needs instead of using broad built-in roles:\n\n```typescript\n// Create custom role with exact permissions needed\nconst customRole = new RoleDefinition(this, 'custom', {\n roleName: 'Specific Task Operator',\n permissions: [/* only required actions */],\n assignableScopes: [/* specific scopes */],\n});\n```\n\n### 7. Use Managed Identities\n\nPrefer managed identities over service principals:\n\n```typescript\n// ✅ Good: System-assigned managed identity\nprincipalId: virtualMachine.identity.principalId,\nprincipalType: 'ServicePrincipal',\n```\n\n### 8. Regular Audits\n\nPeriodically review and remove unnecessary role assignments. Use tags to track:\n\n```typescript\nnew RoleAssignment(this, 'assignment', {\n // ...\n tags: {\n owner: 'team-name',\n purpose: 'data-processing',\n reviewDate: '2024-12-31',\n },\n});\n```\n\n## Examples\n\n### Example 1: Management Group Level Access Control\n\n```typescript\n// Grant organization-wide read access to security team at management group level\nconst securityReaderAssignment = new RoleAssignment(this, 'security-mg-reader', {\n name: 'security-org-reader',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader\n principalId: securityTeamGroup.objectId,\n scope: '/providers/Microsoft.Management/managementGroups/root-mg',\n principalType: 'Group',\n description: 'Grants security team read access across all subscriptions and resources in the organization',\n tags: {\n team: 'security',\n purpose: 'compliance-monitoring',\n },\n});\n\n// Grant User Access Administrator at management group for identity management team\nconst identityMgmtAssignment = new RoleAssignment(this, 'identity-mg-uaa', {\n name: 'identity-user-access-admin',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', // User Access Administrator\n principalId: identityTeamGroup.objectId,\n scope: '/providers/Microsoft.Management/managementGroups/root-mg',\n principalType: 'Group',\n description: 'Grants identity team ability to manage role assignments organization-wide',\n});\n```\n\n### Example 2: Multi-Region Monitoring Setup\n\n```typescript\nconst regions = ['eastus', 'westus', 'northeurope'];\n\nregions.forEach(region => {\n new RoleAssignment(this, `monitoring-${region}`, {\n name: `monitoring-reader-${region}`,\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05', // Monitoring Reader\n principalId: monitoringServicePrincipal.objectId,\n scope: `/subscriptions/${subscriptionId}/resourceGroups/rg-${region}`,\n principalType: 'ServicePrincipal',\n description: `Monitoring access for ${region} resources`,\n tags: {\n region,\n purpose: 'monitoring',\n },\n });\n});\n```\n\n### Example 2: Separation of Duties\n\n```typescript\n// Development team: Contributor at resource group level\nnew RoleAssignment(this, 'dev-team-contributor', {\n name: 'dev-team-rg-contributor',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: devTeamGroup.objectId,\n scope: devResourceGroup.id,\n principalType: 'Group',\n description: 'Development team can manage resources in dev environment',\n});\n\n// Operations team: Reader at subscription, Contributor at production RG\nnew RoleAssignment(this, 'ops-team-reader', {\n name: 'ops-team-subscription-reader',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7',\n principalId: opsTeamGroup.objectId,\n scope: `/subscriptions/${subscriptionId}`,\n principalType: 'Group',\n description: 'Operations team can view all resources',\n});\n\nnew RoleAssignment(this, 'ops-team-contributor', {\n name: 'ops-team-prod-contributor',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: opsTeamGroup.objectId,\n scope: prodResourceGroup.id,\n principalType: 'Group',\n description: 'Operations team can manage production resources',\n});\n```\n\n### Example 3: Temporary Access\n\n```typescript\n// Grant temporary elevated access (remember to remove after use)\nnew RoleAssignment(this, 'temp-access', {\n name: 'temp-contributor-access',\n roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c',\n principalId: contractor.objectId,\n scope: temporaryResourceGroup.id,\n principalType: 'User',\n description: 'Temporary access for migration project. Remove after 2024-06-30.',\n tags: {\n temporary: 'true',\n expiryDate: '2024-06-30',\n ticketNumber: 'PROJ-12345',\n },\n});\n```\n\n## Relationship with Role Definition\n\nRole assignments and role definitions work together to implement Azure RBAC:\n\n- **Role Definition**: Defines WHAT permissions are granted (actions, dataActions, etc.)\n- **Role Assignment**: Defines WHO gets those permissions and WHERE (scope)\n\n```typescript\nimport { RoleDefinition } from '@microsoft/terraform-cdk-constructs/azure-roledefinition';\nimport { RoleAssignment } from '@microsoft/terraform-cdk-constructs/azure-roleassignment';\n\n// Step 1: Define what permissions are needed\nconst customRole = new RoleDefinition(this, 'data-processor-role', {\n name: 'data-processor',\n roleName: 'Data Processor',\n permissions: [{\n actions: ['Microsoft.Storage/storageAccounts/blobServices/containers/read'],\n dataActions: [\n 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read',\n 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write',\n ],\n }],\n assignableScopes: ['/subscriptions/00000000-0000-0000-0000-000000000000'],\n});\n\n// Step 2: Assign those permissions to a principal\nnew RoleAssignment(this, 'processor-assignment', {\n name: 'data-processor-assignment',\n roleDefinitionId: customRole.id,\n principalId: dataProcessorApp.principalId,\n scope: storageAccount.id,\n principalType: 'ServicePrincipal',\n description: 'Grants data processing application access to storage',\n});\n```\n\n## Additional Resources\n\n- [Azure RBAC Documentation](https://docs.microsoft.com/azure/role-based-access-control/)\n- [Azure Built-in Roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles)\n- [Azure ABAC Conditions](https://docs.microsoft.com/azure/role-based-access-control/conditions-overview)\n- [Best Practices for Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control/best-practices)\n- [Azure Role Assignments REST API](https://docs.microsoft.com/rest/api/authorization/role-assignments)\n- [Managed Identities for Azure Resources](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/)\n\n## License\n\nThis module is part of the terraform-cdk-constructs project and is licensed under the MIT License."
265
265
  },
266
266
  "symbolId": "src/azure-roleassignment/index:"
267
267
  },
@@ -271,7 +271,7 @@
271
271
  "line": 52
272
272
  },
273
273
  "readme": {
274
- "markdown": "# Azure Role Definition Construct\n\nThis module provides a CDK for Terraform (CDKTF) construct for managing Azure RBAC Role Definitions using the AZAPI provider. Role definitions define custom roles with specific permissions that can be assigned to users, groups, or service principals through role assignments.\n\n## Features\n\n- **Version-Aware Schema Management**: Automatic handling of API version resolution and schema validation\n- **Custom RBAC Roles**: Define custom roles with granular permissions\n- **Control Plane Actions**: Specify allowed and denied management operations\n- **Data Plane Actions**: Define permissions for data operations within resources\n- **Flexible Scoping**: Assign roles at subscription, resource group, or management group level\n- **Type Safety**: Full TypeScript support with comprehensive type definitions\n- **JSII Compliance**: Multi-language support (TypeScript, Python, Java, C#, Go)\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n- **Day-0 Support**: Access to new Azure features immediately upon release\n- **Consistent API**: Direct mapping to Azure REST API structure\n- **Reduced Complexity**: No need to wait for provider updates\n- **Better Compatibility**: Works seamlessly with the latest Azure features\n\n## Installation\n\n```bash\nnpm install @cdktf/terraform-cdk-constructs\n```\n\n## Supported API Versions\n\n| API Version | Support Level | Release Date | Status |\n|-------------|---------------|--------------|--------|\n| 2022-04-01 | Active | 2022-04-01 | Latest |\n\n## Basic Usage\n\n### Create a Simple Read-Only Role\n\n```typescript\nimport { RoleDefinition } from \"@cdktf/terraform-cdk-constructs/azure-roledefinition\";\n\nconst vmReaderRole = new RoleDefinition(this, \"vm-reader\", {\n name: \"vm-reader-role\",\n roleName: \"Virtual Machine Reader\",\n description: \"Can view virtual machines and their properties\",\n permissions: [\n {\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/instanceView/read\",\n \"Microsoft.Network/networkInterfaces/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n## Advanced Features\n\n### Role with Data Plane Permissions\n\nCreate a role with both control plane and data plane permissions for comprehensive access management:\n\n```typescript\nconst storageOperator = new RoleDefinition(this, \"storage-operator\", {\n name: \"storage-operator-role\",\n roleName: \"Storage Operator\",\n description: \"Can manage storage accounts and read/write blob data\",\n permissions: [\n {\n // Control plane actions - manage storage accounts\n actions: [\n \"Microsoft.Storage/storageAccounts/read\",\n \"Microsoft.Storage/storageAccounts/write\",\n \"Microsoft.Storage/storageAccounts/listkeys/action\"\n ],\n // Explicitly deny delete operations\n notActions: [\n \"Microsoft.Storage/storageAccounts/delete\"\n ],\n // Data plane actions - read and write blobs\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\",\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write\"\n ],\n // Explicitly deny delete operations on data plane\n notDataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n### Multiple Assignable Scopes\n\nDefine a role that can be assigned at multiple levels:\n\n```typescript\nconst multiScopeRole = new RoleDefinition(this, \"multi-scope\", {\n name: \"multi-scope-role\",\n roleName: \"Multi-Scope Operator\",\n description: \"Can be assigned at subscription, resource group, or management group level\",\n permissions: [\n {\n actions: [\n \"Microsoft.Resources/subscriptions/read\",\n \"Microsoft.Resources/subscriptions/resourceGroups/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1\",\n \"/providers/Microsoft.Management/managementGroups/mg1\"\n ]\n});\n```\n\n### Complex Permission Combinations\n\nCreate sophisticated roles with multiple permission objects:\n\n```typescript\nconst complexRole = new RoleDefinition(this, \"complex-role\", {\n name: \"complex-role\",\n roleName: \"Complex Operator Role\",\n description: \"Role with multiple permission sets\",\n permissions: [\n {\n // Compute permissions\n actions: [\"Microsoft.Compute/virtualMachines/read\"],\n notActions: []\n },\n {\n // Storage permissions\n actions: [\"Microsoft.Storage/storageAccounts/read\"],\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\"\n ]\n },\n {\n // Network permissions\n actions: [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/networkInterfaces/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n## Properties\n\n### Required Properties\n\n| Property | Type | Description |\n|----------|------|-------------|\n| `roleName` | string | Display name of the role (1-128 characters) |\n| `permissions` | RoleDefinitionPermission[] | Array of permission objects defining role capabilities |\n| `assignableScopes` | string[] | Scopes where the role can be assigned |\n\n### Optional Properties\n\n| Property | Type | Default | Description |\n|----------|------|---------|-------------|\n| `name` | string | Auto-generated | Resource name for the role definition |\n| `description` | string | - | Detailed description of the role (max 1024 characters) |\n| `type` | string | \"CustomRole\" | Role type (CustomRole or BuiltInRole) |\n| `apiVersion` | string | \"2022-04-01\" | Azure API version to use |\n| `ignoreChanges` | string[] | - | Properties to ignore during updates |\n\n### Permission Object Structure\n\n```typescript\ninterface RoleDefinitionPermission {\n actions?: string[]; // Control plane allowed actions\n notActions?: string[]; // Control plane denied actions\n dataActions?: string[]; // Data plane allowed actions\n notDataActions?: string[]; // Data plane denied actions\n}\n```\n\n## Available Outputs\n\nThe RoleDefinition construct exposes these outputs:\n\n- `id`: Full resource ID of the role definition\n- `name`: Name of the role definition\n- `resourceId`: Alias for id (for use in other resources)\n- `roleName`: Display name of the role\n- `roleType`: Type of role (CustomRole or BuiltInRole)\n\n## Common Permission Patterns\n\n### Reader Pattern\n```typescript\npermissions: [{\n actions: [\"Microsoft.Resources/subscriptions/read\"]\n}]\n```\n\n### Contributor Pattern\n```typescript\npermissions: [{\n actions: [\"*\"],\n notActions: [\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\"\n ]\n}]\n```\n\n### Service-Specific Reader\n```typescript\npermissions: [{\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/snapshots/read\"\n ]\n}]\n```\n\n### Data Plane Access\n```typescript\npermissions: [{\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\",\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write\"\n ]\n}]\n```\n\n## Relationship with Role Assignment\n\nAfter creating a Role Definition, use the RoleAssignment service to assign the role to principals:\n\n```typescript\nimport { RoleDefinition } from \"@cdktf/terraform-cdk-constructs/azure-roledefinition\";\nimport { RoleAssignment } from \"@cdktf/terraform-cdk-constructs/azure-roleassignment\";\n\n// Create custom role\nconst customRole = new RoleDefinition(this, \"custom-role\", {\n roleName: \"Custom Operator\",\n permissions: [\n {\n actions: [\"Microsoft.Compute/virtualMachines/read\"]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n\n// Assign the role to a principal (user, group, or service principal)\nconst assignment = new RoleAssignment(this, \"role-assignment\", {\n name: \"custom-role-assignment\",\n roleDefinitionId: customRole.id,\n principalId: \"00000000-0000-0000-0000-000000000000\", // User/Group/SP Object ID\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n});\n```\n\n## Best Practices\n\n### 1. Principle of Least Privilege\nGrant only the minimum permissions required for the role's purpose:\n\n```typescript\n// Good: Specific permissions\npermissions: [{\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/start/action\"\n ]\n}]\n\n// Avoid: Overly broad permissions\npermissions: [{\n actions: [\"*\"]\n}]\n```\n\n### 2. Use NotActions Carefully\nNotActions exclude permissions from a broader grant. Use them to create exceptions:\n\n```typescript\npermissions: [{\n actions: [\"Microsoft.Compute/virtualMachines/*\"],\n notActions: [\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachines/write\"\n ]\n}]\n```\n\n### 3. Document Role Purpose\nProvide clear descriptions:\n\n```typescript\nconst role = new RoleDefinition(this, \"role\", {\n roleName: \"VM Operator\",\n description: \"Can start, stop, and restart VMs. Cannot create, modify, or delete VMs. Intended for operations team.\",\n // ...\n});\n```\n\n### 4. Scope Appropriately\nLimit assignable scopes to only where needed:\n\n```typescript\n// Good: Limited to specific resource group\nassignableScopes: [\n \"/subscriptions/sub-id/resourceGroups/production-vms\"\n]\n\n// Avoid: Too broad if not necessary\nassignableScopes: [\n \"/subscriptions/sub-id\"\n]\n```\n\n### 5. Separate Control and Data Plane\nUnderstand the difference between actions and dataActions:\n\n```typescript\npermissions: [{\n // Control plane: Manage the resource itself\n actions: [\"Microsoft.Storage/storageAccounts/read\"],\n\n // Data plane: Access data within the resource\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\"\n ]\n}]\n```\n\n### 6. Test Permissions\nAlways test that the role grants the intended access and nothing more:\n\n1. Assign the role to a test principal\n2. Verify the principal can perform allowed actions\n3. Verify the principal cannot perform denied actions\n4. Check at all intended assignable scopes\n\n## Understanding Actions\n\n### Wildcard Usage\n- `*`: All actions\n- `Microsoft.Compute/*`: All actions in Compute resource provider\n- `Microsoft.Compute/virtualMachines/*`: All actions on VMs\n\n### Action Format\nActions follow the pattern: `{Provider}/{ResourceType}/{Operation}`\n\nExamples:\n- `Microsoft.Compute/virtualMachines/read`\n- `Microsoft.Network/virtualNetworks/write`\n- `Microsoft.Storage/storageAccounts/listkeys/action`\n\n### Control Plane vs Data Plane\n- **Control Plane (actions)**: Manage Azure resources\n - Example: Create VM, delete storage account\n- **Data Plane (dataActions)**: Access data in resources\n - Example: Read blob, write to queue\n\n## Migration Notes\n\nThis implementation uses the AZAPI provider with version-aware schema management. When migrating from other implementations:\n\n1. Role definitions are subscription or management group scoped (no location property)\n2. Use the `permissions` array to define role capabilities\n3. Specify `assignableScopes` to control where the role can be assigned\n4. The construct automatically resolves to the latest API version unless pinned\n\n## Troubleshooting\n\n### Role Not Appearing in Portal\n- Wait a few minutes for replication\n- Check that you're viewing the correct subscription/scope\n- Verify the role was created successfully via API\n\n### Permission Denied When Using Role\n- Check that the role includes the required actions\n- Verify the assignable scopes include the target scope\n- Ensure the role has been assigned to the principal\n\n### Role Cannot Be Deleted\n- Check if any role assignments reference this role definition\n- Remove all assignments before deleting the definition\n\n## Additional Resources\n\n- [Azure RBAC Documentation](https://docs.microsoft.com/azure/role-based-access-control/)\n- [Azure Resource Provider Operations](https://docs.microsoft.com/azure/role-based-access-control/resource-provider-operations)\n- [AZAPI Provider Documentation](https://registry.terraform.io/providers/Azure/azapi/latest/docs)\n- [Custom Roles in Azure](https://docs.microsoft.com/azure/role-based-access-control/custom-roles)\n"
274
+ "markdown": "# Azure Role Definition Construct\n\nThis module provides a CDK for Terraform (CDKTF) construct for managing Azure RBAC Role Definitions using the AZAPI provider. Role definitions define custom roles with specific permissions that can be assigned to users, groups, or service principals through role assignments.\n\n## Features\n\n- **Version-Aware Schema Management**: Automatic handling of API version resolution and schema validation\n- **Custom RBAC Roles**: Define custom roles with granular permissions\n- **Control Plane Actions**: Specify allowed and denied management operations\n- **Data Plane Actions**: Define permissions for data operations within resources\n- **Flexible Scoping**: Assign roles at subscription, resource group, or management group level\n- **Type Safety**: Full TypeScript support with comprehensive type definitions\n- **JSII Compliance**: Multi-language support (TypeScript, Python, Java, C#, Go)\n\n## AZAPI Provider Benefits\n\nThis construct uses the AZAPI provider, which offers several advantages:\n\n- **Day-0 Support**: Access to new Azure features immediately upon release\n- **Consistent API**: Direct mapping to Azure REST API structure\n- **Reduced Complexity**: No need to wait for provider updates\n- **Better Compatibility**: Works seamlessly with the latest Azure features\n\n## Installation\n\n```bash\nnpm install @cdktf/terraform-cdk-constructs\n```\n\n## Supported API Versions\n\n| API Version | Support Level | Release Date | Status |\n|-------------|---------------|--------------|--------|\n| 2022-04-01 | Active | 2022-04-01 | Latest |\n\n## Basic Usage\n\n### Create a Simple Read-Only Role\n\n```typescript\nimport { RoleDefinition } from \"@cdktf/terraform-cdk-constructs/azure-roledefinition\";\n\nconst vmReaderRole = new RoleDefinition(this, \"vm-reader\", {\n name: \"vm-reader-role\",\n roleName: \"Virtual Machine Reader\",\n description: \"Can view virtual machines and their properties\",\n permissions: [\n {\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/instanceView/read\",\n \"Microsoft.Network/networkInterfaces/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n## Advanced Features\n\n### Role with Data Plane Permissions\n\nCreate a role with both control plane and data plane permissions for comprehensive access management:\n\n```typescript\nconst storageOperator = new RoleDefinition(this, \"storage-operator\", {\n name: \"storage-operator-role\",\n roleName: \"Storage Operator\",\n description: \"Can manage storage accounts and read/write blob data\",\n permissions: [\n {\n // Control plane actions - manage storage accounts\n actions: [\n \"Microsoft.Storage/storageAccounts/read\",\n \"Microsoft.Storage/storageAccounts/write\",\n \"Microsoft.Storage/storageAccounts/listkeys/action\"\n ],\n // Explicitly deny delete operations\n notActions: [\n \"Microsoft.Storage/storageAccounts/delete\"\n ],\n // Data plane actions - read and write blobs\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\",\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write\"\n ],\n // Explicitly deny delete operations on data plane\n notDataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n### Role with Management Group Scope\n\nDefine a role that can be assigned at management group level for organization-wide access:\n\n```typescript\nconst orgRole = new RoleDefinition(this, \"org-role\", {\n name: \"org-wide-role\",\n roleName: \"Organization Reader\",\n description: \"Can view resources across the entire organization hierarchy\",\n permissions: [\n {\n actions: [\n \"Microsoft.Resources/subscriptions/read\",\n \"Microsoft.Resources/subscriptions/resourceGroups/read\",\n \"Microsoft.Management/managementGroups/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/providers/Microsoft.Management/managementGroups/my-mg\"\n ]\n});\n```\n\n### Multiple Assignable Scopes\n\nDefine a role that can be assigned at multiple levels:\n\n```typescript\nconst multiScopeRole = new RoleDefinition(this, \"multi-scope\", {\n name: \"multi-scope-role\",\n roleName: \"Multi-Scope Operator\",\n description: \"Can be assigned at subscription, resource group, or management group level\",\n permissions: [\n {\n actions: [\n \"Microsoft.Resources/subscriptions/read\",\n \"Microsoft.Resources/subscriptions/resourceGroups/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1\",\n \"/providers/Microsoft.Management/managementGroups/mg1\"\n ]\n});\n```\n\n### Complex Permission Combinations\n\nCreate sophisticated roles with multiple permission objects:\n\n```typescript\nconst complexRole = new RoleDefinition(this, \"complex-role\", {\n name: \"complex-role\",\n roleName: \"Complex Operator Role\",\n description: \"Role with multiple permission sets\",\n permissions: [\n {\n // Compute permissions\n actions: [\"Microsoft.Compute/virtualMachines/read\"],\n notActions: []\n },\n {\n // Storage permissions\n actions: [\"Microsoft.Storage/storageAccounts/read\"],\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\"\n ]\n },\n {\n // Network permissions\n actions: [\n \"Microsoft.Network/virtualNetworks/read\",\n \"Microsoft.Network/networkInterfaces/read\"\n ]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n```\n\n## Properties\n\n### Required Properties\n\n| Property | Type | Description |\n|----------|------|-------------|\n| `roleName` | string | Display name of the role (1-128 characters) |\n| `permissions` | RoleDefinitionPermission[] | Array of permission objects defining role capabilities |\n| `assignableScopes` | string[] | Scopes where the role can be assigned |\n\n### Optional Properties\n\n| Property | Type | Default | Description |\n|----------|------|---------|-------------|\n| `name` | string | Auto-generated | Resource name for the role definition |\n| `description` | string | - | Detailed description of the role (max 1024 characters) |\n| `type` | string | \"CustomRole\" | Role type (CustomRole or BuiltInRole) |\n| `apiVersion` | string | \"2022-04-01\" | Azure API version to use |\n| `ignoreChanges` | string[] | - | Properties to ignore during updates |\n\n### Permission Object Structure\n\n```typescript\ninterface RoleDefinitionPermission {\n actions?: string[]; // Control plane allowed actions\n notActions?: string[]; // Control plane denied actions\n dataActions?: string[]; // Data plane allowed actions\n notDataActions?: string[]; // Data plane denied actions\n}\n```\n\n## Available Outputs\n\nThe RoleDefinition construct exposes these outputs:\n\n- `id`: Full resource ID of the role definition\n- `name`: Name of the role definition\n- `resourceId`: Alias for id (for use in other resources)\n- `roleName`: Display name of the role\n- `roleType`: Type of role (CustomRole or BuiltInRole)\n\n## Common Permission Patterns\n\n### Reader Pattern\n```typescript\npermissions: [{\n actions: [\"Microsoft.Resources/subscriptions/read\"]\n}]\n```\n\n### Contributor Pattern\n```typescript\npermissions: [{\n actions: [\"*\"],\n notActions: [\n \"Microsoft.Authorization/roleAssignments/write\",\n \"Microsoft.Authorization/roleAssignments/delete\"\n ]\n}]\n```\n\n### Service-Specific Reader\n```typescript\npermissions: [{\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/disks/read\",\n \"Microsoft.Compute/snapshots/read\"\n ]\n}]\n```\n\n### Data Plane Access\n```typescript\npermissions: [{\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\",\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write\"\n ]\n}]\n```\n\n## Relationship with Role Assignment\n\nAfter creating a Role Definition, use the RoleAssignment service to assign the role to principals:\n\n```typescript\nimport { RoleDefinition } from \"@cdktf/terraform-cdk-constructs/azure-roledefinition\";\nimport { RoleAssignment } from \"@cdktf/terraform-cdk-constructs/azure-roleassignment\";\n\n// Create custom role\nconst customRole = new RoleDefinition(this, \"custom-role\", {\n roleName: \"Custom Operator\",\n permissions: [\n {\n actions: [\"Microsoft.Compute/virtualMachines/read\"]\n }\n ],\n assignableScopes: [\n \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n ]\n});\n\n// Assign the role to a principal (user, group, or service principal)\nconst assignment = new RoleAssignment(this, \"role-assignment\", {\n name: \"custom-role-assignment\",\n roleDefinitionId: customRole.id,\n principalId: \"00000000-0000-0000-0000-000000000000\", // User/Group/SP Object ID\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\"\n});\n```\n\n## Best Practices\n\n### 1. Principle of Least Privilege\nGrant only the minimum permissions required for the role's purpose:\n\n```typescript\n// Good: Specific permissions\npermissions: [{\n actions: [\n \"Microsoft.Compute/virtualMachines/read\",\n \"Microsoft.Compute/virtualMachines/start/action\"\n ]\n}]\n\n// Avoid: Overly broad permissions\npermissions: [{\n actions: [\"*\"]\n}]\n```\n\n### 2. Use NotActions Carefully\nNotActions exclude permissions from a broader grant. Use them to create exceptions:\n\n```typescript\npermissions: [{\n actions: [\"Microsoft.Compute/virtualMachines/*\"],\n notActions: [\n \"Microsoft.Compute/virtualMachines/delete\",\n \"Microsoft.Compute/virtualMachines/write\"\n ]\n}]\n```\n\n### 3. Document Role Purpose\nProvide clear descriptions:\n\n```typescript\nconst role = new RoleDefinition(this, \"role\", {\n roleName: \"VM Operator\",\n description: \"Can start, stop, and restart VMs. Cannot create, modify, or delete VMs. Intended for operations team.\",\n // ...\n});\n```\n\n### 4. Scope Appropriately\nLimit assignable scopes to only where needed:\n\n```typescript\n// Good: Limited to specific resource group\nassignableScopes: [\n \"/subscriptions/sub-id/resourceGroups/production-vms\"\n]\n\n// Acceptable: Subscription level when needed\nassignableScopes: [\n \"/subscriptions/sub-id\"\n]\n\n// Use carefully: Management group level only for organization-wide roles\nassignableScopes: [\n \"/providers/Microsoft.Management/managementGroups/my-mg\"\n]\n```\n\n### 5. Separate Control and Data Plane\nUnderstand the difference between actions and dataActions:\n\n```typescript\npermissions: [{\n // Control plane: Manage the resource itself\n actions: [\"Microsoft.Storage/storageAccounts/read\"],\n\n // Data plane: Access data within the resource\n dataActions: [\n \"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\"\n ]\n}]\n```\n\n### 6. Test Permissions\nAlways test that the role grants the intended access and nothing more:\n\n1. Assign the role to a test principal\n2. Verify the principal can perform allowed actions\n3. Verify the principal cannot perform denied actions\n4. Check at all intended assignable scopes\n\n## Understanding Actions\n\n### Wildcard Usage\n- `*`: All actions\n- `Microsoft.Compute/*`: All actions in Compute resource provider\n- `Microsoft.Compute/virtualMachines/*`: All actions on VMs\n\n### Action Format\nActions follow the pattern: `{Provider}/{ResourceType}/{Operation}`\n\nExamples:\n- `Microsoft.Compute/virtualMachines/read`\n- `Microsoft.Network/virtualNetworks/write`\n- `Microsoft.Storage/storageAccounts/listkeys/action`\n\n### Control Plane vs Data Plane\n- **Control Plane (actions)**: Manage Azure resources\n - Example: Create VM, delete storage account\n- **Data Plane (dataActions)**: Access data in resources\n - Example: Read blob, write to queue\n\n## Migration Notes\n\nThis implementation uses the AZAPI provider with version-aware schema management. When migrating from other implementations:\n\n1. Role definitions are subscription or management group scoped (no location property)\n2. Use the `permissions` array to define role capabilities\n3. Specify `assignableScopes` to control where the role can be assigned\n4. The construct automatically resolves to the latest API version unless pinned\n\n## Troubleshooting\n\n### Role Not Appearing in Portal\n- Wait a few minutes for replication\n- Check that you're viewing the correct subscription/scope\n- Verify the role was created successfully via API\n\n### Permission Denied When Using Role\n- Check that the role includes the required actions\n- Verify the assignable scopes include the target scope\n- Ensure the role has been assigned to the principal\n\n### Role Cannot Be Deleted\n- Check if any role assignments reference this role definition\n- Remove all assignments before deleting the definition\n\n## Additional Resources\n\n- [Azure RBAC Documentation](https://docs.microsoft.com/azure/role-based-access-control/)\n- [Azure Resource Provider Operations](https://docs.microsoft.com/azure/role-based-access-control/resource-provider-operations)\n- [AZAPI Provider Documentation](https://registry.terraform.io/providers/Azure/azapi/latest/docs)\n- [Custom Roles in Azure](https://docs.microsoft.com/azure/role-based-access-control/custom-roles)\n"
275
275
  },
276
276
  "symbolId": "src/azure-roledefinition/index:"
277
277
  },
@@ -26855,8 +26855,8 @@
26855
26855
  "assembly": "@microsoft/terraform-cdk-constructs",
26856
26856
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
26857
26857
  "docs": {
26858
- "example": "// Policy assignment with managed identity:\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"deploy-monitoring-assignment\",\n policyDefinitionId: \"/providers/Microsoft.Authorization/policyDefinitions/policy-id\",\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\"\n }\n});",
26859
- "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy assignments can be deployed at subscription, resource group, or resource scope.\nLike policy definitions, they do not have a location property as they are not region-specific.",
26858
+ "example": "// Policy assignment at management group scope:\nconst mgAssignment = new PolicyAssignment(this, \"mgAssignment\", {\n name: \"mg-policy-assignment\",\n policyDefinitionId: \"/providers/Microsoft.Authorization/policyDefinitions/policy-id\",\n scope: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Management Group Policy\",\n description: \"Applies policy across the entire management group hierarchy\"\n});",
26859
+ "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy assignments can be deployed at management group, subscription, resource group,\nor resource scope. Like policy definitions, they do not have a location property as they\nare not region-specific.",
26860
26860
  "stability": "stable",
26861
26861
  "summary": "Unified Azure Policy Assignment implementation."
26862
26862
  },
@@ -26869,7 +26869,7 @@
26869
26869
  },
26870
26870
  "locationInModule": {
26871
26871
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26872
- "line": 336
26872
+ "line": 348
26873
26873
  },
26874
26874
  "parameters": [
26875
26875
  {
@@ -26904,7 +26904,7 @@
26904
26904
  "kind": "class",
26905
26905
  "locationInModule": {
26906
26906
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26907
- "line": 307
26907
+ "line": 319
26908
26908
  },
26909
26909
  "methods": [
26910
26910
  {
@@ -26914,7 +26914,7 @@
26914
26914
  },
26915
26915
  "locationInModule": {
26916
26916
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26917
- "line": 393
26917
+ "line": 397
26918
26918
  },
26919
26919
  "name": "apiSchema",
26920
26920
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -26933,7 +26933,7 @@
26933
26933
  },
26934
26934
  "locationInModule": {
26935
26935
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26936
- "line": 416
26936
+ "line": 420
26937
26937
  },
26938
26938
  "name": "createResourceBody",
26939
26939
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -26959,7 +26959,7 @@
26959
26959
  },
26960
26960
  "locationInModule": {
26961
26961
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26962
- "line": 378
26962
+ "line": 382
26963
26963
  },
26964
26964
  "name": "defaultVersion",
26965
26965
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -26977,7 +26977,7 @@
26977
26977
  },
26978
26978
  "locationInModule": {
26979
26979
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
26980
- "line": 447
26980
+ "line": 451
26981
26981
  },
26982
26982
  "name": "resolveParentId",
26983
26983
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27003,7 +27003,7 @@
27003
27003
  },
27004
27004
  "locationInModule": {
27005
27005
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27006
- "line": 385
27006
+ "line": 389
27007
27007
  },
27008
27008
  "name": "resourceType",
27009
27009
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27025,7 +27025,7 @@
27025
27025
  },
27026
27026
  "locationInModule": {
27027
27027
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27028
- "line": 403
27028
+ "line": 407
27029
27029
  },
27030
27030
  "name": "supportsTags",
27031
27031
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27047,7 +27047,7 @@
27047
27047
  "immutable": true,
27048
27048
  "locationInModule": {
27049
27049
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27050
- "line": 474
27050
+ "line": 478
27051
27051
  },
27052
27052
  "name": "assignmentScope",
27053
27053
  "type": {
@@ -27062,7 +27062,7 @@
27062
27062
  "immutable": true,
27063
27063
  "locationInModule": {
27064
27064
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27065
- "line": 481
27065
+ "line": 485
27066
27066
  },
27067
27067
  "name": "enforcementMode",
27068
27068
  "type": {
@@ -27076,7 +27076,7 @@
27076
27076
  "immutable": true,
27077
27077
  "locationInModule": {
27078
27078
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27079
- "line": 321
27079
+ "line": 333
27080
27080
  },
27081
27081
  "name": "idOutput",
27082
27082
  "type": {
@@ -27090,7 +27090,7 @@
27090
27090
  "immutable": true,
27091
27091
  "locationInModule": {
27092
27092
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27093
- "line": 322
27093
+ "line": 334
27094
27094
  },
27095
27095
  "name": "nameOutput",
27096
27096
  "type": {
@@ -27105,7 +27105,7 @@
27105
27105
  "immutable": true,
27106
27106
  "locationInModule": {
27107
27107
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27108
- "line": 467
27108
+ "line": 471
27109
27109
  },
27110
27110
  "name": "policyDefinitionId",
27111
27111
  "type": {
@@ -27120,7 +27120,7 @@
27120
27120
  "immutable": true,
27121
27121
  "locationInModule": {
27122
27122
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27123
- "line": 318
27123
+ "line": 330
27124
27124
  },
27125
27125
  "name": "props",
27126
27126
  "type": {
@@ -27135,7 +27135,7 @@
27135
27135
  "immutable": true,
27136
27136
  "locationInModule": {
27137
27137
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27138
- "line": 460
27138
+ "line": 464
27139
27139
  },
27140
27140
  "name": "resourceId",
27141
27141
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27157,7 +27157,7 @@
27157
27157
  "kind": "interface",
27158
27158
  "locationInModule": {
27159
27159
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27160
- "line": 246
27160
+ "line": 247
27161
27161
  },
27162
27162
  "name": "PolicyAssignmentBody",
27163
27163
  "properties": [
@@ -27170,7 +27170,7 @@
27170
27170
  "immutable": true,
27171
27171
  "locationInModule": {
27172
27172
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27173
- "line": 250
27173
+ "line": 251
27174
27174
  },
27175
27175
  "name": "properties",
27176
27176
  "type": {
@@ -27186,7 +27186,7 @@
27186
27186
  "immutable": true,
27187
27187
  "locationInModule": {
27188
27188
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27189
- "line": 255
27189
+ "line": 256
27190
27190
  },
27191
27191
  "name": "identity",
27192
27192
  "optional": true,
@@ -27317,7 +27317,7 @@
27317
27317
  "kind": "interface",
27318
27318
  "locationInModule": {
27319
27319
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27320
- "line": 195
27320
+ "line": 196
27321
27321
  },
27322
27322
  "name": "PolicyAssignmentProperties",
27323
27323
  "properties": [
@@ -27330,7 +27330,7 @@
27330
27330
  "immutable": true,
27331
27331
  "locationInModule": {
27332
27332
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27333
- "line": 199
27333
+ "line": 200
27334
27334
  },
27335
27335
  "name": "policyDefinitionId",
27336
27336
  "type": {
@@ -27346,7 +27346,7 @@
27346
27346
  "immutable": true,
27347
27347
  "locationInModule": {
27348
27348
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27349
- "line": 204
27349
+ "line": 205
27350
27350
  },
27351
27351
  "name": "scope",
27352
27352
  "type": {
@@ -27362,7 +27362,7 @@
27362
27362
  "immutable": true,
27363
27363
  "locationInModule": {
27364
27364
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27365
- "line": 214
27365
+ "line": 215
27366
27366
  },
27367
27367
  "name": "description",
27368
27368
  "optional": true,
@@ -27379,7 +27379,7 @@
27379
27379
  "immutable": true,
27380
27380
  "locationInModule": {
27381
27381
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27382
- "line": 209
27382
+ "line": 210
27383
27383
  },
27384
27384
  "name": "displayName",
27385
27385
  "optional": true,
@@ -27396,7 +27396,7 @@
27396
27396
  "immutable": true,
27397
27397
  "locationInModule": {
27398
27398
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27399
- "line": 219
27399
+ "line": 220
27400
27400
  },
27401
27401
  "name": "enforcementMode",
27402
27402
  "optional": true,
@@ -27413,7 +27413,7 @@
27413
27413
  "immutable": true,
27414
27414
  "locationInModule": {
27415
27415
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27416
- "line": 229
27416
+ "line": 230
27417
27417
  },
27418
27418
  "name": "metadata",
27419
27419
  "optional": true,
@@ -27430,7 +27430,7 @@
27430
27430
  "immutable": true,
27431
27431
  "locationInModule": {
27432
27432
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27433
- "line": 239
27433
+ "line": 240
27434
27434
  },
27435
27435
  "name": "nonComplianceMessages",
27436
27436
  "optional": true,
@@ -27452,7 +27452,7 @@
27452
27452
  "immutable": true,
27453
27453
  "locationInModule": {
27454
27454
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27455
- "line": 234
27455
+ "line": 235
27456
27456
  },
27457
27457
  "name": "notScopes",
27458
27458
  "optional": true,
@@ -27474,7 +27474,7 @@
27474
27474
  "immutable": true,
27475
27475
  "locationInModule": {
27476
27476
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27477
- "line": 224
27477
+ "line": 225
27478
27478
  },
27479
27479
  "name": "parameters",
27480
27480
  "optional": true,
@@ -27526,12 +27526,12 @@
27526
27526
  "docs": {
27527
27527
  "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name\"",
27528
27528
  "stability": "stable",
27529
- "summary": "The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property."
27529
+ "summary": "The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property."
27530
27530
  },
27531
27531
  "immutable": true,
27532
27532
  "locationInModule": {
27533
27533
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27534
- "line": 98
27534
+ "line": 99
27535
27535
  },
27536
27536
  "name": "scope",
27537
27537
  "type": {
@@ -27548,7 +27548,7 @@
27548
27548
  "immutable": true,
27549
27549
  "locationInModule": {
27550
27550
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27551
- "line": 114
27551
+ "line": 115
27552
27552
  },
27553
27553
  "name": "description",
27554
27554
  "optional": true,
@@ -27566,7 +27566,7 @@
27566
27566
  "immutable": true,
27567
27567
  "locationInModule": {
27568
27568
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27569
- "line": 106
27569
+ "line": 107
27570
27570
  },
27571
27571
  "name": "displayName",
27572
27572
  "optional": true,
@@ -27585,7 +27585,7 @@
27585
27585
  "immutable": true,
27586
27586
  "locationInModule": {
27587
27587
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27588
- "line": 122
27588
+ "line": 123
27589
27589
  },
27590
27590
  "name": "enforcementMode",
27591
27591
  "optional": true,
@@ -27603,7 +27603,7 @@
27603
27603
  "immutable": true,
27604
27604
  "locationInModule": {
27605
27605
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27606
- "line": 161
27606
+ "line": 162
27607
27607
  },
27608
27608
  "name": "identity",
27609
27609
  "optional": true,
@@ -27621,7 +27621,7 @@
27621
27621
  "immutable": true,
27622
27622
  "locationInModule": {
27623
27623
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27624
- "line": 188
27624
+ "line": 189
27625
27625
  },
27626
27626
  "name": "ignoreChanges",
27627
27627
  "optional": true,
@@ -27644,7 +27644,7 @@
27644
27644
  "immutable": true,
27645
27645
  "locationInModule": {
27646
27646
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27647
- "line": 150
27647
+ "line": 151
27648
27648
  },
27649
27649
  "name": "metadata",
27650
27650
  "optional": true,
@@ -27662,7 +27662,7 @@
27662
27662
  "immutable": true,
27663
27663
  "locationInModule": {
27664
27664
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27665
- "line": 182
27665
+ "line": 183
27666
27666
  },
27667
27667
  "name": "nonComplianceMessages",
27668
27668
  "optional": true,
@@ -27685,7 +27685,7 @@
27685
27685
  "immutable": true,
27686
27686
  "locationInModule": {
27687
27687
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27688
- "line": 169
27688
+ "line": 170
27689
27689
  },
27690
27690
  "name": "notScopes",
27691
27691
  "optional": true,
@@ -27708,7 +27708,7 @@
27708
27708
  "immutable": true,
27709
27709
  "locationInModule": {
27710
27710
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
27711
- "line": 138
27711
+ "line": 139
27712
27712
  },
27713
27713
  "name": "parameters",
27714
27714
  "optional": true,
@@ -27723,7 +27723,7 @@
27723
27723
  "assembly": "@microsoft/terraform-cdk-constructs",
27724
27724
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
27725
27725
  "docs": {
27726
- "example": "// Policy definition with parameters:\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"require-tag-policy\",\n displayName: \"Require tag on resources\",\n policyRule: {\n if: {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n exists: \"false\"\n },\n then: {\n effect: \"deny\"\n }\n },\n parameters: {\n tagName: {\n type: \"String\",\n metadata: {\n displayName: \"Tag Name\"\n }\n }\n }\n});",
27726
+ "example": "// Policy definition at management group scope:\nconst mgPolicyDefinition = new PolicyDefinition(this, \"mgPolicy\", {\n name: \"mg-require-tag-policy\",\n parentId: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Management Group Tag Policy\",\n description: \"Enforces tags across the management group hierarchy\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\"\n },\n then: {\n effect: \"deny\"\n }\n }\n});",
27727
27727
  "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Definitions. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy definitions are deployed at subscription or management group scope.\nUnlike most Azure resources, they do not have a location property as they are\nnot region-specific.",
27728
27728
  "stability": "stable",
27729
27729
  "summary": "Unified Azure Policy Definition implementation."
@@ -27737,7 +27737,7 @@
27737
27737
  },
27738
27738
  "locationInModule": {
27739
27739
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27740
- "line": 257
27740
+ "line": 286
27741
27741
  },
27742
27742
  "parameters": [
27743
27743
  {
@@ -27772,7 +27772,7 @@
27772
27772
  "kind": "class",
27773
27773
  "locationInModule": {
27774
27774
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27775
- "line": 228
27775
+ "line": 257
27776
27776
  },
27777
27777
  "methods": [
27778
27778
  {
@@ -27782,7 +27782,7 @@
27782
27782
  },
27783
27783
  "locationInModule": {
27784
27784
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27785
- "line": 306
27785
+ "line": 335
27786
27786
  },
27787
27787
  "name": "apiSchema",
27788
27788
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27801,7 +27801,7 @@
27801
27801
  },
27802
27802
  "locationInModule": {
27803
27803
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27804
- "line": 317
27804
+ "line": 346
27805
27805
  },
27806
27806
  "name": "createResourceBody",
27807
27807
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27832,7 +27832,7 @@
27832
27832
  },
27833
27833
  "locationInModule": {
27834
27834
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27835
- "line": 358
27835
+ "line": 387
27836
27836
  },
27837
27837
  "name": "customizeResourceConfig",
27838
27838
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27861,7 +27861,7 @@
27861
27861
  },
27862
27862
  "locationInModule": {
27863
27863
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27864
- "line": 291
27864
+ "line": 320
27865
27865
  },
27866
27866
  "name": "defaultVersion",
27867
27867
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27872,6 +27872,32 @@
27872
27872
  }
27873
27873
  }
27874
27874
  },
27875
+ {
27876
+ "docs": {
27877
+ "stability": "stable",
27878
+ "summary": "Overrides parent ID resolution to use parentId from props if provided Policy definitions can be deployed at subscription or management group scope."
27879
+ },
27880
+ "locationInModule": {
27881
+ "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27882
+ "line": 404
27883
+ },
27884
+ "name": "resolveParentId",
27885
+ "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
27886
+ "parameters": [
27887
+ {
27888
+ "name": "props",
27889
+ "type": {
27890
+ "primitive": "any"
27891
+ }
27892
+ }
27893
+ ],
27894
+ "protected": true,
27895
+ "returns": {
27896
+ "type": {
27897
+ "primitive": "string"
27898
+ }
27899
+ }
27900
+ },
27875
27901
  {
27876
27902
  "docs": {
27877
27903
  "stability": "stable",
@@ -27879,7 +27905,7 @@
27879
27905
  },
27880
27906
  "locationInModule": {
27881
27907
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27882
- "line": 298
27908
+ "line": 327
27883
27909
  },
27884
27910
  "name": "resourceType",
27885
27911
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27901,7 +27927,7 @@
27901
27927
  },
27902
27928
  "locationInModule": {
27903
27929
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27904
- "line": 341
27930
+ "line": 370
27905
27931
  },
27906
27932
  "name": "supportsTags",
27907
27933
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -27922,7 +27948,7 @@
27922
27948
  "immutable": true,
27923
27949
  "locationInModule": {
27924
27950
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27925
- "line": 242
27951
+ "line": 271
27926
27952
  },
27927
27953
  "name": "idOutput",
27928
27954
  "type": {
@@ -27936,7 +27962,7 @@
27936
27962
  "immutable": true,
27937
27963
  "locationInModule": {
27938
27964
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27939
- "line": 243
27965
+ "line": 272
27940
27966
  },
27941
27967
  "name": "nameOutput",
27942
27968
  "type": {
@@ -27951,7 +27977,7 @@
27951
27977
  "immutable": true,
27952
27978
  "locationInModule": {
27953
27979
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27954
- "line": 393
27980
+ "line": 438
27955
27981
  },
27956
27982
  "name": "policyMode",
27957
27983
  "type": {
@@ -27966,7 +27992,7 @@
27966
27992
  "immutable": true,
27967
27993
  "locationInModule": {
27968
27994
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27969
- "line": 386
27995
+ "line": 431
27970
27996
  },
27971
27997
  "name": "policyType",
27972
27998
  "type": {
@@ -27981,7 +28007,7 @@
27981
28007
  "immutable": true,
27982
28008
  "locationInModule": {
27983
28009
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27984
- "line": 239
28010
+ "line": 268
27985
28011
  },
27986
28012
  "name": "props",
27987
28013
  "type": {
@@ -27996,7 +28022,7 @@
27996
28022
  "immutable": true,
27997
28023
  "locationInModule": {
27998
28024
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
27999
- "line": 379
28025
+ "line": 424
28000
28026
  },
28001
28027
  "name": "resourceId",
28002
28028
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -28018,7 +28044,7 @@
28018
28044
  "kind": "interface",
28019
28045
  "locationInModule": {
28020
28046
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28021
- "line": 167
28047
+ "line": 178
28022
28048
  },
28023
28049
  "name": "PolicyDefinitionBody",
28024
28050
  "properties": [
@@ -28031,7 +28057,7 @@
28031
28057
  "immutable": true,
28032
28058
  "locationInModule": {
28033
28059
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28034
- "line": 171
28060
+ "line": 182
28035
28061
  },
28036
28062
  "name": "properties",
28037
28063
  "type": {
@@ -28052,7 +28078,7 @@
28052
28078
  "kind": "interface",
28053
28079
  "locationInModule": {
28054
28080
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28055
- "line": 126
28081
+ "line": 137
28056
28082
  },
28057
28083
  "name": "PolicyDefinitionProperties",
28058
28084
  "properties": [
@@ -28065,7 +28091,7 @@
28065
28091
  "immutable": true,
28066
28092
  "locationInModule": {
28067
28093
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28068
- "line": 150
28094
+ "line": 161
28069
28095
  },
28070
28096
  "name": "policyRule",
28071
28097
  "type": {
@@ -28081,7 +28107,7 @@
28081
28107
  "immutable": true,
28082
28108
  "locationInModule": {
28083
28109
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28084
- "line": 135
28110
+ "line": 146
28085
28111
  },
28086
28112
  "name": "description",
28087
28113
  "optional": true,
@@ -28098,7 +28124,7 @@
28098
28124
  "immutable": true,
28099
28125
  "locationInModule": {
28100
28126
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28101
- "line": 130
28127
+ "line": 141
28102
28128
  },
28103
28129
  "name": "displayName",
28104
28130
  "optional": true,
@@ -28115,7 +28141,7 @@
28115
28141
  "immutable": true,
28116
28142
  "locationInModule": {
28117
28143
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28118
- "line": 160
28144
+ "line": 171
28119
28145
  },
28120
28146
  "name": "metadata",
28121
28147
  "optional": true,
@@ -28132,7 +28158,7 @@
28132
28158
  "immutable": true,
28133
28159
  "locationInModule": {
28134
28160
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28135
- "line": 145
28161
+ "line": 156
28136
28162
  },
28137
28163
  "name": "mode",
28138
28164
  "optional": true,
@@ -28149,7 +28175,7 @@
28149
28175
  "immutable": true,
28150
28176
  "locationInModule": {
28151
28177
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28152
- "line": 155
28178
+ "line": 166
28153
28179
  },
28154
28180
  "name": "parameters",
28155
28181
  "optional": true,
@@ -28166,7 +28192,7 @@
28166
28192
  "immutable": true,
28167
28193
  "locationInModule": {
28168
28194
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28169
- "line": 140
28195
+ "line": 151
28170
28196
  },
28171
28197
  "name": "policyType",
28172
28198
  "optional": true,
@@ -28259,7 +28285,7 @@
28259
28285
  "immutable": true,
28260
28286
  "locationInModule": {
28261
28287
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28262
- "line": 119
28288
+ "line": 130
28263
28289
  },
28264
28290
  "name": "ignoreChanges",
28265
28291
  "optional": true,
@@ -28327,6 +28353,25 @@
28327
28353
  "primitive": "any"
28328
28354
  }
28329
28355
  },
28356
+ {
28357
+ "abstract": true,
28358
+ "docs": {
28359
+ "default": "Subscription scope (auto-detected from client config)",
28360
+ "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000\"",
28361
+ "stability": "stable",
28362
+ "summary": "The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope."
28363
+ },
28364
+ "immutable": true,
28365
+ "locationInModule": {
28366
+ "filename": "src/azure-policydefinition/lib/policy-definition.ts",
28367
+ "line": 124
28368
+ },
28369
+ "name": "parentId",
28370
+ "optional": true,
28371
+ "type": {
28372
+ "primitive": "string"
28373
+ }
28374
+ },
28330
28375
  {
28331
28376
  "abstract": true,
28332
28377
  "docs": {
@@ -37030,8 +37075,8 @@
37030
37075
  "assembly": "@microsoft/terraform-cdk-constructs",
37031
37076
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
37032
37077
  "docs": {
37033
- "example": "Conditional assignment with ABAC - Limit access to specific storage containers\n\nconst assignment = new RoleAssignment(this, \"conditional-assignment\", {\n roleDefinitionId: storageRole.id,\n principalId: user.objectId,\n scope: storageAccount.id,\n principalType: \"User\",\n condition: \"@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'\",\n conditionVersion: \"2.0\",\n description: \"Grants access only to the logs container\",\n});",
37034
- "remarks": "This class provides a single, version-aware implementation for managing Azure\nRole Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\n**Important Notes:**\n- Role assignments are scoped resources deployed at subscription, resource group,\n or resource level. They do not have a location property as they are not region-specific.\n- The `name` property (inherited from AzapiResourceProps) is not used. Azure automatically\n generates a deterministic GUID for role assignment names based on the deployment context.\n This ensures idempotent deployments without duplicate role assignments.",
37078
+ "example": "Management group scoped assignment - Assign Reader role at management group level\n\nconst mgAssignment = new RoleAssignment(this, \"mg-assignment\", {\n roleDefinitionId: \"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\n principalId: \"00000000-0000-0000-0000-000000000000\",\n scope: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n principalType: \"Group\",\n description: \"Grants read access across the entire management group hierarchy\",\n});",
37079
+ "remarks": "This class provides a single, version-aware implementation for managing Azure\nRole Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\n**Important Notes:**\n- Role assignments are scoped resources deployed at management group, subscription,\n resource group, or resource level. They do not have a location property as they\n are not region-specific.\n- The `name` property (inherited from AzapiResourceProps) is not used. Azure automatically\n generates a deterministic GUID for role assignment names based on the deployment context.\n This ensures idempotent deployments without duplicate role assignments.",
37035
37080
  "stability": "stable",
37036
37081
  "summary": "Unified Azure Role Assignment implementation."
37037
37082
  },
@@ -37044,7 +37089,7 @@
37044
37089
  },
37045
37090
  "locationInModule": {
37046
37091
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37047
- "line": 268
37092
+ "line": 281
37048
37093
  },
37049
37094
  "parameters": [
37050
37095
  {
@@ -37079,7 +37124,7 @@
37079
37124
  "kind": "class",
37080
37125
  "locationInModule": {
37081
37126
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37082
- "line": 239
37127
+ "line": 252
37083
37128
  },
37084
37129
  "methods": [
37085
37130
  {
@@ -37089,7 +37134,7 @@
37089
37134
  },
37090
37135
  "locationInModule": {
37091
37136
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37092
- "line": 322
37137
+ "line": 335
37093
37138
  },
37094
37139
  "name": "apiSchema",
37095
37140
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37104,11 +37149,11 @@
37104
37149
  "docs": {
37105
37150
  "remarks": "The scope property is NOT included in the body as it's read-only and\nautomatically derived from the parentId.",
37106
37151
  "stability": "stable",
37107
- "summary": "Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API Note: Role assignments do not have a location property as they are scoped resources (subscription, resource group, or resource level)."
37152
+ "summary": "Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API Note: Role assignments do not have a location property as they are scoped resources (management group, subscription, resource group, or resource level)."
37108
37153
  },
37109
37154
  "locationInModule": {
37110
37155
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37111
- "line": 335
37156
+ "line": 348
37112
37157
  },
37113
37158
  "name": "createResourceBody",
37114
37159
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37134,7 +37179,7 @@
37134
37179
  },
37135
37180
  "locationInModule": {
37136
37181
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37137
- "line": 307
37182
+ "line": 320
37138
37183
  },
37139
37184
  "name": "defaultVersion",
37140
37185
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37153,7 +37198,7 @@
37153
37198
  },
37154
37199
  "locationInModule": {
37155
37200
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37156
- "line": 361
37201
+ "line": 374
37157
37202
  },
37158
37203
  "name": "resolveName",
37159
37204
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37179,7 +37224,7 @@
37179
37224
  },
37180
37225
  "locationInModule": {
37181
37226
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37182
- "line": 387
37227
+ "line": 400
37183
37228
  },
37184
37229
  "name": "resolveParentId",
37185
37230
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37205,7 +37250,7 @@
37205
37250
  },
37206
37251
  "locationInModule": {
37207
37252
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37208
- "line": 314
37253
+ "line": 327
37209
37254
  },
37210
37255
  "name": "resourceType",
37211
37256
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37227,7 +37272,7 @@
37227
37272
  "immutable": true,
37228
37273
  "locationInModule": {
37229
37274
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37230
- "line": 421
37275
+ "line": 434
37231
37276
  },
37232
37277
  "name": "assignmentScope",
37233
37278
  "type": {
@@ -37241,7 +37286,7 @@
37241
37286
  "immutable": true,
37242
37287
  "locationInModule": {
37243
37288
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37244
- "line": 253
37289
+ "line": 266
37245
37290
  },
37246
37291
  "name": "idOutput",
37247
37292
  "type": {
@@ -37255,7 +37300,7 @@
37255
37300
  "immutable": true,
37256
37301
  "locationInModule": {
37257
37302
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37258
- "line": 254
37303
+ "line": 267
37259
37304
  },
37260
37305
  "name": "nameOutput",
37261
37306
  "type": {
@@ -37270,7 +37315,7 @@
37270
37315
  "immutable": true,
37271
37316
  "locationInModule": {
37272
37317
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37273
- "line": 414
37318
+ "line": 427
37274
37319
  },
37275
37320
  "name": "principalId",
37276
37321
  "type": {
@@ -37285,7 +37330,7 @@
37285
37330
  "immutable": true,
37286
37331
  "locationInModule": {
37287
37332
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37288
- "line": 250
37333
+ "line": 263
37289
37334
  },
37290
37335
  "name": "props",
37291
37336
  "type": {
@@ -37300,7 +37345,7 @@
37300
37345
  "immutable": true,
37301
37346
  "locationInModule": {
37302
37347
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37303
- "line": 400
37348
+ "line": 413
37304
37349
  },
37305
37350
  "name": "resourceId",
37306
37351
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37316,7 +37361,7 @@
37316
37361
  "immutable": true,
37317
37362
  "locationInModule": {
37318
37363
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37319
- "line": 407
37364
+ "line": 420
37320
37365
  },
37321
37366
  "name": "roleDefinitionId",
37322
37367
  "type": {
@@ -37331,7 +37376,7 @@
37331
37376
  "immutable": true,
37332
37377
  "locationInModule": {
37333
37378
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37334
- "line": 428
37379
+ "line": 441
37335
37380
  },
37336
37381
  "name": "principalType",
37337
37382
  "optional": true,
@@ -37353,7 +37398,7 @@
37353
37398
  "kind": "interface",
37354
37399
  "locationInModule": {
37355
37400
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37356
- "line": 182
37401
+ "line": 183
37357
37402
  },
37358
37403
  "name": "RoleAssignmentBody",
37359
37404
  "properties": [
@@ -37366,7 +37411,7 @@
37366
37411
  "immutable": true,
37367
37412
  "locationInModule": {
37368
37413
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37369
- "line": 186
37414
+ "line": 187
37370
37415
  },
37371
37416
  "name": "properties",
37372
37417
  "type": {
@@ -37387,7 +37432,7 @@
37387
37432
  "kind": "interface",
37388
37433
  "locationInModule": {
37389
37434
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37390
- "line": 136
37435
+ "line": 137
37391
37436
  },
37392
37437
  "name": "RoleAssignmentProperties",
37393
37438
  "properties": [
@@ -37400,7 +37445,7 @@
37400
37445
  "immutable": true,
37401
37446
  "locationInModule": {
37402
37447
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37403
- "line": 145
37448
+ "line": 146
37404
37449
  },
37405
37450
  "name": "principalId",
37406
37451
  "type": {
@@ -37416,7 +37461,7 @@
37416
37461
  "immutable": true,
37417
37462
  "locationInModule": {
37418
37463
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37419
- "line": 140
37464
+ "line": 141
37420
37465
  },
37421
37466
  "name": "roleDefinitionId",
37422
37467
  "type": {
@@ -37432,7 +37477,7 @@
37432
37477
  "immutable": true,
37433
37478
  "locationInModule": {
37434
37479
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37435
- "line": 150
37480
+ "line": 151
37436
37481
  },
37437
37482
  "name": "scope",
37438
37483
  "type": {
@@ -37448,7 +37493,7 @@
37448
37493
  "immutable": true,
37449
37494
  "locationInModule": {
37450
37495
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37451
- "line": 165
37496
+ "line": 166
37452
37497
  },
37453
37498
  "name": "condition",
37454
37499
  "optional": true,
@@ -37465,7 +37510,7 @@
37465
37510
  "immutable": true,
37466
37511
  "locationInModule": {
37467
37512
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37468
- "line": 170
37513
+ "line": 171
37469
37514
  },
37470
37515
  "name": "conditionVersion",
37471
37516
  "optional": true,
@@ -37482,7 +37527,7 @@
37482
37527
  "immutable": true,
37483
37528
  "locationInModule": {
37484
37529
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37485
- "line": 175
37530
+ "line": 176
37486
37531
  },
37487
37532
  "name": "delegatedManagedIdentityResourceId",
37488
37533
  "optional": true,
@@ -37499,7 +37544,7 @@
37499
37544
  "immutable": true,
37500
37545
  "locationInModule": {
37501
37546
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37502
- "line": 160
37547
+ "line": 161
37503
37548
  },
37504
37549
  "name": "description",
37505
37550
  "optional": true,
@@ -37516,7 +37561,7 @@
37516
37561
  "immutable": true,
37517
37562
  "locationInModule": {
37518
37563
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37519
- "line": 155
37564
+ "line": 156
37520
37565
  },
37521
37566
  "name": "principalType",
37522
37567
  "optional": true,
@@ -37585,12 +37630,12 @@
37585
37630
  "docs": {
37586
37631
  "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/storage-name\"",
37587
37632
  "stability": "stable",
37588
- "summary": "The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property."
37633
+ "summary": "The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property."
37589
37634
  },
37590
37635
  "immutable": true,
37591
37636
  "locationInModule": {
37592
37637
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37593
- "line": 75
37638
+ "line": 76
37594
37639
  },
37595
37640
  "name": "scope",
37596
37641
  "type": {
@@ -37607,7 +37652,7 @@
37607
37652
  "immutable": true,
37608
37653
  "locationInModule": {
37609
37654
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37610
- "line": 105
37655
+ "line": 106
37611
37656
  },
37612
37657
  "name": "condition",
37613
37658
  "optional": true,
@@ -37626,7 +37671,7 @@
37626
37671
  "immutable": true,
37627
37672
  "locationInModule": {
37628
37673
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37629
- "line": 114
37674
+ "line": 115
37630
37675
  },
37631
37676
  "name": "conditionVersion",
37632
37677
  "optional": true,
@@ -37644,7 +37689,7 @@
37644
37689
  "immutable": true,
37645
37690
  "locationInModule": {
37646
37691
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37647
- "line": 123
37692
+ "line": 124
37648
37693
  },
37649
37694
  "name": "delegatedManagedIdentityResourceId",
37650
37695
  "optional": true,
@@ -37662,7 +37707,7 @@
37662
37707
  "immutable": true,
37663
37708
  "locationInModule": {
37664
37709
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37665
- "line": 96
37710
+ "line": 97
37666
37711
  },
37667
37712
  "name": "description",
37668
37713
  "optional": true,
@@ -37680,7 +37725,7 @@
37680
37725
  "immutable": true,
37681
37726
  "locationInModule": {
37682
37727
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37683
- "line": 129
37728
+ "line": 130
37684
37729
  },
37685
37730
  "name": "ignoreChanges",
37686
37731
  "optional": true,
@@ -37704,7 +37749,7 @@
37704
37749
  "immutable": true,
37705
37750
  "locationInModule": {
37706
37751
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
37707
- "line": 88
37752
+ "line": 89
37708
37753
  },
37709
37754
  "name": "principalType",
37710
37755
  "optional": true,
@@ -37733,7 +37778,7 @@
37733
37778
  },
37734
37779
  "locationInModule": {
37735
37780
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37736
- "line": 223
37781
+ "line": 224
37737
37782
  },
37738
37783
  "parameters": [
37739
37784
  {
@@ -37768,7 +37813,7 @@
37768
37813
  "kind": "class",
37769
37814
  "locationInModule": {
37770
37815
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37771
- "line": 194
37816
+ "line": 195
37772
37817
  },
37773
37818
  "methods": [
37774
37819
  {
@@ -37778,7 +37823,7 @@
37778
37823
  },
37779
37824
  "locationInModule": {
37780
37825
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37781
- "line": 272
37826
+ "line": 273
37782
37827
  },
37783
37828
  "name": "apiSchema",
37784
37829
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37797,7 +37842,7 @@
37797
37842
  },
37798
37843
  "locationInModule": {
37799
37844
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37800
- "line": 313
37845
+ "line": 314
37801
37846
  },
37802
37847
  "name": "createResourceBody",
37803
37848
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37823,7 +37868,7 @@
37823
37868
  },
37824
37869
  "locationInModule": {
37825
37870
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37826
- "line": 257
37871
+ "line": 258
37827
37872
  },
37828
37873
  "name": "defaultVersion",
37829
37874
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37842,7 +37887,7 @@
37842
37887
  },
37843
37888
  "locationInModule": {
37844
37889
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37845
- "line": 285
37890
+ "line": 286
37846
37891
  },
37847
37892
  "name": "resolveName",
37848
37893
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37868,7 +37913,7 @@
37868
37913
  },
37869
37914
  "locationInModule": {
37870
37915
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37871
- "line": 264
37916
+ "line": 265
37872
37917
  },
37873
37918
  "name": "resourceType",
37874
37919
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37889,7 +37934,7 @@
37889
37934
  "immutable": true,
37890
37935
  "locationInModule": {
37891
37936
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37892
- "line": 208
37937
+ "line": 209
37893
37938
  },
37894
37939
  "name": "idOutput",
37895
37940
  "type": {
@@ -37903,7 +37948,7 @@
37903
37948
  "immutable": true,
37904
37949
  "locationInModule": {
37905
37950
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37906
- "line": 209
37951
+ "line": 210
37907
37952
  },
37908
37953
  "name": "nameOutput",
37909
37954
  "type": {
@@ -37918,7 +37963,7 @@
37918
37963
  "immutable": true,
37919
37964
  "locationInModule": {
37920
37965
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37921
- "line": 205
37966
+ "line": 206
37922
37967
  },
37923
37968
  "name": "props",
37924
37969
  "type": {
@@ -37933,7 +37978,7 @@
37933
37978
  "immutable": true,
37934
37979
  "locationInModule": {
37935
37980
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37936
- "line": 334
37981
+ "line": 335
37937
37982
  },
37938
37983
  "name": "resourceId",
37939
37984
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -37949,7 +37994,7 @@
37949
37994
  "immutable": true,
37950
37995
  "locationInModule": {
37951
37996
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37952
- "line": 341
37997
+ "line": 342
37953
37998
  },
37954
37999
  "name": "roleName",
37955
38000
  "type": {
@@ -37964,7 +38009,7 @@
37964
38009
  "immutable": true,
37965
38010
  "locationInModule": {
37966
38011
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37967
- "line": 348
38012
+ "line": 349
37968
38013
  },
37969
38014
  "name": "roleType",
37970
38015
  "type": {
@@ -37985,7 +38030,7 @@
37985
38030
  "kind": "interface",
37986
38031
  "locationInModule": {
37987
38032
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
37988
- "line": 169
38033
+ "line": 170
37989
38034
  },
37990
38035
  "name": "RoleDefinitionBody",
37991
38036
  "properties": [
@@ -37998,7 +38043,7 @@
37998
38043
  "immutable": true,
37999
38044
  "locationInModule": {
38000
38045
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38001
- "line": 173
38046
+ "line": 174
38002
38047
  },
38003
38048
  "name": "properties",
38004
38049
  "type": {
@@ -38129,7 +38174,7 @@
38129
38174
  "kind": "interface",
38130
38175
  "locationInModule": {
38131
38176
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38132
- "line": 138
38177
+ "line": 139
38133
38178
  },
38134
38179
  "name": "RoleDefinitionProperties",
38135
38180
  "properties": [
@@ -38142,7 +38187,7 @@
38142
38187
  "immutable": true,
38143
38188
  "locationInModule": {
38144
38189
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38145
- "line": 162
38190
+ "line": 163
38146
38191
  },
38147
38192
  "name": "assignableScopes",
38148
38193
  "type": {
@@ -38163,7 +38208,7 @@
38163
38208
  "immutable": true,
38164
38209
  "locationInModule": {
38165
38210
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38166
- "line": 157
38211
+ "line": 158
38167
38212
  },
38168
38213
  "name": "permissions",
38169
38214
  "type": {
@@ -38184,7 +38229,7 @@
38184
38229
  "immutable": true,
38185
38230
  "locationInModule": {
38186
38231
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38187
- "line": 142
38232
+ "line": 143
38188
38233
  },
38189
38234
  "name": "roleName",
38190
38235
  "type": {
@@ -38200,7 +38245,7 @@
38200
38245
  "immutable": true,
38201
38246
  "locationInModule": {
38202
38247
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38203
- "line": 147
38248
+ "line": 148
38204
38249
  },
38205
38250
  "name": "description",
38206
38251
  "optional": true,
@@ -38217,7 +38262,7 @@
38217
38262
  "immutable": true,
38218
38263
  "locationInModule": {
38219
38264
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38220
- "line": 152
38265
+ "line": 153
38221
38266
  },
38222
38267
  "name": "type",
38223
38268
  "optional": true,
@@ -38250,14 +38295,14 @@
38250
38295
  {
38251
38296
  "abstract": true,
38252
38297
  "docs": {
38253
- "example": "[\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name\"]",
38298
+ "example": "[\"/providers/Microsoft.Management/managementGroups/my-mg\"]",
38254
38299
  "stability": "stable",
38255
38300
  "summary": "An array of scopes where this role can be assigned Can include subscription, resource group, or management group scopes Required property."
38256
38301
  },
38257
38302
  "immutable": true,
38258
38303
  "locationInModule": {
38259
38304
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38260
- "line": 125
38305
+ "line": 126
38261
38306
  },
38262
38307
  "name": "assignableScopes",
38263
38308
  "type": {
@@ -38336,7 +38381,7 @@
38336
38381
  "immutable": true,
38337
38382
  "locationInModule": {
38338
38383
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
38339
- "line": 131
38384
+ "line": 132
38340
38385
  },
38341
38386
  "name": "ignoreChanges",
38342
38387
  "optional": true,
@@ -70412,8 +70457,8 @@
70412
70457
  "assembly": "@microsoft/terraform-cdk-constructs",
70413
70458
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
70414
70459
  "docs": {
70415
- "example": "// Policy assignment with managed identity:\nconst assignment = new PolicyAssignment(this, \"assignment\", {\n name: \"deploy-monitoring-assignment\",\n policyDefinitionId: \"/providers/Microsoft.Authorization/policyDefinitions/policy-id\",\n scope: \"/subscriptions/00000000-0000-0000-0000-000000000000\",\n identity: {\n type: \"SystemAssigned\"\n }\n});",
70416
- "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy assignments can be deployed at subscription, resource group, or resource scope.\nLike policy definitions, they do not have a location property as they are not region-specific.",
70460
+ "example": "// Policy assignment at management group scope:\nconst mgAssignment = new PolicyAssignment(this, \"mgAssignment\", {\n name: \"mg-policy-assignment\",\n policyDefinitionId: \"/providers/Microsoft.Authorization/policyDefinitions/policy-id\",\n scope: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Management Group Policy\",\n description: \"Applies policy across the entire management group hierarchy\"\n});",
70461
+ "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy assignments can be deployed at management group, subscription, resource group,\nor resource scope. Like policy definitions, they do not have a location property as they\nare not region-specific.",
70417
70462
  "stability": "stable",
70418
70463
  "summary": "Unified Azure Policy Assignment implementation."
70419
70464
  },
@@ -70426,7 +70471,7 @@
70426
70471
  },
70427
70472
  "locationInModule": {
70428
70473
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70429
- "line": 336
70474
+ "line": 348
70430
70475
  },
70431
70476
  "parameters": [
70432
70477
  {
@@ -70461,7 +70506,7 @@
70461
70506
  "kind": "class",
70462
70507
  "locationInModule": {
70463
70508
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70464
- "line": 307
70509
+ "line": 319
70465
70510
  },
70466
70511
  "methods": [
70467
70512
  {
@@ -70471,7 +70516,7 @@
70471
70516
  },
70472
70517
  "locationInModule": {
70473
70518
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70474
- "line": 393
70519
+ "line": 397
70475
70520
  },
70476
70521
  "name": "apiSchema",
70477
70522
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70490,7 +70535,7 @@
70490
70535
  },
70491
70536
  "locationInModule": {
70492
70537
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70493
- "line": 416
70538
+ "line": 420
70494
70539
  },
70495
70540
  "name": "createResourceBody",
70496
70541
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70516,7 +70561,7 @@
70516
70561
  },
70517
70562
  "locationInModule": {
70518
70563
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70519
- "line": 378
70564
+ "line": 382
70520
70565
  },
70521
70566
  "name": "defaultVersion",
70522
70567
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70534,7 +70579,7 @@
70534
70579
  },
70535
70580
  "locationInModule": {
70536
70581
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70537
- "line": 447
70582
+ "line": 451
70538
70583
  },
70539
70584
  "name": "resolveParentId",
70540
70585
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70560,7 +70605,7 @@
70560
70605
  },
70561
70606
  "locationInModule": {
70562
70607
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70563
- "line": 385
70608
+ "line": 389
70564
70609
  },
70565
70610
  "name": "resourceType",
70566
70611
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70582,7 +70627,7 @@
70582
70627
  },
70583
70628
  "locationInModule": {
70584
70629
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70585
- "line": 403
70630
+ "line": 407
70586
70631
  },
70587
70632
  "name": "supportsTags",
70588
70633
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70605,7 +70650,7 @@
70605
70650
  "immutable": true,
70606
70651
  "locationInModule": {
70607
70652
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70608
- "line": 474
70653
+ "line": 478
70609
70654
  },
70610
70655
  "name": "assignmentScope",
70611
70656
  "type": {
@@ -70620,7 +70665,7 @@
70620
70665
  "immutable": true,
70621
70666
  "locationInModule": {
70622
70667
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70623
- "line": 481
70668
+ "line": 485
70624
70669
  },
70625
70670
  "name": "enforcementMode",
70626
70671
  "type": {
@@ -70634,7 +70679,7 @@
70634
70679
  "immutable": true,
70635
70680
  "locationInModule": {
70636
70681
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70637
- "line": 321
70682
+ "line": 333
70638
70683
  },
70639
70684
  "name": "idOutput",
70640
70685
  "type": {
@@ -70648,7 +70693,7 @@
70648
70693
  "immutable": true,
70649
70694
  "locationInModule": {
70650
70695
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70651
- "line": 322
70696
+ "line": 334
70652
70697
  },
70653
70698
  "name": "nameOutput",
70654
70699
  "type": {
@@ -70663,7 +70708,7 @@
70663
70708
  "immutable": true,
70664
70709
  "locationInModule": {
70665
70710
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70666
- "line": 467
70711
+ "line": 471
70667
70712
  },
70668
70713
  "name": "policyDefinitionId",
70669
70714
  "type": {
@@ -70678,7 +70723,7 @@
70678
70723
  "immutable": true,
70679
70724
  "locationInModule": {
70680
70725
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70681
- "line": 318
70726
+ "line": 330
70682
70727
  },
70683
70728
  "name": "props",
70684
70729
  "type": {
@@ -70693,7 +70738,7 @@
70693
70738
  "immutable": true,
70694
70739
  "locationInModule": {
70695
70740
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70696
- "line": 460
70741
+ "line": 464
70697
70742
  },
70698
70743
  "name": "resourceId",
70699
70744
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -70715,7 +70760,7 @@
70715
70760
  "kind": "interface",
70716
70761
  "locationInModule": {
70717
70762
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70718
- "line": 246
70763
+ "line": 247
70719
70764
  },
70720
70765
  "name": "PolicyAssignmentBody",
70721
70766
  "namespace": "azure_policyassignment",
@@ -70729,7 +70774,7 @@
70729
70774
  "immutable": true,
70730
70775
  "locationInModule": {
70731
70776
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70732
- "line": 250
70777
+ "line": 251
70733
70778
  },
70734
70779
  "name": "properties",
70735
70780
  "type": {
@@ -70745,7 +70790,7 @@
70745
70790
  "immutable": true,
70746
70791
  "locationInModule": {
70747
70792
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70748
- "line": 255
70793
+ "line": 256
70749
70794
  },
70750
70795
  "name": "identity",
70751
70796
  "optional": true,
@@ -70878,7 +70923,7 @@
70878
70923
  "kind": "interface",
70879
70924
  "locationInModule": {
70880
70925
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70881
- "line": 195
70926
+ "line": 196
70882
70927
  },
70883
70928
  "name": "PolicyAssignmentProperties",
70884
70929
  "namespace": "azure_policyassignment",
@@ -70892,7 +70937,7 @@
70892
70937
  "immutable": true,
70893
70938
  "locationInModule": {
70894
70939
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70895
- "line": 199
70940
+ "line": 200
70896
70941
  },
70897
70942
  "name": "policyDefinitionId",
70898
70943
  "type": {
@@ -70908,7 +70953,7 @@
70908
70953
  "immutable": true,
70909
70954
  "locationInModule": {
70910
70955
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70911
- "line": 204
70956
+ "line": 205
70912
70957
  },
70913
70958
  "name": "scope",
70914
70959
  "type": {
@@ -70924,7 +70969,7 @@
70924
70969
  "immutable": true,
70925
70970
  "locationInModule": {
70926
70971
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70927
- "line": 214
70972
+ "line": 215
70928
70973
  },
70929
70974
  "name": "description",
70930
70975
  "optional": true,
@@ -70941,7 +70986,7 @@
70941
70986
  "immutable": true,
70942
70987
  "locationInModule": {
70943
70988
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70944
- "line": 209
70989
+ "line": 210
70945
70990
  },
70946
70991
  "name": "displayName",
70947
70992
  "optional": true,
@@ -70958,7 +71003,7 @@
70958
71003
  "immutable": true,
70959
71004
  "locationInModule": {
70960
71005
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70961
- "line": 219
71006
+ "line": 220
70962
71007
  },
70963
71008
  "name": "enforcementMode",
70964
71009
  "optional": true,
@@ -70975,7 +71020,7 @@
70975
71020
  "immutable": true,
70976
71021
  "locationInModule": {
70977
71022
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70978
- "line": 229
71023
+ "line": 230
70979
71024
  },
70980
71025
  "name": "metadata",
70981
71026
  "optional": true,
@@ -70992,7 +71037,7 @@
70992
71037
  "immutable": true,
70993
71038
  "locationInModule": {
70994
71039
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
70995
- "line": 239
71040
+ "line": 240
70996
71041
  },
70997
71042
  "name": "nonComplianceMessages",
70998
71043
  "optional": true,
@@ -71014,7 +71059,7 @@
71014
71059
  "immutable": true,
71015
71060
  "locationInModule": {
71016
71061
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71017
- "line": 234
71062
+ "line": 235
71018
71063
  },
71019
71064
  "name": "notScopes",
71020
71065
  "optional": true,
@@ -71036,7 +71081,7 @@
71036
71081
  "immutable": true,
71037
71082
  "locationInModule": {
71038
71083
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71039
- "line": 224
71084
+ "line": 225
71040
71085
  },
71041
71086
  "name": "parameters",
71042
71087
  "optional": true,
@@ -71089,12 +71134,12 @@
71089
71134
  "docs": {
71090
71135
  "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name\"",
71091
71136
  "stability": "stable",
71092
- "summary": "The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property."
71137
+ "summary": "The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property."
71093
71138
  },
71094
71139
  "immutable": true,
71095
71140
  "locationInModule": {
71096
71141
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71097
- "line": 98
71142
+ "line": 99
71098
71143
  },
71099
71144
  "name": "scope",
71100
71145
  "type": {
@@ -71111,7 +71156,7 @@
71111
71156
  "immutable": true,
71112
71157
  "locationInModule": {
71113
71158
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71114
- "line": 114
71159
+ "line": 115
71115
71160
  },
71116
71161
  "name": "description",
71117
71162
  "optional": true,
@@ -71129,7 +71174,7 @@
71129
71174
  "immutable": true,
71130
71175
  "locationInModule": {
71131
71176
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71132
- "line": 106
71177
+ "line": 107
71133
71178
  },
71134
71179
  "name": "displayName",
71135
71180
  "optional": true,
@@ -71148,7 +71193,7 @@
71148
71193
  "immutable": true,
71149
71194
  "locationInModule": {
71150
71195
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71151
- "line": 122
71196
+ "line": 123
71152
71197
  },
71153
71198
  "name": "enforcementMode",
71154
71199
  "optional": true,
@@ -71166,7 +71211,7 @@
71166
71211
  "immutable": true,
71167
71212
  "locationInModule": {
71168
71213
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71169
- "line": 161
71214
+ "line": 162
71170
71215
  },
71171
71216
  "name": "identity",
71172
71217
  "optional": true,
@@ -71184,7 +71229,7 @@
71184
71229
  "immutable": true,
71185
71230
  "locationInModule": {
71186
71231
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71187
- "line": 188
71232
+ "line": 189
71188
71233
  },
71189
71234
  "name": "ignoreChanges",
71190
71235
  "optional": true,
@@ -71207,7 +71252,7 @@
71207
71252
  "immutable": true,
71208
71253
  "locationInModule": {
71209
71254
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71210
- "line": 150
71255
+ "line": 151
71211
71256
  },
71212
71257
  "name": "metadata",
71213
71258
  "optional": true,
@@ -71225,7 +71270,7 @@
71225
71270
  "immutable": true,
71226
71271
  "locationInModule": {
71227
71272
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71228
- "line": 182
71273
+ "line": 183
71229
71274
  },
71230
71275
  "name": "nonComplianceMessages",
71231
71276
  "optional": true,
@@ -71248,7 +71293,7 @@
71248
71293
  "immutable": true,
71249
71294
  "locationInModule": {
71250
71295
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71251
- "line": 169
71296
+ "line": 170
71252
71297
  },
71253
71298
  "name": "notScopes",
71254
71299
  "optional": true,
@@ -71271,7 +71316,7 @@
71271
71316
  "immutable": true,
71272
71317
  "locationInModule": {
71273
71318
  "filename": "src/azure-policyassignment/lib/policy-assignment.ts",
71274
- "line": 138
71319
+ "line": 139
71275
71320
  },
71276
71321
  "name": "parameters",
71277
71322
  "optional": true,
@@ -71286,7 +71331,7 @@
71286
71331
  "assembly": "@microsoft/terraform-cdk-constructs",
71287
71332
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
71288
71333
  "docs": {
71289
- "example": "// Policy definition with parameters:\nconst policyDefinition = new PolicyDefinition(this, \"policy\", {\n name: \"require-tag-policy\",\n displayName: \"Require tag on resources\",\n policyRule: {\n if: {\n field: \"[concat('tags[', parameters('tagName'), ']')]\",\n exists: \"false\"\n },\n then: {\n effect: \"deny\"\n }\n },\n parameters: {\n tagName: {\n type: \"String\",\n metadata: {\n displayName: \"Tag Name\"\n }\n }\n }\n});",
71334
+ "example": "// Policy definition at management group scope:\nconst mgPolicyDefinition = new PolicyDefinition(this, \"mgPolicy\", {\n name: \"mg-require-tag-policy\",\n parentId: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n displayName: \"Management Group Tag Policy\",\n description: \"Enforces tags across the management group hierarchy\",\n policyRule: {\n if: {\n field: \"tags['CostCenter']\",\n exists: \"false\"\n },\n then: {\n effect: \"deny\"\n }\n }\n});",
71290
71335
  "remarks": "This class provides a single, version-aware implementation for managing Azure\nPolicy Definitions. It automatically handles version resolution, schema validation,\nand property transformation.\n\nNote: Policy definitions are deployed at subscription or management group scope.\nUnlike most Azure resources, they do not have a location property as they are\nnot region-specific.",
71291
71336
  "stability": "stable",
71292
71337
  "summary": "Unified Azure Policy Definition implementation."
@@ -71300,7 +71345,7 @@
71300
71345
  },
71301
71346
  "locationInModule": {
71302
71347
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71303
- "line": 257
71348
+ "line": 286
71304
71349
  },
71305
71350
  "parameters": [
71306
71351
  {
@@ -71335,7 +71380,7 @@
71335
71380
  "kind": "class",
71336
71381
  "locationInModule": {
71337
71382
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71338
- "line": 228
71383
+ "line": 257
71339
71384
  },
71340
71385
  "methods": [
71341
71386
  {
@@ -71345,7 +71390,7 @@
71345
71390
  },
71346
71391
  "locationInModule": {
71347
71392
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71348
- "line": 306
71393
+ "line": 335
71349
71394
  },
71350
71395
  "name": "apiSchema",
71351
71396
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71364,7 +71409,7 @@
71364
71409
  },
71365
71410
  "locationInModule": {
71366
71411
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71367
- "line": 317
71412
+ "line": 346
71368
71413
  },
71369
71414
  "name": "createResourceBody",
71370
71415
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71395,7 +71440,7 @@
71395
71440
  },
71396
71441
  "locationInModule": {
71397
71442
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71398
- "line": 358
71443
+ "line": 387
71399
71444
  },
71400
71445
  "name": "customizeResourceConfig",
71401
71446
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71424,7 +71469,7 @@
71424
71469
  },
71425
71470
  "locationInModule": {
71426
71471
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71427
- "line": 291
71472
+ "line": 320
71428
71473
  },
71429
71474
  "name": "defaultVersion",
71430
71475
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71435,6 +71480,32 @@
71435
71480
  }
71436
71481
  }
71437
71482
  },
71483
+ {
71484
+ "docs": {
71485
+ "stability": "stable",
71486
+ "summary": "Overrides parent ID resolution to use parentId from props if provided Policy definitions can be deployed at subscription or management group scope."
71487
+ },
71488
+ "locationInModule": {
71489
+ "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71490
+ "line": 404
71491
+ },
71492
+ "name": "resolveParentId",
71493
+ "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
71494
+ "parameters": [
71495
+ {
71496
+ "name": "props",
71497
+ "type": {
71498
+ "primitive": "any"
71499
+ }
71500
+ }
71501
+ ],
71502
+ "protected": true,
71503
+ "returns": {
71504
+ "type": {
71505
+ "primitive": "string"
71506
+ }
71507
+ }
71508
+ },
71438
71509
  {
71439
71510
  "docs": {
71440
71511
  "stability": "stable",
@@ -71442,7 +71513,7 @@
71442
71513
  },
71443
71514
  "locationInModule": {
71444
71515
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71445
- "line": 298
71516
+ "line": 327
71446
71517
  },
71447
71518
  "name": "resourceType",
71448
71519
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71464,7 +71535,7 @@
71464
71535
  },
71465
71536
  "locationInModule": {
71466
71537
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71467
- "line": 341
71538
+ "line": 370
71468
71539
  },
71469
71540
  "name": "supportsTags",
71470
71541
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71486,7 +71557,7 @@
71486
71557
  "immutable": true,
71487
71558
  "locationInModule": {
71488
71559
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71489
- "line": 242
71560
+ "line": 271
71490
71561
  },
71491
71562
  "name": "idOutput",
71492
71563
  "type": {
@@ -71500,7 +71571,7 @@
71500
71571
  "immutable": true,
71501
71572
  "locationInModule": {
71502
71573
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71503
- "line": 243
71574
+ "line": 272
71504
71575
  },
71505
71576
  "name": "nameOutput",
71506
71577
  "type": {
@@ -71515,7 +71586,7 @@
71515
71586
  "immutable": true,
71516
71587
  "locationInModule": {
71517
71588
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71518
- "line": 393
71589
+ "line": 438
71519
71590
  },
71520
71591
  "name": "policyMode",
71521
71592
  "type": {
@@ -71530,7 +71601,7 @@
71530
71601
  "immutable": true,
71531
71602
  "locationInModule": {
71532
71603
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71533
- "line": 386
71604
+ "line": 431
71534
71605
  },
71535
71606
  "name": "policyType",
71536
71607
  "type": {
@@ -71545,7 +71616,7 @@
71545
71616
  "immutable": true,
71546
71617
  "locationInModule": {
71547
71618
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71548
- "line": 239
71619
+ "line": 268
71549
71620
  },
71550
71621
  "name": "props",
71551
71622
  "type": {
@@ -71560,7 +71631,7 @@
71560
71631
  "immutable": true,
71561
71632
  "locationInModule": {
71562
71633
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71563
- "line": 379
71634
+ "line": 424
71564
71635
  },
71565
71636
  "name": "resourceId",
71566
71637
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -71582,7 +71653,7 @@
71582
71653
  "kind": "interface",
71583
71654
  "locationInModule": {
71584
71655
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71585
- "line": 167
71656
+ "line": 178
71586
71657
  },
71587
71658
  "name": "PolicyDefinitionBody",
71588
71659
  "namespace": "azure_policydefinition",
@@ -71596,7 +71667,7 @@
71596
71667
  "immutable": true,
71597
71668
  "locationInModule": {
71598
71669
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71599
- "line": 171
71670
+ "line": 182
71600
71671
  },
71601
71672
  "name": "properties",
71602
71673
  "type": {
@@ -71617,7 +71688,7 @@
71617
71688
  "kind": "interface",
71618
71689
  "locationInModule": {
71619
71690
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71620
- "line": 126
71691
+ "line": 137
71621
71692
  },
71622
71693
  "name": "PolicyDefinitionProperties",
71623
71694
  "namespace": "azure_policydefinition",
@@ -71631,7 +71702,7 @@
71631
71702
  "immutable": true,
71632
71703
  "locationInModule": {
71633
71704
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71634
- "line": 150
71705
+ "line": 161
71635
71706
  },
71636
71707
  "name": "policyRule",
71637
71708
  "type": {
@@ -71647,7 +71718,7 @@
71647
71718
  "immutable": true,
71648
71719
  "locationInModule": {
71649
71720
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71650
- "line": 135
71721
+ "line": 146
71651
71722
  },
71652
71723
  "name": "description",
71653
71724
  "optional": true,
@@ -71664,7 +71735,7 @@
71664
71735
  "immutable": true,
71665
71736
  "locationInModule": {
71666
71737
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71667
- "line": 130
71738
+ "line": 141
71668
71739
  },
71669
71740
  "name": "displayName",
71670
71741
  "optional": true,
@@ -71681,7 +71752,7 @@
71681
71752
  "immutable": true,
71682
71753
  "locationInModule": {
71683
71754
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71684
- "line": 160
71755
+ "line": 171
71685
71756
  },
71686
71757
  "name": "metadata",
71687
71758
  "optional": true,
@@ -71698,7 +71769,7 @@
71698
71769
  "immutable": true,
71699
71770
  "locationInModule": {
71700
71771
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71701
- "line": 145
71772
+ "line": 156
71702
71773
  },
71703
71774
  "name": "mode",
71704
71775
  "optional": true,
@@ -71715,7 +71786,7 @@
71715
71786
  "immutable": true,
71716
71787
  "locationInModule": {
71717
71788
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71718
- "line": 155
71789
+ "line": 166
71719
71790
  },
71720
71791
  "name": "parameters",
71721
71792
  "optional": true,
@@ -71732,7 +71803,7 @@
71732
71803
  "immutable": true,
71733
71804
  "locationInModule": {
71734
71805
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71735
- "line": 140
71806
+ "line": 151
71736
71807
  },
71737
71808
  "name": "policyType",
71738
71809
  "optional": true,
@@ -71826,7 +71897,7 @@
71826
71897
  "immutable": true,
71827
71898
  "locationInModule": {
71828
71899
  "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71829
- "line": 119
71900
+ "line": 130
71830
71901
  },
71831
71902
  "name": "ignoreChanges",
71832
71903
  "optional": true,
@@ -71894,6 +71965,25 @@
71894
71965
  "primitive": "any"
71895
71966
  }
71896
71967
  },
71968
+ {
71969
+ "abstract": true,
71970
+ "docs": {
71971
+ "default": "Subscription scope (auto-detected from client config)",
71972
+ "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000\"",
71973
+ "stability": "stable",
71974
+ "summary": "The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope."
71975
+ },
71976
+ "immutable": true,
71977
+ "locationInModule": {
71978
+ "filename": "src/azure-policydefinition/lib/policy-definition.ts",
71979
+ "line": 124
71980
+ },
71981
+ "name": "parentId",
71982
+ "optional": true,
71983
+ "type": {
71984
+ "primitive": "string"
71985
+ }
71986
+ },
71897
71987
  {
71898
71988
  "abstract": true,
71899
71989
  "docs": {
@@ -73587,8 +73677,8 @@
73587
73677
  "assembly": "@microsoft/terraform-cdk-constructs",
73588
73678
  "base": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
73589
73679
  "docs": {
73590
- "example": "Conditional assignment with ABAC - Limit access to specific storage containers\n\nconst assignment = new RoleAssignment(this, \"conditional-assignment\", {\n roleDefinitionId: storageRole.id,\n principalId: user.objectId,\n scope: storageAccount.id,\n principalType: \"User\",\n condition: \"@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'\",\n conditionVersion: \"2.0\",\n description: \"Grants access only to the logs container\",\n});",
73591
- "remarks": "This class provides a single, version-aware implementation for managing Azure\nRole Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\n**Important Notes:**\n- Role assignments are scoped resources deployed at subscription, resource group,\n or resource level. They do not have a location property as they are not region-specific.\n- The `name` property (inherited from AzapiResourceProps) is not used. Azure automatically\n generates a deterministic GUID for role assignment names based on the deployment context.\n This ensures idempotent deployments without duplicate role assignments.",
73680
+ "example": "Management group scoped assignment - Assign Reader role at management group level\n\nconst mgAssignment = new RoleAssignment(this, \"mg-assignment\", {\n roleDefinitionId: \"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\n principalId: \"00000000-0000-0000-0000-000000000000\",\n scope: \"/providers/Microsoft.Management/managementGroups/my-mg\",\n principalType: \"Group\",\n description: \"Grants read access across the entire management group hierarchy\",\n});",
73681
+ "remarks": "This class provides a single, version-aware implementation for managing Azure\nRole Assignments. It automatically handles version resolution, schema validation,\nand property transformation.\n\n**Important Notes:**\n- Role assignments are scoped resources deployed at management group, subscription,\n resource group, or resource level. They do not have a location property as they\n are not region-specific.\n- The `name` property (inherited from AzapiResourceProps) is not used. Azure automatically\n generates a deterministic GUID for role assignment names based on the deployment context.\n This ensures idempotent deployments without duplicate role assignments.",
73592
73682
  "stability": "stable",
73593
73683
  "summary": "Unified Azure Role Assignment implementation."
73594
73684
  },
@@ -73601,7 +73691,7 @@
73601
73691
  },
73602
73692
  "locationInModule": {
73603
73693
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73604
- "line": 268
73694
+ "line": 281
73605
73695
  },
73606
73696
  "parameters": [
73607
73697
  {
@@ -73636,7 +73726,7 @@
73636
73726
  "kind": "class",
73637
73727
  "locationInModule": {
73638
73728
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73639
- "line": 239
73729
+ "line": 252
73640
73730
  },
73641
73731
  "methods": [
73642
73732
  {
@@ -73646,7 +73736,7 @@
73646
73736
  },
73647
73737
  "locationInModule": {
73648
73738
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73649
- "line": 322
73739
+ "line": 335
73650
73740
  },
73651
73741
  "name": "apiSchema",
73652
73742
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73661,11 +73751,11 @@
73661
73751
  "docs": {
73662
73752
  "remarks": "The scope property is NOT included in the body as it's read-only and\nautomatically derived from the parentId.",
73663
73753
  "stability": "stable",
73664
- "summary": "Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API Note: Role assignments do not have a location property as they are scoped resources (subscription, resource group, or resource level)."
73754
+ "summary": "Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API Note: Role assignments do not have a location property as they are scoped resources (management group, subscription, resource group, or resource level)."
73665
73755
  },
73666
73756
  "locationInModule": {
73667
73757
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73668
- "line": 335
73758
+ "line": 348
73669
73759
  },
73670
73760
  "name": "createResourceBody",
73671
73761
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73691,7 +73781,7 @@
73691
73781
  },
73692
73782
  "locationInModule": {
73693
73783
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73694
- "line": 307
73784
+ "line": 320
73695
73785
  },
73696
73786
  "name": "defaultVersion",
73697
73787
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73710,7 +73800,7 @@
73710
73800
  },
73711
73801
  "locationInModule": {
73712
73802
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73713
- "line": 361
73803
+ "line": 374
73714
73804
  },
73715
73805
  "name": "resolveName",
73716
73806
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73736,7 +73826,7 @@
73736
73826
  },
73737
73827
  "locationInModule": {
73738
73828
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73739
- "line": 387
73829
+ "line": 400
73740
73830
  },
73741
73831
  "name": "resolveParentId",
73742
73832
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73762,7 +73852,7 @@
73762
73852
  },
73763
73853
  "locationInModule": {
73764
73854
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73765
- "line": 314
73855
+ "line": 327
73766
73856
  },
73767
73857
  "name": "resourceType",
73768
73858
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73785,7 +73875,7 @@
73785
73875
  "immutable": true,
73786
73876
  "locationInModule": {
73787
73877
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73788
- "line": 421
73878
+ "line": 434
73789
73879
  },
73790
73880
  "name": "assignmentScope",
73791
73881
  "type": {
@@ -73799,7 +73889,7 @@
73799
73889
  "immutable": true,
73800
73890
  "locationInModule": {
73801
73891
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73802
- "line": 253
73892
+ "line": 266
73803
73893
  },
73804
73894
  "name": "idOutput",
73805
73895
  "type": {
@@ -73813,7 +73903,7 @@
73813
73903
  "immutable": true,
73814
73904
  "locationInModule": {
73815
73905
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73816
- "line": 254
73906
+ "line": 267
73817
73907
  },
73818
73908
  "name": "nameOutput",
73819
73909
  "type": {
@@ -73828,7 +73918,7 @@
73828
73918
  "immutable": true,
73829
73919
  "locationInModule": {
73830
73920
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73831
- "line": 414
73921
+ "line": 427
73832
73922
  },
73833
73923
  "name": "principalId",
73834
73924
  "type": {
@@ -73843,7 +73933,7 @@
73843
73933
  "immutable": true,
73844
73934
  "locationInModule": {
73845
73935
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73846
- "line": 250
73936
+ "line": 263
73847
73937
  },
73848
73938
  "name": "props",
73849
73939
  "type": {
@@ -73858,7 +73948,7 @@
73858
73948
  "immutable": true,
73859
73949
  "locationInModule": {
73860
73950
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73861
- "line": 400
73951
+ "line": 413
73862
73952
  },
73863
73953
  "name": "resourceId",
73864
73954
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -73874,7 +73964,7 @@
73874
73964
  "immutable": true,
73875
73965
  "locationInModule": {
73876
73966
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73877
- "line": 407
73967
+ "line": 420
73878
73968
  },
73879
73969
  "name": "roleDefinitionId",
73880
73970
  "type": {
@@ -73889,7 +73979,7 @@
73889
73979
  "immutable": true,
73890
73980
  "locationInModule": {
73891
73981
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73892
- "line": 428
73982
+ "line": 441
73893
73983
  },
73894
73984
  "name": "principalType",
73895
73985
  "optional": true,
@@ -73911,7 +74001,7 @@
73911
74001
  "kind": "interface",
73912
74002
  "locationInModule": {
73913
74003
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73914
- "line": 182
74004
+ "line": 183
73915
74005
  },
73916
74006
  "name": "RoleAssignmentBody",
73917
74007
  "namespace": "azure_roleassignment",
@@ -73925,7 +74015,7 @@
73925
74015
  "immutable": true,
73926
74016
  "locationInModule": {
73927
74017
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73928
- "line": 186
74018
+ "line": 187
73929
74019
  },
73930
74020
  "name": "properties",
73931
74021
  "type": {
@@ -73946,7 +74036,7 @@
73946
74036
  "kind": "interface",
73947
74037
  "locationInModule": {
73948
74038
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73949
- "line": 136
74039
+ "line": 137
73950
74040
  },
73951
74041
  "name": "RoleAssignmentProperties",
73952
74042
  "namespace": "azure_roleassignment",
@@ -73960,7 +74050,7 @@
73960
74050
  "immutable": true,
73961
74051
  "locationInModule": {
73962
74052
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73963
- "line": 145
74053
+ "line": 146
73964
74054
  },
73965
74055
  "name": "principalId",
73966
74056
  "type": {
@@ -73976,7 +74066,7 @@
73976
74066
  "immutable": true,
73977
74067
  "locationInModule": {
73978
74068
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73979
- "line": 140
74069
+ "line": 141
73980
74070
  },
73981
74071
  "name": "roleDefinitionId",
73982
74072
  "type": {
@@ -73992,7 +74082,7 @@
73992
74082
  "immutable": true,
73993
74083
  "locationInModule": {
73994
74084
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
73995
- "line": 150
74085
+ "line": 151
73996
74086
  },
73997
74087
  "name": "scope",
73998
74088
  "type": {
@@ -74008,7 +74098,7 @@
74008
74098
  "immutable": true,
74009
74099
  "locationInModule": {
74010
74100
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74011
- "line": 165
74101
+ "line": 166
74012
74102
  },
74013
74103
  "name": "condition",
74014
74104
  "optional": true,
@@ -74025,7 +74115,7 @@
74025
74115
  "immutable": true,
74026
74116
  "locationInModule": {
74027
74117
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74028
- "line": 170
74118
+ "line": 171
74029
74119
  },
74030
74120
  "name": "conditionVersion",
74031
74121
  "optional": true,
@@ -74042,7 +74132,7 @@
74042
74132
  "immutable": true,
74043
74133
  "locationInModule": {
74044
74134
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74045
- "line": 175
74135
+ "line": 176
74046
74136
  },
74047
74137
  "name": "delegatedManagedIdentityResourceId",
74048
74138
  "optional": true,
@@ -74059,7 +74149,7 @@
74059
74149
  "immutable": true,
74060
74150
  "locationInModule": {
74061
74151
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74062
- "line": 160
74152
+ "line": 161
74063
74153
  },
74064
74154
  "name": "description",
74065
74155
  "optional": true,
@@ -74076,7 +74166,7 @@
74076
74166
  "immutable": true,
74077
74167
  "locationInModule": {
74078
74168
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74079
- "line": 155
74169
+ "line": 156
74080
74170
  },
74081
74171
  "name": "principalType",
74082
74172
  "optional": true,
@@ -74146,12 +74236,12 @@
74146
74236
  "docs": {
74147
74237
  "example": "\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/storage-name\"",
74148
74238
  "stability": "stable",
74149
- "summary": "The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property."
74239
+ "summary": "The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property."
74150
74240
  },
74151
74241
  "immutable": true,
74152
74242
  "locationInModule": {
74153
74243
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74154
- "line": 75
74244
+ "line": 76
74155
74245
  },
74156
74246
  "name": "scope",
74157
74247
  "type": {
@@ -74168,7 +74258,7 @@
74168
74258
  "immutable": true,
74169
74259
  "locationInModule": {
74170
74260
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74171
- "line": 105
74261
+ "line": 106
74172
74262
  },
74173
74263
  "name": "condition",
74174
74264
  "optional": true,
@@ -74187,7 +74277,7 @@
74187
74277
  "immutable": true,
74188
74278
  "locationInModule": {
74189
74279
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74190
- "line": 114
74280
+ "line": 115
74191
74281
  },
74192
74282
  "name": "conditionVersion",
74193
74283
  "optional": true,
@@ -74205,7 +74295,7 @@
74205
74295
  "immutable": true,
74206
74296
  "locationInModule": {
74207
74297
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74208
- "line": 123
74298
+ "line": 124
74209
74299
  },
74210
74300
  "name": "delegatedManagedIdentityResourceId",
74211
74301
  "optional": true,
@@ -74223,7 +74313,7 @@
74223
74313
  "immutable": true,
74224
74314
  "locationInModule": {
74225
74315
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74226
- "line": 96
74316
+ "line": 97
74227
74317
  },
74228
74318
  "name": "description",
74229
74319
  "optional": true,
@@ -74241,7 +74331,7 @@
74241
74331
  "immutable": true,
74242
74332
  "locationInModule": {
74243
74333
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74244
- "line": 129
74334
+ "line": 130
74245
74335
  },
74246
74336
  "name": "ignoreChanges",
74247
74337
  "optional": true,
@@ -74265,7 +74355,7 @@
74265
74355
  "immutable": true,
74266
74356
  "locationInModule": {
74267
74357
  "filename": "src/azure-roleassignment/lib/role-assignment.ts",
74268
- "line": 88
74358
+ "line": 89
74269
74359
  },
74270
74360
  "name": "principalType",
74271
74361
  "optional": true,
@@ -74294,7 +74384,7 @@
74294
74384
  },
74295
74385
  "locationInModule": {
74296
74386
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74297
- "line": 223
74387
+ "line": 224
74298
74388
  },
74299
74389
  "parameters": [
74300
74390
  {
@@ -74329,7 +74419,7 @@
74329
74419
  "kind": "class",
74330
74420
  "locationInModule": {
74331
74421
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74332
- "line": 194
74422
+ "line": 195
74333
74423
  },
74334
74424
  "methods": [
74335
74425
  {
@@ -74339,7 +74429,7 @@
74339
74429
  },
74340
74430
  "locationInModule": {
74341
74431
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74342
- "line": 272
74432
+ "line": 273
74343
74433
  },
74344
74434
  "name": "apiSchema",
74345
74435
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74358,7 +74448,7 @@
74358
74448
  },
74359
74449
  "locationInModule": {
74360
74450
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74361
- "line": 313
74451
+ "line": 314
74362
74452
  },
74363
74453
  "name": "createResourceBody",
74364
74454
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74384,7 +74474,7 @@
74384
74474
  },
74385
74475
  "locationInModule": {
74386
74476
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74387
- "line": 257
74477
+ "line": 258
74388
74478
  },
74389
74479
  "name": "defaultVersion",
74390
74480
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74403,7 +74493,7 @@
74403
74493
  },
74404
74494
  "locationInModule": {
74405
74495
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74406
- "line": 285
74496
+ "line": 286
74407
74497
  },
74408
74498
  "name": "resolveName",
74409
74499
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74429,7 +74519,7 @@
74429
74519
  },
74430
74520
  "locationInModule": {
74431
74521
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74432
- "line": 264
74522
+ "line": 265
74433
74523
  },
74434
74524
  "name": "resourceType",
74435
74525
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74451,7 +74541,7 @@
74451
74541
  "immutable": true,
74452
74542
  "locationInModule": {
74453
74543
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74454
- "line": 208
74544
+ "line": 209
74455
74545
  },
74456
74546
  "name": "idOutput",
74457
74547
  "type": {
@@ -74465,7 +74555,7 @@
74465
74555
  "immutable": true,
74466
74556
  "locationInModule": {
74467
74557
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74468
- "line": 209
74558
+ "line": 210
74469
74559
  },
74470
74560
  "name": "nameOutput",
74471
74561
  "type": {
@@ -74480,7 +74570,7 @@
74480
74570
  "immutable": true,
74481
74571
  "locationInModule": {
74482
74572
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74483
- "line": 205
74573
+ "line": 206
74484
74574
  },
74485
74575
  "name": "props",
74486
74576
  "type": {
@@ -74495,7 +74585,7 @@
74495
74585
  "immutable": true,
74496
74586
  "locationInModule": {
74497
74587
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74498
- "line": 334
74588
+ "line": 335
74499
74589
  },
74500
74590
  "name": "resourceId",
74501
74591
  "overrides": "@microsoft/terraform-cdk-constructs.core_azure.AzapiResource",
@@ -74511,7 +74601,7 @@
74511
74601
  "immutable": true,
74512
74602
  "locationInModule": {
74513
74603
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74514
- "line": 341
74604
+ "line": 342
74515
74605
  },
74516
74606
  "name": "roleName",
74517
74607
  "type": {
@@ -74526,7 +74616,7 @@
74526
74616
  "immutable": true,
74527
74617
  "locationInModule": {
74528
74618
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74529
- "line": 348
74619
+ "line": 349
74530
74620
  },
74531
74621
  "name": "roleType",
74532
74622
  "type": {
@@ -74547,7 +74637,7 @@
74547
74637
  "kind": "interface",
74548
74638
  "locationInModule": {
74549
74639
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74550
- "line": 169
74640
+ "line": 170
74551
74641
  },
74552
74642
  "name": "RoleDefinitionBody",
74553
74643
  "namespace": "azure_roledefinition",
@@ -74561,7 +74651,7 @@
74561
74651
  "immutable": true,
74562
74652
  "locationInModule": {
74563
74653
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74564
- "line": 173
74654
+ "line": 174
74565
74655
  },
74566
74656
  "name": "properties",
74567
74657
  "type": {
@@ -74693,7 +74783,7 @@
74693
74783
  "kind": "interface",
74694
74784
  "locationInModule": {
74695
74785
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74696
- "line": 138
74786
+ "line": 139
74697
74787
  },
74698
74788
  "name": "RoleDefinitionProperties",
74699
74789
  "namespace": "azure_roledefinition",
@@ -74707,7 +74797,7 @@
74707
74797
  "immutable": true,
74708
74798
  "locationInModule": {
74709
74799
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74710
- "line": 162
74800
+ "line": 163
74711
74801
  },
74712
74802
  "name": "assignableScopes",
74713
74803
  "type": {
@@ -74728,7 +74818,7 @@
74728
74818
  "immutable": true,
74729
74819
  "locationInModule": {
74730
74820
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74731
- "line": 157
74821
+ "line": 158
74732
74822
  },
74733
74823
  "name": "permissions",
74734
74824
  "type": {
@@ -74749,7 +74839,7 @@
74749
74839
  "immutable": true,
74750
74840
  "locationInModule": {
74751
74841
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74752
- "line": 142
74842
+ "line": 143
74753
74843
  },
74754
74844
  "name": "roleName",
74755
74845
  "type": {
@@ -74765,7 +74855,7 @@
74765
74855
  "immutable": true,
74766
74856
  "locationInModule": {
74767
74857
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74768
- "line": 147
74858
+ "line": 148
74769
74859
  },
74770
74860
  "name": "description",
74771
74861
  "optional": true,
@@ -74782,7 +74872,7 @@
74782
74872
  "immutable": true,
74783
74873
  "locationInModule": {
74784
74874
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74785
- "line": 152
74875
+ "line": 153
74786
74876
  },
74787
74877
  "name": "type",
74788
74878
  "optional": true,
@@ -74816,14 +74906,14 @@
74816
74906
  {
74817
74907
  "abstract": true,
74818
74908
  "docs": {
74819
- "example": "[\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name\"]",
74909
+ "example": "[\"/providers/Microsoft.Management/managementGroups/my-mg\"]",
74820
74910
  "stability": "stable",
74821
74911
  "summary": "An array of scopes where this role can be assigned Can include subscription, resource group, or management group scopes Required property."
74822
74912
  },
74823
74913
  "immutable": true,
74824
74914
  "locationInModule": {
74825
74915
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74826
- "line": 125
74916
+ "line": 126
74827
74917
  },
74828
74918
  "name": "assignableScopes",
74829
74919
  "type": {
@@ -74902,7 +74992,7 @@
74902
74992
  "immutable": true,
74903
74993
  "locationInModule": {
74904
74994
  "filename": "src/azure-roledefinition/lib/role-definition.ts",
74905
- "line": 131
74995
+ "line": 132
74906
74996
  },
74907
74997
  "name": "ignoreChanges",
74908
74998
  "optional": true,
@@ -110879,6 +110969,6 @@
110879
110969
  "usedFeatures": [
110880
110970
  "class-covariant-overrides"
110881
110971
  ],
110882
- "version": "1.6.0",
110883
- "fingerprint": "NswjK2VbrWieF2CKHCRXT9O6U9ME2BHA4Q0G+FKLUxE="
110972
+ "version": "1.7.1",
110973
+ "fingerprint": "Kw0J/FZOkPTbuxzpQHvrI3R6N39mSD/CkiRq0NCA+ZI="
110884
110974
  }