microsoft-cdktfconstructs 1.6.0__tar.gz → 1.7.0__tar.gz

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2025 Microsoft
+Copyright (c) 2026 Microsoft
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

{microsoft_cdktfconstructs-1.6.0/src/microsoft_cdktfconstructs.egg-info → microsoft_cdktfconstructs-1.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: microsoft-cdktfconstructs
-Version: 1.6.0
+Version: 1.7.0
 Summary: Azure CDK constructs using AZAPI provider for direct Azure REST API access. Version 1.0.0 - Major breaking change migration from AzureRM to AZAPI.
 Home-page: https://github.com/azure/terraform-cdk-constructs.git
 Author: Microsoft

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/setup.py

@@ -5,7 +5,7 @@ kwargs = json.loads(
     """
 {
     "name": "microsoft-cdktfconstructs",
-    "version": "1.6.0",
+    "version": "1.7.0",
     "description": "Azure CDK constructs using AZAPI provider for direct Azure REST API access. Version 1.0.0 - Major breaking change migration from AzureRM to AZAPI.",
     "license": "MIT",
     "url": "https://github.com/azure/terraform-cdk-constructs.git",
@@ -53,7 +53,7 @@ kwargs = json.loads(
     ],
     "package_data": {
         "microsoft_cdktfconstructs._jsii": [
-            "terraform-cdk-constructs@1.6.0.jsii.tgz"
+            "terraform-cdk-constructs@1.7.0.jsii.tgz"
         ],
         "microsoft_cdktfconstructs": [
             "py.typed"

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/__init__.py

@@ -28415,19 +28415,19 @@ class PolicyAssignment(
     Policy Assignments. It automatically handles version resolution, schema validation,
     and property transformation.
 
-    Note: Policy assignments can be deployed at subscription, resource group, or resource scope.
-    Like policy definitions, they do not have a location property as they are not region-specific.
+    Note: Policy assignments can be deployed at management group, subscription, resource group,
+    or resource scope. Like policy definitions, they do not have a location property as they
+    are not region-specific.
 
     Example::
 
-        // Policy assignment with managed identity:
-        const assignment = new PolicyAssignment(this, "assignment", {
-          name: "deploy-monitoring-assignment",
+        // Policy assignment at management group scope:
+        const mgAssignment = new PolicyAssignment(this, "mgAssignment", {
+          name: "mg-policy-assignment",
           policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/policy-id",
-          scope: "/subscriptions/00000000-0000-0000-0000-000000000000",
-          identity: {
-            type: "SystemAssigned"
-          }
+          scope: "/providers/Microsoft.Management/managementGroups/my-mg",
+          displayName: "Management Group Policy",
+          description: "Applies policy across the entire management group hierarchy"
         });
     '''
 
@@ -28471,7 +28471,7 @@ class PolicyAssignment(
         :param scope_: - The scope in which to define this construct.
         :param id: - The unique identifier for this instance.
         :param policy_definition_id: The policy definition ID to assign This can be a built-in or custom policy definition Required property.
-        :param scope: The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param description: The policy assignment description Provides detailed information about the assignment.
         :param display_name: The display name of the policy assignment Provides a human-readable name for the assignment.
         :param enforcement_mode: The enforcement mode of the policy assignment. Default: "Default"
@@ -29027,7 +29027,7 @@ class PolicyAssignmentProps(_AzapiResourceProps_141a2340):
         :param name: The name of the resource.
         :param tags: Tags to apply to the resource.
         :param policy_definition_id: The policy definition ID to assign This can be a built-in or custom policy definition Required property.
-        :param scope: The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param description: The policy assignment description Provides detailed information about the assignment.
         :param display_name: The display name of the policy assignment Provides a human-readable name for the assignment.
         :param enforcement_mode: The enforcement mode of the policy assignment. Default: "Default"
@@ -29320,7 +29320,7 @@ class PolicyAssignmentProps(_AzapiResourceProps_141a2340):
 
     @builtins.property
     def scope(self) -> builtins.str:
-        '''The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        '''The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
 
         Example::
 
@@ -29478,26 +29478,20 @@ class PolicyDefinition(
 
     Example::
 
-        // Policy definition with parameters:
-        const policyDefinition = new PolicyDefinition(this, "policy", {
-          name: "require-tag-policy",
-          displayName: "Require tag on resources",
+        // Policy definition at management group scope:
+        const mgPolicyDefinition = new PolicyDefinition(this, "mgPolicy", {
+          name: "mg-require-tag-policy",
+          parentId: "/providers/Microsoft.Management/managementGroups/my-mg",
+          displayName: "Management Group Tag Policy",
+          description: "Enforces tags across the management group hierarchy",
           policyRule: {
             if: {
-              field: "[concat('tags[', parameters('tagName'), ']')]",
+              field: "tags['CostCenter']",
               exists: "false"
             },
             then: {
               effect: "deny"
             }
-          },
-          parameters: {
-            tagName: {
-              type: "String",
-              metadata: {
-                displayName: "Tag Name"
-              }
-            }
           }
         });
     '''
@@ -29514,6 +29508,7 @@ class PolicyDefinition(
         metadata: typing.Any = None,
         mode: typing.Optional[builtins.str] = None,
         parameters: typing.Any = None,
+        parent_id: typing.Optional[builtins.str] = None,
         policy_type: typing.Optional[builtins.str] = None,
         api_version: typing.Optional[builtins.str] = None,
         enable_migration_analysis: typing.Optional[builtins.bool] = None,
@@ -29545,6 +29540,7 @@ class PolicyDefinition(
         :param metadata: Metadata for the policy definition Used to store additional information like category, version, etc.
         :param mode: The policy mode Determines which resource types will be evaluated. Default: "All"
         :param parameters: Parameters for the policy definition Allows policy assignments to provide values that are used in the policy rule.
+        :param parent_id: The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope. Default: Subscription scope (auto-detected from client config)
         :param policy_type: The type of policy definition. Default: "Custom"
         :param api_version: Explicit API version to use for this resource. If not specified, the latest active version will be automatically resolved. Use this for version pinning when stability is required over latest features. Default: Latest active version from ApiVersionManager
         :param enable_migration_analysis: Whether to enable migration analysis warnings. When true, the framework will analyze the current version for deprecation status and provide migration recommendations in the deployment output. Default: true
@@ -29574,6 +29570,7 @@ class PolicyDefinition(
             metadata=metadata,
             mode=mode,
             parameters=parameters,
+            parent_id=parent_id,
             policy_type=policy_type,
             api_version=api_version,
             enable_migration_analysis=enable_migration_analysis,
@@ -29640,6 +29637,17 @@ class PolicyDefinition(
         '''Gets the default API version to use when no explicit version is specified Returns the most recent stable version as the default.'''
         return typing.cast(builtins.str, jsii.invoke(self, "defaultVersion", []))
 
+    @jsii.member(jsii_name="resolveParentId")
+    def _resolve_parent_id(self, props: typing.Any) -> builtins.str:
+        '''Overrides parent ID resolution to use parentId from props if provided Policy definitions can be deployed at subscription or management group scope.
+
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__578b265b90b8718a4c38a1538fd2c5c20601d7325814a578d432b92c44ab93aa)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(builtins.str, jsii.invoke(self, "resolveParentId", [props]))
+
     @jsii.member(jsii_name="resourceType")
     def _resource_type(self) -> builtins.str:
         '''Gets the Azure resource type for Policy Definitions.'''
@@ -29874,6 +29882,7 @@ class PolicyDefinitionProperties:
         "metadata": "metadata",
         "mode": "mode",
         "parameters": "parameters",
+        "parent_id": "parentId",
         "policy_type": "policyType",
     },
 )
@@ -29903,6 +29912,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         metadata: typing.Any = None,
         mode: typing.Optional[builtins.str] = None,
         parameters: typing.Any = None,
+        parent_id: typing.Optional[builtins.str] = None,
         policy_type: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for the unified Azure Policy Definition.
@@ -29931,6 +29941,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         :param metadata: Metadata for the policy definition Used to store additional information like category, version, etc.
         :param mode: The policy mode Determines which resource types will be evaluated. Default: "All"
         :param parameters: Parameters for the policy definition Allows policy assignments to provide values that are used in the policy rule.
+        :param parent_id: The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope. Default: Subscription scope (auto-detected from client config)
         :param policy_type: The type of policy definition. Default: "Custom"
         '''
         if isinstance(lifecycle, dict):
@@ -29961,6 +29972,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
             check_type(argname="argument metadata", value=metadata, expected_type=type_hints["metadata"])
             check_type(argname="argument mode", value=mode, expected_type=type_hints["mode"])
             check_type(argname="argument parameters", value=parameters, expected_type=type_hints["parameters"])
+            check_type(argname="argument parent_id", value=parent_id, expected_type=type_hints["parent_id"])
             check_type(argname="argument policy_type", value=policy_type, expected_type=type_hints["policy_type"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "policy_rule": policy_rule,
@@ -30007,6 +30019,8 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
             self._values["mode"] = mode
         if parameters is not None:
             self._values["parameters"] = parameters
+        if parent_id is not None:
+            self._values["parent_id"] = parent_id
         if policy_type is not None:
             self._values["policy_type"] = policy_type
 
@@ -30290,6 +30304,19 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         result = self._values.get("parameters")
         return typing.cast(typing.Any, result)
 
+    @builtins.property
+    def parent_id(self) -> typing.Optional[builtins.str]:
+        '''The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope.
+
+        :default: Subscription scope (auto-detected from client config)
+
+        Example::
+
+            "/subscriptions/00000000-0000-0000-0000-000000000000"
+        '''
+        result = self._values.get("parent_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def policy_type(self) -> typing.Optional[builtins.str]:
         '''The type of policy definition.
@@ -37543,24 +37570,23 @@ class RoleAssignment(
 
     **Important Notes:**
 
-    - Role assignments are scoped resources deployed at subscription, resource group,
-      or resource level. They do not have a location property as they are not region-specific.
+    - Role assignments are scoped resources deployed at management group, subscription,
+      resource group, or resource level. They do not have a location property as they
+      are not region-specific.
     - The ``name`` property (inherited from AzapiResourceProps) is not used. Azure automatically
       generates a deterministic GUID for role assignment names based on the deployment context.
       This ensures idempotent deployments without duplicate role assignments.
 
     Example::
 
-        Conditional assignment with ABAC - Limit access to specific storage containers
+        Management group scoped assignment - Assign Reader role at management group level
         
-        const assignment = new RoleAssignment(this, "conditional-assignment", {
-          roleDefinitionId: storageRole.id,
-          principalId: user.objectId,
-          scope: storageAccount.id,
-          principalType: "User",
-          condition: "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'",
-          conditionVersion: "2.0",
-          description: "Grants access only to the logs container",
+        const mgAssignment = new RoleAssignment(this, "mg-assignment", {
+          roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+          principalId: "00000000-0000-0000-0000-000000000000",
+          scope: "/providers/Microsoft.Management/managementGroups/my-mg",
+          principalType: "Group",
+          description: "Grants read access across the entire management group hierarchy",
         });
     '''
 
@@ -37603,7 +37629,7 @@ class RoleAssignment(
         :param id: - The unique identifier for this instance.
         :param principal_id: The principal ID (object ID) to which the role is assigned This can be a user, group, service principal, or managed identity Required property.
         :param role_definition_id: The role definition ID to assign This can be a built-in or custom role definition Required property.
-        :param scope: The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param condition: The conditions on the role assignment Limits the resources it applies to using ABAC expressions Requires conditionVersion to be set when used.
         :param condition_version: Version of the condition syntax Required when condition is specified. Default: undefined
         :param delegated_managed_identity_resource_id: The delegated Azure Resource Id which contains a Managed Identity Applicable only when the principalType is Group Used for scenarios where a group assignment should use a specific managed identity.
@@ -37666,7 +37692,7 @@ class RoleAssignment(
 
     @jsii.member(jsii_name="createResourceBody")
     def _create_resource_body(self, props: typing.Any) -> typing.Any:
-        '''Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API  Note: Role assignments do not have a location property as they are scoped resources (subscription, resource group, or resource level).
+        '''Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API  Note: Role assignments do not have a location property as they are scoped resources (management group, subscription, resource group, or resource level).
 
         The scope property is NOT included in the body as it's read-only and
         automatically derived from the parentId.
@@ -38067,7 +38093,7 @@ class RoleAssignmentProps(_AzapiResourceProps_141a2340):
         :param tags: Tags to apply to the resource.
         :param principal_id: The principal ID (object ID) to which the role is assigned This can be a user, group, service principal, or managed identity Required property.
         :param role_definition_id: The role definition ID to assign This can be a built-in or custom role definition Required property.
-        :param scope: The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param condition: The conditions on the role assignment Limits the resources it applies to using ABAC expressions Requires conditionVersion to be set when used.
         :param condition_version: Version of the condition syntax Required when condition is specified. Default: undefined
         :param delegated_managed_identity_resource_id: The delegated Azure Resource Id which contains a Managed Identity Applicable only when the principalType is Group Used for scenarios where a group assignment should use a specific managed identity.
@@ -38360,7 +38386,7 @@ class RoleAssignmentProps(_AzapiResourceProps_141a2340):
 
     @builtins.property
     def scope(self) -> builtins.str:
-        '''The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        '''The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
 
         Example::
 
@@ -39256,7 +39282,7 @@ class RoleDefinitionProps(_AzapiResourceProps_141a2340):
 
         Example::
 
-            ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name"]
+            ["/providers/Microsoft.Management/managementGroups/my-mg"]
         '''
         result = self._values.get("assignable_scopes")
         assert result is not None, "Required property 'assignable_scopes' is missing"
@@ -61370,6 +61396,7 @@ def _typecheckingstub__32ade476b8cbca4e3521fe6be3b2d3e62398ec6cb44fb5185a0240678
     metadata: typing.Any = None,
     mode: typing.Optional[builtins.str] = None,
     parameters: typing.Any = None,
+    parent_id: typing.Optional[builtins.str] = None,
     policy_type: typing.Optional[builtins.str] = None,
     api_version: typing.Optional[builtins.str] = None,
     enable_migration_analysis: typing.Optional[builtins.bool] = None,
@@ -61402,6 +61429,12 @@ def _typecheckingstub__a36d716d00273ea6a6af571a1c37fbb7d796ec85b026ce6ee72b0cd90
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__578b265b90b8718a4c38a1538fd2c5c20601d7325814a578d432b92c44ab93aa(
+    props: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__cb92598a4c3a4da2786ee5794feea197a9e519cd7b198cd953c0dbef404e1fe1(
     *,
     properties: typing.Union[_PolicyDefinitionProperties_ff703616, typing.Dict[builtins.str, typing.Any]],
@@ -61446,6 +61479,7 @@ def _typecheckingstub__c41e2bcae5dca3227727f47f99543edcf6e042d4b4512da008f7559fe
     metadata: typing.Any = None,
     mode: typing.Optional[builtins.str] = None,
     parameters: typing.Any = None,
+    parent_id: typing.Optional[builtins.str] = None,
     policy_type: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/_jsii/__init__.py

@@ -33,9 +33,9 @@ import constructs._jsii
 
 __jsii_assembly__ = jsii.JSIIAssembly.load(
     "@microsoft/terraform-cdk-constructs",
-    "1.6.0",
+    "1.7.0",
     __name__[0:-6],
-    "terraform-cdk-constructs@1.6.0.jsii.tgz",
+    "terraform-cdk-constructs@1.7.0.jsii.tgz",
 )
 
 __all__ = [

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/azure_policyassignment/__init__.py

@@ -5,7 +5,7 @@ This module provides a unified, version-aware implementation for managing Azure
 
 ## Overview
 
-Azure Policy Assignments apply policy definitions to specific scopes (subscription, resource group, or resource) and provide parameter values for policy enforcement. Policy assignments can configure enforcement modes, managed identities for remediation, and custom non-compliance messages.
+Azure Policy Assignments apply policy definitions to specific scopes (management group, subscription, resource group, or resource) and provide parameter values for policy enforcement. Policy assignments can configure enforcement modes, managed identities for remediation, and custom non-compliance messages.
 
 ## Key Features
 
@@ -14,7 +14,7 @@ Azure Policy Assignments apply policy definitions to specific scopes (subscripti
 * **Schema-Driven Validation**: Built-in validation based on Azure API schemas
 * **Type-Safe**: Full TypeScript support with comprehensive interfaces
 * **JSII Compatible**: Can be used from multiple programming languages
-* **Flexible Scoping**: Support for subscription, resource group, and resource-level assignments
+* **Flexible Scoping**: Support for management group, subscription, resource group, and resource-level assignments
 * **Enforcement Modes**: Control whether policies are enforced or audited
 * **Managed Identity Support**: Enable remediation for deployIfNotExists and modify policies
 * **Scope Exclusions**: Exclude specific scopes from policy evaluation
@@ -286,6 +286,14 @@ console.log("Enforcement Mode:", assignment.enforcementMode);
 
 Policy assignments can be applied at different organizational levels:
 
+#### Management Group Scope
+
+```python
+scope: "/providers/Microsoft.Management/managementGroups/my-mg";
+```
+
+Applies to all subscriptions and resources within the management group hierarchy. This is the highest level scope and is ideal for organization-wide policies.
+
 #### Subscription Scope
 
 ```python
@@ -385,6 +393,40 @@ Policy Assignment constructs expose the following outputs:
 
 ## Examples
 
+### Assign Policy at Management Group Level
+
+```python
+// Apply an organization-wide policy at management group scope
+const mgPolicyDefinition = new PolicyDefinition(this, "org-policy", {
+  name: "require-resource-tags",
+  parentId: "/providers/Microsoft.Management/managementGroups/my-mg",
+  displayName: "Require Resource Tags",
+  policyRule: {
+    if: {
+      field: "tags['CostCenter']",
+      exists: "false",
+    },
+    then: {
+      effect: "deny",
+    },
+  },
+});
+
+const mgAssignment = new PolicyAssignment(this, "mg-tag-assignment", {
+  name: "require-tags-org-wide",
+  displayName: "Require Tags Across Organization",
+  description: "Enforces required tags across all subscriptions in the management group",
+  policyDefinitionId: mgPolicyDefinition.id,
+  scope: "/providers/Microsoft.Management/managementGroups/my-mg",
+  nonComplianceMessages: [
+    {
+      message:
+        "All resources must have a CostCenter tag for billing and cost allocation purposes.",
+    },
+  ],
+});
+```
+
 ### Assign Tag Policy at Subscription Level
 
 ```python
@@ -625,19 +667,19 @@ class PolicyAssignment(
     Policy Assignments. It automatically handles version resolution, schema validation,
     and property transformation.
 
-    Note: Policy assignments can be deployed at subscription, resource group, or resource scope.
-    Like policy definitions, they do not have a location property as they are not region-specific.
+    Note: Policy assignments can be deployed at management group, subscription, resource group,
+    or resource scope. Like policy definitions, they do not have a location property as they
+    are not region-specific.
 
     Example::
 
-        // Policy assignment with managed identity:
-        const assignment = new PolicyAssignment(this, "assignment", {
-          name: "deploy-monitoring-assignment",
+        // Policy assignment at management group scope:
+        const mgAssignment = new PolicyAssignment(this, "mgAssignment", {
+          name: "mg-policy-assignment",
           policyDefinitionId: "/providers/Microsoft.Authorization/policyDefinitions/policy-id",
-          scope: "/subscriptions/00000000-0000-0000-0000-000000000000",
-          identity: {
-            type: "SystemAssigned"
-          }
+          scope: "/providers/Microsoft.Management/managementGroups/my-mg",
+          displayName: "Management Group Policy",
+          description: "Applies policy across the entire management group hierarchy"
         });
     '''
 
@@ -681,7 +723,7 @@ class PolicyAssignment(
         :param scope_: - The scope in which to define this construct.
         :param id: - The unique identifier for this instance.
         :param policy_definition_id: The policy definition ID to assign This can be a built-in or custom policy definition Required property.
-        :param scope: The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param description: The policy assignment description Provides detailed information about the assignment.
         :param display_name: The display name of the policy assignment Provides a human-readable name for the assignment.
         :param enforcement_mode: The enforcement mode of the policy assignment. Default: "Default"
@@ -1237,7 +1279,7 @@ class PolicyAssignmentProps(_AzapiResourceProps_141a2340):
         :param name: The name of the resource.
         :param tags: Tags to apply to the resource.
         :param policy_definition_id: The policy definition ID to assign This can be a built-in or custom policy definition Required property.
-        :param scope: The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param description: The policy assignment description Provides detailed information about the assignment.
         :param display_name: The display name of the policy assignment Provides a human-readable name for the assignment.
         :param enforcement_mode: The enforcement mode of the policy assignment. Default: "Default"
@@ -1530,7 +1572,7 @@ class PolicyAssignmentProps(_AzapiResourceProps_141a2340):
 
     @builtins.property
     def scope(self) -> builtins.str:
-        '''The scope at which the policy assignment is applied Can be a subscription, resource group, or resource Required property.
+        '''The scope at which the policy assignment is applied Can be a management group, subscription, resource group, or resource Required property.
 
         Example::
 

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/azure_policydefinition/__init__.py

@@ -347,6 +347,32 @@ Policy Definition constructs expose the following outputs:
 
 ## Examples
 
+### Policy Definition at Management Group Scope
+
+```python
+// Create a policy definition at management group scope
+// This makes the policy available to all subscriptions under the management group
+new PolicyDefinition(this, "mg-policy", {
+  name: "org-wide-tag-policy",
+  parentId: "/providers/Microsoft.Management/managementGroups/my-mg",
+  displayName: "Organization-Wide Tag Policy",
+  description: "Enforces required tags across all subscriptions in the organization",
+  policyRule: {
+    if: {
+      field: "tags['CostCenter']",
+      exists: "false",
+    },
+    then: {
+      effect: "deny",
+    },
+  },
+  metadata: {
+    category: "Tags",
+    version: "1.0.0",
+  },
+});
+```
+
 ### Require Specific Resource Locations
 
 ```python
@@ -503,26 +529,20 @@ class PolicyDefinition(
 
     Example::
 
-        // Policy definition with parameters:
-        const policyDefinition = new PolicyDefinition(this, "policy", {
-          name: "require-tag-policy",
-          displayName: "Require tag on resources",
+        // Policy definition at management group scope:
+        const mgPolicyDefinition = new PolicyDefinition(this, "mgPolicy", {
+          name: "mg-require-tag-policy",
+          parentId: "/providers/Microsoft.Management/managementGroups/my-mg",
+          displayName: "Management Group Tag Policy",
+          description: "Enforces tags across the management group hierarchy",
           policyRule: {
             if: {
-              field: "[concat('tags[', parameters('tagName'), ']')]",
+              field: "tags['CostCenter']",
               exists: "false"
             },
             then: {
               effect: "deny"
             }
-          },
-          parameters: {
-            tagName: {
-              type: "String",
-              metadata: {
-                displayName: "Tag Name"
-              }
-            }
           }
         });
     '''
@@ -539,6 +559,7 @@ class PolicyDefinition(
         metadata: typing.Any = None,
         mode: typing.Optional[builtins.str] = None,
         parameters: typing.Any = None,
+        parent_id: typing.Optional[builtins.str] = None,
         policy_type: typing.Optional[builtins.str] = None,
         api_version: typing.Optional[builtins.str] = None,
         enable_migration_analysis: typing.Optional[builtins.bool] = None,
@@ -570,6 +591,7 @@ class PolicyDefinition(
         :param metadata: Metadata for the policy definition Used to store additional information like category, version, etc.
         :param mode: The policy mode Determines which resource types will be evaluated. Default: "All"
         :param parameters: Parameters for the policy definition Allows policy assignments to provide values that are used in the policy rule.
+        :param parent_id: The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope. Default: Subscription scope (auto-detected from client config)
         :param policy_type: The type of policy definition. Default: "Custom"
         :param api_version: Explicit API version to use for this resource. If not specified, the latest active version will be automatically resolved. Use this for version pinning when stability is required over latest features. Default: Latest active version from ApiVersionManager
         :param enable_migration_analysis: Whether to enable migration analysis warnings. When true, the framework will analyze the current version for deprecation status and provide migration recommendations in the deployment output. Default: true
@@ -599,6 +621,7 @@ class PolicyDefinition(
             metadata=metadata,
             mode=mode,
             parameters=parameters,
+            parent_id=parent_id,
             policy_type=policy_type,
             api_version=api_version,
             enable_migration_analysis=enable_migration_analysis,
@@ -665,6 +688,17 @@ class PolicyDefinition(
         '''Gets the default API version to use when no explicit version is specified Returns the most recent stable version as the default.'''
         return typing.cast(builtins.str, jsii.invoke(self, "defaultVersion", []))
 
+    @jsii.member(jsii_name="resolveParentId")
+    def _resolve_parent_id(self, props: typing.Any) -> builtins.str:
+        '''Overrides parent ID resolution to use parentId from props if provided Policy definitions can be deployed at subscription or management group scope.
+
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__654a1826887b06f5f0eb0d4ebd8791aca0ddea0906f2c8bab902c91a46f42c39)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(builtins.str, jsii.invoke(self, "resolveParentId", [props]))
+
     @jsii.member(jsii_name="resourceType")
     def _resource_type(self) -> builtins.str:
         '''Gets the Azure resource type for Policy Definitions.'''
@@ -899,6 +933,7 @@ class PolicyDefinitionProperties:
         "metadata": "metadata",
         "mode": "mode",
         "parameters": "parameters",
+        "parent_id": "parentId",
         "policy_type": "policyType",
     },
 )
@@ -928,6 +963,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         metadata: typing.Any = None,
         mode: typing.Optional[builtins.str] = None,
         parameters: typing.Any = None,
+        parent_id: typing.Optional[builtins.str] = None,
         policy_type: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for the unified Azure Policy Definition.
@@ -956,6 +992,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         :param metadata: Metadata for the policy definition Used to store additional information like category, version, etc.
         :param mode: The policy mode Determines which resource types will be evaluated. Default: "All"
         :param parameters: Parameters for the policy definition Allows policy assignments to provide values that are used in the policy rule.
+        :param parent_id: The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope. Default: Subscription scope (auto-detected from client config)
         :param policy_type: The type of policy definition. Default: "Custom"
         '''
         if isinstance(lifecycle, dict):
@@ -986,6 +1023,7 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
             check_type(argname="argument metadata", value=metadata, expected_type=type_hints["metadata"])
             check_type(argname="argument mode", value=mode, expected_type=type_hints["mode"])
             check_type(argname="argument parameters", value=parameters, expected_type=type_hints["parameters"])
+            check_type(argname="argument parent_id", value=parent_id, expected_type=type_hints["parent_id"])
             check_type(argname="argument policy_type", value=policy_type, expected_type=type_hints["policy_type"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "policy_rule": policy_rule,
@@ -1032,6 +1070,8 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
             self._values["mode"] = mode
         if parameters is not None:
             self._values["parameters"] = parameters
+        if parent_id is not None:
+            self._values["parent_id"] = parent_id
         if policy_type is not None:
             self._values["policy_type"] = policy_type
 
@@ -1315,6 +1355,19 @@ class PolicyDefinitionProps(_AzapiResourceProps_141a2340):
         result = self._values.get("parameters")
         return typing.cast(typing.Any, result)
 
+    @builtins.property
+    def parent_id(self) -> typing.Optional[builtins.str]:
+        '''The parent scope where the policy definition should be created Can be a management group or subscription scope If not specified, defaults to subscription scope.
+
+        :default: Subscription scope (auto-detected from client config)
+
+        Example::
+
+            "/subscriptions/00000000-0000-0000-0000-000000000000"
+        '''
+        result = self._values.get("parent_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def policy_type(self) -> typing.Optional[builtins.str]:
         '''The type of policy definition.
@@ -1360,6 +1413,7 @@ def _typecheckingstub__d4e28903a06a72000244427e86989df6a69cc84776e7713a5ea395600
     metadata: typing.Any = None,
     mode: typing.Optional[builtins.str] = None,
     parameters: typing.Any = None,
+    parent_id: typing.Optional[builtins.str] = None,
     policy_type: typing.Optional[builtins.str] = None,
     api_version: typing.Optional[builtins.str] = None,
     enable_migration_analysis: typing.Optional[builtins.bool] = None,
@@ -1392,6 +1446,12 @@ def _typecheckingstub__d51b9a44e8620493aa3fd63ad76bd0951072b15d9e32625134dbeec45
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__654a1826887b06f5f0eb0d4ebd8791aca0ddea0906f2c8bab902c91a46f42c39(
+    props: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0657ed07126b893992a523233fa3e437c3251a22d3ed4c9a0e0df9d02677dc69(
     *,
     properties: typing.Union[PolicyDefinitionProperties, typing.Dict[builtins.str, typing.Any]],
@@ -1436,6 +1496,7 @@ def _typecheckingstub__ccbdb84b0b985105c2d0fe9b91c8b618a099c872fe29f9344a6d87ae9
     metadata: typing.Any = None,
     mode: typing.Optional[builtins.str] = None,
     parameters: typing.Any = None,
+    parent_id: typing.Optional[builtins.str] = None,
     policy_type: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/azure_roleassignment/__init__.py

@@ -1,7 +1,7 @@
 r'''
 # Azure Role Assignment Construct
 
-This module provides a CDK construct for managing Azure Role Assignments using the AZAPI provider. Role assignments grant specific permissions (roles) to security principals (users, groups, service principals, managed identities) at a particular scope (subscription, resource group, or resource).
+This module provides a CDK construct for managing Azure Role Assignments using the AZAPI provider. Role assignments grant specific permissions (roles) to security principals (users, groups, service principals, managed identities) at a particular scope (management group, subscription, resource group, or resource).
 
 ## Table of Contents
 
@@ -23,7 +23,7 @@ This module provides a CDK construct for managing Azure Role Assignments using t
 * **Schema-Driven Validation**: Built-in property validation with comprehensive error messages
 * **Principal Types**: Support for User, Group, ServicePrincipal, ForeignGroup, and Device principals
 * **Conditional Access (ABAC)**: Attribute-Based Access Control with condition expressions
-* **Flexible Scoping**: Assign roles at subscription, resource group, or individual resource scope
+* **Flexible Scoping**: Assign roles at management group, subscription, resource group, or individual resource scope
 * **Delegated Managed Identity**: Support for delegated identity scenarios with group assignments
 * **Built-in and Custom Roles**: Works with both Azure built-in roles and custom role definitions
 * **JSII Compliance**: Full support for multi-language bindings
@@ -151,6 +151,20 @@ const groupAssignment = new RoleAssignment(this, 'group-assignment', {
 });
 ```
 
+### Management Group Scoped Assignment
+
+```python
+// Assign a role at management group scope for organization-wide access
+const mgAssignment = new RoleAssignment(this, 'mg-reader', {
+  name: 'mg-reader-assignment',
+  roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader
+  principalId: '00000000-0000-0000-0000-000000000000',
+  scope: '/providers/Microsoft.Management/managementGroups/my-mg',
+  principalType: 'Group',
+  description: 'Grants read access across the entire management group hierarchy',
+});
+```
+
 ### Resource Group Scoped Assignment
 
 ```python
@@ -185,7 +199,7 @@ const resourceAssignment = new RoleAssignment(this, 'storage-contributor', {
 |----------|------|-------------|
 | `roleDefinitionId` | string | The role definition ID to assign (built-in or custom role) |
 | `principalId` | string | The Object ID of the principal (user, group, service principal, managed identity) |
-| `scope` | string | The scope at which the role is assigned (subscription, resource group, or resource) |
+| `scope` | string | The scope at which the role is assigned (management group, subscription, resource group, or resource) |
 
 ### Optional Properties
 
@@ -320,6 +334,9 @@ roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3
 Assign roles at the narrowest scope possible:
 
 ```python
+// ❌ Bad: Management group-wide access when subscription scope is sufficient
+scope: '/providers/Microsoft.Management/managementGroups/my-mg'
+
 // ❌ Bad: Subscription-wide access when not needed
 scope: '/subscriptions/00000000-0000-0000-0000-000000000000'
 
@@ -402,7 +419,35 @@ new RoleAssignment(this, 'assignment', {
 
 ## Examples
 
-### Example 1: Multi-Region Monitoring Setup
+### Example 1: Management Group Level Access Control
+
+```python
+// Grant organization-wide read access to security team at management group level
+const securityReaderAssignment = new RoleAssignment(this, 'security-mg-reader', {
+  name: 'security-org-reader',
+  roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', // Reader
+  principalId: securityTeamGroup.objectId,
+  scope: '/providers/Microsoft.Management/managementGroups/root-mg',
+  principalType: 'Group',
+  description: 'Grants security team read access across all subscriptions and resources in the organization',
+  tags: {
+    team: 'security',
+    purpose: 'compliance-monitoring',
+  },
+});
+
+// Grant User Access Administrator at management group for identity management team
+const identityMgmtAssignment = new RoleAssignment(this, 'identity-mg-uaa', {
+  name: 'identity-user-access-admin',
+  roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', // User Access Administrator
+  principalId: identityTeamGroup.objectId,
+  scope: '/providers/Microsoft.Management/managementGroups/root-mg',
+  principalType: 'Group',
+  description: 'Grants identity team ability to manage role assignments organization-wide',
+});
+```
+
+### Example 2: Multi-Region Monitoring Setup
 
 ```python
 const regions = ['eastus', 'westus', 'northeurope'];
@@ -579,24 +624,23 @@ class RoleAssignment(
 
     **Important Notes:**
 
-    - Role assignments are scoped resources deployed at subscription, resource group,
-      or resource level. They do not have a location property as they are not region-specific.
+    - Role assignments are scoped resources deployed at management group, subscription,
+      resource group, or resource level. They do not have a location property as they
+      are not region-specific.
     - The ``name`` property (inherited from AzapiResourceProps) is not used. Azure automatically
       generates a deterministic GUID for role assignment names based on the deployment context.
       This ensures idempotent deployments without duplicate role assignments.
 
     Example::
 
-        Conditional assignment with ABAC - Limit access to specific storage containers
+        Management group scoped assignment - Assign Reader role at management group level
         
-        const assignment = new RoleAssignment(this, "conditional-assignment", {
-          roleDefinitionId: storageRole.id,
-          principalId: user.objectId,
-          scope: storageAccount.id,
-          principalType: "User",
-          condition: "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'",
-          conditionVersion: "2.0",
-          description: "Grants access only to the logs container",
+        const mgAssignment = new RoleAssignment(this, "mg-assignment", {
+          roleDefinitionId: "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+          principalId: "00000000-0000-0000-0000-000000000000",
+          scope: "/providers/Microsoft.Management/managementGroups/my-mg",
+          principalType: "Group",
+          description: "Grants read access across the entire management group hierarchy",
         });
     '''
 
@@ -639,7 +683,7 @@ class RoleAssignment(
         :param id: - The unique identifier for this instance.
         :param principal_id: The principal ID (object ID) to which the role is assigned This can be a user, group, service principal, or managed identity Required property.
         :param role_definition_id: The role definition ID to assign This can be a built-in or custom role definition Required property.
-        :param scope: The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param condition: The conditions on the role assignment Limits the resources it applies to using ABAC expressions Requires conditionVersion to be set when used.
         :param condition_version: Version of the condition syntax Required when condition is specified. Default: undefined
         :param delegated_managed_identity_resource_id: The delegated Azure Resource Id which contains a Managed Identity Applicable only when the principalType is Group Used for scenarios where a group assignment should use a specific managed identity.
@@ -702,7 +746,7 @@ class RoleAssignment(
 
     @jsii.member(jsii_name="createResourceBody")
     def _create_resource_body(self, props: typing.Any) -> typing.Any:
-        '''Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API  Note: Role assignments do not have a location property as they are scoped resources (subscription, resource group, or resource level).
+        '''Creates the resource body for the Azure API call Transforms the input properties into the JSON format expected by Azure REST API  Note: Role assignments do not have a location property as they are scoped resources (management group, subscription, resource group, or resource level).
 
         The scope property is NOT included in the body as it's read-only and
         automatically derived from the parentId.
@@ -1103,7 +1147,7 @@ class RoleAssignmentProps(_AzapiResourceProps_141a2340):
         :param tags: Tags to apply to the resource.
         :param principal_id: The principal ID (object ID) to which the role is assigned This can be a user, group, service principal, or managed identity Required property.
         :param role_definition_id: The role definition ID to assign This can be a built-in or custom role definition Required property.
-        :param scope: The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        :param scope: The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
         :param condition: The conditions on the role assignment Limits the resources it applies to using ABAC expressions Requires conditionVersion to be set when used.
         :param condition_version: Version of the condition syntax Required when condition is specified. Default: undefined
         :param delegated_managed_identity_resource_id: The delegated Azure Resource Id which contains a Managed Identity Applicable only when the principalType is Group Used for scenarios where a group assignment should use a specific managed identity.
@@ -1396,7 +1440,7 @@ class RoleAssignmentProps(_AzapiResourceProps_141a2340):
 
     @builtins.property
     def scope(self) -> builtins.str:
-        '''The scope at which the role assignment is applied Can be a subscription, resource group, or resource Required property.
+        '''The scope at which the role assignment is applied Can be a management group, subscription, resource group, or resource Required property.
 
         Example::
 

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs/azure_roledefinition/__init__.py

@@ -100,6 +100,30 @@ const storageOperator = new RoleDefinition(this, "storage-operator", {
 });
 ```
 
+### Role with Management Group Scope
+
+Define a role that can be assigned at management group level for organization-wide access:
+
+```python
+const orgRole = new RoleDefinition(this, "org-role", {
+  name: "org-wide-role",
+  roleName: "Organization Reader",
+  description: "Can view resources across the entire organization hierarchy",
+  permissions: [
+    {
+      actions: [
+        "Microsoft.Resources/subscriptions/read",
+        "Microsoft.Resources/subscriptions/resourceGroups/read",
+        "Microsoft.Management/managementGroups/read"
+      ]
+    }
+  ],
+  assignableScopes: [
+    "/providers/Microsoft.Management/managementGroups/my-mg"
+  ]
+});
+```
+
 ### Multiple Assignable Scopes
 
 Define a role that can be assigned at multiple levels:
@@ -334,10 +358,15 @@ assignableScopes: [
   "/subscriptions/sub-id/resourceGroups/production-vms"
 ]
 
-// Avoid: Too broad if not necessary
+// Acceptable: Subscription level when needed
 assignableScopes: [
   "/subscriptions/sub-id"
 ]
+
+// Use carefully: Management group level only for organization-wide roles
+assignableScopes: [
+  "/providers/Microsoft.Management/managementGroups/my-mg"
+]
 ```
 
 ### 5. Separate Control and Data Plane
@@ -1273,7 +1302,7 @@ class RoleDefinitionProps(_AzapiResourceProps_141a2340):
 
         Example::
 
-            ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name"]
+            ["/providers/Microsoft.Management/managementGroups/my-mg"]
         '''
         result = self._values.get("assignable_scopes")
         assert result is not None, "Required property 'assignable_scopes' is missing"

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0/src/microsoft_cdktfconstructs.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: microsoft-cdktfconstructs
-Version: 1.6.0
+Version: 1.7.0
 Summary: Azure CDK constructs using AZAPI provider for direct Azure REST API access. Version 1.0.0 - Major breaking change migration from AzureRM to AZAPI.
 Home-page: https://github.com/azure/terraform-cdk-constructs.git
 Author: Microsoft

{microsoft_cdktfconstructs-1.6.0 → microsoft_cdktfconstructs-1.7.0}/src/microsoft_cdktfconstructs.egg-info/SOURCES.txt

@@ -11,7 +11,7 @@ src/microsoft_cdktfconstructs.egg-info/dependency_links.txt
 src/microsoft_cdktfconstructs.egg-info/requires.txt
 src/microsoft_cdktfconstructs.egg-info/top_level.txt
 src/microsoft_cdktfconstructs/_jsii/__init__.py
-src/microsoft_cdktfconstructs/_jsii/terraform-cdk-constructs@1.6.0.jsii.tgz
+src/microsoft_cdktfconstructs/_jsii/terraform-cdk-constructs@1.7.0.jsii.tgz
 src/microsoft_cdktfconstructs/azure_actiongroup/__init__.py
 src/microsoft_cdktfconstructs/azure_activitylogalert/__init__.py
 src/microsoft_cdktfconstructs/azure_aks/__init__.py