These are the docs for Azure Native v2. We recommend using the latest version, Azure Native v3.
Azure Native v2 v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi

azure-native-v2.documentdb.SqlResourceSqlRoleDefinition


An Azure Cosmos DB SQL Role Definition. Azure REST API version: 2023-04-15. Prior API version in Azure Native 1.x: 2021-03-01-preview.

Other available API versions: 2023-09-15, 2023-09-15-preview, 2023-11-15, 2023-11-15-preview, 2024-02-15-preview, 2024-05-15, 2024-05-15-preview, 2024-08-15, 2024-09-01-preview, 2024-11-15, 2024-12-01-preview.

Example Usage

CosmosDBSqlRoleDefinitionCreateUpdate

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

// Declares a custom Cosmos DB SQL role definition. The definition is only the
// permission template; the page describes role assignments as being created
// "using this Role Definition", at or below the assignable scopes.
return await Deployment.RunAsync(() =>
{
    // Role assignments that use this definition may only be created at or below
    // these scopes: two databases (sales, purchases), not the whole account.
    // The referenced resources need not exist, so a mistyped path may not be
    // rejected - check each path before deploying.
    var assignableScopes = new[]
    {
        "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
        "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
    };

    // Only item create and item read are allowed. NotDataActions is empty, so
    // nothing is carved out of that allowed set.
    var itemCreateAndRead = new AzureNative.DocumentDB.Inputs.PermissionArgs
    {
        DataActions = new[]
        {
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        },
        NotDataActions = new() { },
    };

    var sqlResourceSqlRoleDefinition = new AzureNative.DocumentDB.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", new()
    {
        AccountName = "myAccountName",
        ResourceGroupName = "myResourceGroupName",
        RoleDefinitionId = "myRoleDefinitionId",
        RoleName = "myRoleName",
        Type = AzureNative.DocumentDB.RoleDefinitionType.CustomRole,
        AssignableScopes = assignableScopes,
        Permissions = new[] { itemCreateAndRead },
    });

});
package main

import (
	documentdb "github.com/pulumi/pulumi-azure-native-sdk/documentdb/v2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a custom Cosmos DB SQL role definition with the Pulumi engine.
// The definition is only the permission template; the page describes role
// assignments as being created "using this Role Definition".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Role assignments that use this definition may only be created at or
		// below these scopes: two databases, not the whole account. The
		// referenced resources need not exist, so a mistyped path may not be
		// rejected - check each path before deploying.
		scopes := pulumi.StringArray{
			pulumi.String("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales"),
			pulumi.String("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"),
		}

		// Only item create and item read are allowed; NotDataActions is empty,
		// so nothing is carved out of that allowed set.
		itemCreateAndRead := &documentdb.PermissionArgs{
			DataActions: pulumi.StringArray{
				pulumi.String("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create"),
				pulumi.String("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"),
			},
			NotDataActions: pulumi.StringArray{},
		}

		roleArgs := &documentdb.SqlResourceSqlRoleDefinitionArgs{
			AccountName:       pulumi.String("myAccountName"),
			ResourceGroupName: pulumi.String("myResourceGroupName"),
			RoleDefinitionId:  pulumi.String("myRoleDefinitionId"),
			RoleName:          pulumi.String("myRoleName"),
			Type:              documentdb.RoleDefinitionTypeCustomRole,
			AssignableScopes:  scopes,
			Permissions:       documentdb.PermissionArray{itemCreateAndRead},
		}

		// The resource handle is not needed afterwards; only the error is
		// propagated to pulumi.Run.
		_, err := documentdb.NewSqlResourceSqlRoleDefinition(ctx, "sqlResourceSqlRoleDefinition", roleArgs)
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.documentdb.SqlResourceSqlRoleDefinition;
import com.pulumi.azurenative.documentdb.SqlResourceSqlRoleDefinitionArgs;
import com.pulumi.azurenative.documentdb.inputs.PermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares a custom Cosmos DB SQL role definition.
 *
 * <p>The definition is only the permission template; the page describes role
 * assignments as being created "using this Role Definition", at or below the
 * assignable scopes.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the role definition resource.
     *
     * @param ctx deployment context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Only item create and item read are allowed; notDataActions() is called
        // with no arguments, so nothing is carved out of that allowed set.
        var itemCreateAndRead = PermissionArgs.builder()
            .dataActions(
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read")
            .notDataActions()
            .build();

        // Role assignments that use this definition may only be created at or
        // below the two database scopes, not the whole account. The referenced
        // resources need not exist, so a mistyped path may not be rejected -
        // check each path before deploying.
        var roleArgs = SqlResourceSqlRoleDefinitionArgs.builder()
            .accountName("myAccountName")
            .assignableScopes(
                "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
                "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases")
            .permissions(itemCreateAndRead)
            .resourceGroupName("myResourceGroupName")
            .roleDefinitionId("myRoleDefinitionId")
            .roleName("myRoleName")
            .type("CustomRole")
            .build();

        // Constructing the resource registers it; the handle is not used again.
        new SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", roleArgs);
    }
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Role assignments that use this definition may only be created at or below
// these scopes: two databases (sales, purchases), not the whole account.
// The referenced resources need not exist, so a mistyped path may not be
// rejected - check each path before deploying.
const databaseScopes = [
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
];

// Only item create and item read are allowed; notDataActions is empty, so
// nothing is carved out of that allowed set.
const itemCreateAndRead = {
    dataActions: [
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
    ],
    notDataActions: [],
};

// Custom Cosmos DB SQL role definition. This is only the permission template;
// the page describes role assignments as being created "using this Role Definition".
const sqlResourceSqlRoleDefinition = new azure_native.documentdb.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinition", {
    accountName: "myAccountName",
    resourceGroupName: "myResourceGroupName",
    roleDefinitionId: "myRoleDefinitionId",
    roleName: "myRoleName",
    type: azure_native.documentdb.RoleDefinitionType.CustomRole,
    assignableScopes: databaseScopes,
    permissions: [itemCreateAndRead],
});
import pulumi
import pulumi_azure_native as azure_native

# Role assignments that use this definition may only be created at or below
# these scopes: two databases (sales, purchases), not the whole account.
# The referenced resources need not exist, so a mistyped path may not be
# rejected - check each path before deploying.
database_scopes = [
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
]

# Only item create and item read are allowed; not_data_actions is empty, so
# nothing is carved out of that allowed set.
item_create_and_read = {
    "data_actions": [
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
    ],
    "not_data_actions": [],
}

# Custom Cosmos DB SQL role definition. This is only the permission template;
# the page describes role assignments as being created "using this Role Definition".
sql_resource_sql_role_definition = azure_native.documentdb.SqlResourceSqlRoleDefinition(
    "sqlResourceSqlRoleDefinition",
    account_name="myAccountName",
    resource_group_name="myResourceGroupName",
    role_definition_id="myRoleDefinitionId",
    role_name="myRoleName",
    type=azure_native.documentdb.RoleDefinitionType.CUSTOM_ROLE,
    assignable_scopes=database_scopes,
    permissions=[item_create_and_read],
)
# Custom Cosmos DB SQL role definition. This is only the permission template;
# the page describes role assignments as being created "using this Role Definition".
resources:
  sqlResourceSqlRoleDefinition:
    type: azure-native:documentdb:SqlResourceSqlRoleDefinition
    properties:
      accountName: myAccountName
      # Role assignments that use this definition may only be created at or
      # below these scopes: two databases, not the whole account. The referenced
      # resources need not exist, so a mistyped path may not be rejected -
      # check each path before deploying.
      assignableScopes:
        - /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales
        - /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases
      permissions:
        # Only item create and item read are allowed; notDataActions is empty,
        # so nothing is carved out of that allowed set.
        - dataActions:
            - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create
            - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
          notDataActions: []
      resourceGroupName: myResourceGroupName
      roleDefinitionId: myRoleDefinitionId
      roleName: myRoleName
      # User-created definition (the other documented value is BuiltInRole).
      type: CustomRole

Create SqlResourceSqlRoleDefinition Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SqlResourceSqlRoleDefinition(name: string, args: SqlResourceSqlRoleDefinitionArgs, opts?: CustomResourceOptions);
@overload
def SqlResourceSqlRoleDefinition(resource_name: str,
                                 args: SqlResourceSqlRoleDefinitionArgs,
                                 opts: Optional[ResourceOptions] = None)

@overload
def SqlResourceSqlRoleDefinition(resource_name: str,
                                 opts: Optional[ResourceOptions] = None,
                                 account_name: Optional[str] = None,
                                 resource_group_name: Optional[str] = None,
                                 assignable_scopes: Optional[Sequence[str]] = None,
                                 permissions: Optional[Sequence[PermissionArgs]] = None,
                                 role_definition_id: Optional[str] = None,
                                 role_name: Optional[str] = None,
                                 type: Optional[RoleDefinitionType] = None)
func NewSqlResourceSqlRoleDefinition(ctx *Context, name string, args SqlResourceSqlRoleDefinitionArgs, opts ...ResourceOption) (*SqlResourceSqlRoleDefinition, error)
public SqlResourceSqlRoleDefinition(string name, SqlResourceSqlRoleDefinitionArgs args, CustomResourceOptions? opts = null)
public SqlResourceSqlRoleDefinition(String name, SqlResourceSqlRoleDefinitionArgs args)
public SqlResourceSqlRoleDefinition(String name, SqlResourceSqlRoleDefinitionArgs args, CustomResourceOptions options)
type: azure-native:documentdb:SqlResourceSqlRoleDefinition
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. SqlResourceSqlRoleDefinitionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. SqlResourceSqlRoleDefinitionArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. SqlResourceSqlRoleDefinitionArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. SqlResourceSqlRoleDefinitionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. SqlResourceSqlRoleDefinitionArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

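// Reference shape only: every "string" is a placeholder to replace.
// AssignableScopes bounds where role assignments using this definition can be
// created, and DataActions / NotDataActions list the allowed and denied data
// actions - keep both as narrow as the workload needs.
var sqlResourceSqlRoleDefinitionResource = new AzureNative.DocumentDB.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource", new()
{
    AccountName = "string",
    ResourceGroupName = "string",
    AssignableScopes = new[]
    {
        "string",
    },
    Permissions = new[]
    {
        // Typed permission entry; the generated listing had lost the type name
        // and emitted a bare dictionary initializer here.
        new AzureNative.DocumentDB.Inputs.PermissionArgs
        {
            DataActions = new[]
            {
                "string",
            },
            Id = "string",
            NotDataActions = new[]
            {
                "string",
            },
        },
    },
    RoleDefinitionId = "string",
    RoleName = "string",
    // Placeholder enum value; the usage example on this page uses CustomRole
    // for a user-created definition.
    Type = AzureNative.DocumentDB.RoleDefinitionType.BuiltInRole,
});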
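// Reference shape only: every "string" is a placeholder to replace.
// AssignableScopes bounds where role assignments using this definition can be
// created, and DataActions / NotDataActions list the allowed and denied data
// actions - keep both as narrow as the workload needs.
example, err := documentdb.NewSqlResourceSqlRoleDefinition(ctx, "sqlResourceSqlRoleDefinitionResource", &documentdb.SqlResourceSqlRoleDefinitionArgs{
	AccountName:       pulumi.String("string"),
	ResourceGroupName: pulumi.String("string"),
	AssignableScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Typed permission entries, matching the usage example on this page; the
	// generated listing used untyped maps and bare string literals.
	Permissions: documentdb.PermissionArray{
		&documentdb.PermissionArgs{
			DataActions: pulumi.StringArray{
				pulumi.String("string"),
			},
			Id: pulumi.String("string"),
			NotDataActions: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	RoleDefinitionId: pulumi.String("string"),
	RoleName:         pulumi.String("string"),
	// Placeholder enum value; the usage example on this page uses
	// RoleDefinitionTypeCustomRole for a user-created definition.
	Type: documentdb.RoleDefinitionTypeBuiltInRole,
})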
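// Reference shape only: every "string" is a placeholder to replace.
// assignableScopes bounds where role assignments using this definition can be
// created, and dataActions / notDataActions list the allowed and denied data
// actions - keep both as narrow as the workload needs.
var sqlResourceSqlRoleDefinitionResource = new SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource", SqlResourceSqlRoleDefinitionArgs.builder()
    .accountName("string")
    .resourceGroupName("string")
    .assignableScopes("string")
    // The generated listing printed a formatter panic here instead of the
    // permission builder; the fields are those listed under Permission on this page.
    .permissions(PermissionArgs.builder()
        .dataActions("string")
        .id("string")
        .notDataActions("string")
        .build())
    .roleDefinitionId("string")
    .roleName("string")
    // Placeholder value; the usage example on this page uses "CustomRole"
    // for a user-created definition.
    .type("BuiltInRole")
    .build());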
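# Reference shape only: every "string" is a placeholder to replace.
# assignable_scopes bounds where role assignments using this definition can be
# created, and data_actions / not_data_actions list the allowed and denied data
# actions - keep both as narrow as the workload needs.
sql_resource_sql_role_definition_resource = azure_native.documentdb.SqlResourceSqlRoleDefinition("sqlResourceSqlRoleDefinitionResource",
    account_name="string",
    resource_group_name="string",
    assignable_scopes=["string"],
    # Dictionary keys use the snake_case names from the Python property list;
    # the generated listing left keys and values unquoted, which is not valid Python.
    permissions=[{
        "data_actions": ["string"],
        "id": "string",
        "not_data_actions": ["string"],
    }],
    role_definition_id="string",
    role_name="string",
    # Placeholder enum value; the usage example on this page uses CUSTOM_ROLE
    # for a user-created definition.
    type=azure_native.documentdb.RoleDefinitionType.BUILT_IN_ROLE)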
// Reference shape only: every "string" is a placeholder to replace.
// assignableScopes bounds where role assignments using this definition can be
// created, and dataActions / notDataActions list the allowed and denied data
// actions - keep both as narrow as the workload needs.
const sqlResourceSqlRoleDefinitionResource = new azure_native.documentdb.SqlResourceSqlRoleDefinition(
    "sqlResourceSqlRoleDefinitionResource",
    {
        accountName: "string",
        resourceGroupName: "string",
        assignableScopes: [
            "string",
        ],
        permissions: [
            {
                dataActions: [
                    "string",
                ],
                id: "string",
                notDataActions: [
                    "string",
                ],
            },
        ],
        roleDefinitionId: "string",
        roleName: "string",
        // Placeholder value; the usage example on this page uses CustomRole
        // for a user-created definition.
        type: "BuiltInRole",
    },
);
# Reference shape only: every "string" is a placeholder to replace.
type: azure-native:documentdb:SqlResourceSqlRoleDefinition
properties:
    accountName: string
    # Bounds where role assignments using this definition can be created;
    # keep it as narrow as the workload needs.
    assignableScopes:
        - string
    permissions:
        # dataActions are the allowed data actions, notDataActions the denied ones.
        - dataActions:
            - string
          id: string
          notDataActions:
            - string
    resourceGroupName: string
    roleDefinitionId: string
    roleName: string
    # Placeholder value; the usage example on this page uses CustomRole
    # for a user-created definition.
    type: BuiltInRole

SqlResourceSqlRoleDefinition Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SqlResourceSqlRoleDefinition resource accepts the following input properties:

AccountName
This property is required.
Changes to this property will trigger replacement.
string
Cosmos DB database account name.
ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
AssignableScopes List<string>
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
Permissions List<Pulumi.AzureNative.DocumentDB.Inputs.Permission>
The set of operations allowed through this Role Definition.
RoleDefinitionId Changes to this property will trigger replacement. string
The GUID for the Role Definition.
RoleName string
A user-friendly name for the Role Definition. Must be unique for the database account.
Type Pulumi.AzureNative.DocumentDB.RoleDefinitionType
Indicates whether the Role Definition was built-in or user created.
AccountName
This property is required.
Changes to this property will trigger replacement.
string
Cosmos DB database account name.
ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
AssignableScopes []string
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
Permissions []PermissionArgs
The set of operations allowed through this Role Definition.
RoleDefinitionId Changes to this property will trigger replacement. string
The GUID for the Role Definition.
RoleName string
A user-friendly name for the Role Definition. Must be unique for the database account.
Type RoleDefinitionType
Indicates whether the Role Definition was built-in or user created.
accountName
This property is required.
Changes to this property will trigger replacement.
String
Cosmos DB database account name.
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
assignableScopes List<String>
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
permissions List<Permission>
The set of operations allowed through this Role Definition.
roleDefinitionId Changes to this property will trigger replacement. String
The GUID for the Role Definition.
roleName String
A user-friendly name for the Role Definition. Must be unique for the database account.
type RoleDefinitionType
Indicates whether the Role Definition was built-in or user created.
accountName
This property is required.
Changes to this property will trigger replacement.
string
Cosmos DB database account name.
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
assignableScopes string[]
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
permissions Permission[]
The set of operations allowed through this Role Definition.
roleDefinitionId Changes to this property will trigger replacement. string
The GUID for the Role Definition.
roleName string
A user-friendly name for the Role Definition. Must be unique for the database account.
type RoleDefinitionType
Indicates whether the Role Definition was built-in or user created.
account_name
This property is required.
Changes to this property will trigger replacement.
str
Cosmos DB database account name.
resource_group_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the resource group. The name is case insensitive.
assignable_scopes Sequence[str]
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
permissions Sequence[PermissionArgs]
The set of operations allowed through this Role Definition.
role_definition_id Changes to this property will trigger replacement. str
The GUID for the Role Definition.
role_name str
A user-friendly name for the Role Definition. Must be unique for the database account.
type RoleDefinitionType
Indicates whether the Role Definition was built-in or user created.
accountName
This property is required.
Changes to this property will trigger replacement.
String
Cosmos DB database account name.
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
assignableScopes List<String>
A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
permissions List<Property Map>
The set of operations allowed through this Role Definition.
roleDefinitionId Changes to this property will trigger replacement. String
The GUID for the Role Definition.
roleName String
A user-friendly name for the Role Definition. Must be unique for the database account.
type "BuiltInRole" | "CustomRole"
Indicates whether the Role Definition was built-in or user created.

Outputs

All input properties are implicitly available as output properties. Additionally, the SqlResourceSqlRoleDefinition resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Name string
The name of the database account.
Id string
The provider-assigned unique ID for this managed resource.
Name string
The name of the database account.
id String
The provider-assigned unique ID for this managed resource.
name String
The name of the database account.
id string
The provider-assigned unique ID for this managed resource.
name string
The name of the database account.
id str
The provider-assigned unique ID for this managed resource.
name str
The name of the database account.
id String
The provider-assigned unique ID for this managed resource.
name String
The name of the database account.

Supporting Types

Permission, PermissionArgs

DataActions List<string>
An array of data actions that are allowed.
Id string
The id for the permission.
NotDataActions List<string>
An array of data actions that are denied.
DataActions []string
An array of data actions that are allowed.
Id string
The id for the permission.
NotDataActions []string
An array of data actions that are denied.
dataActions List<String>
An array of data actions that are allowed.
id String
The id for the permission.
notDataActions List<String>
An array of data actions that are denied.
dataActions string[]
An array of data actions that are allowed.
id string
The id for the permission.
notDataActions string[]
An array of data actions that are denied.
data_actions Sequence[str]
An array of data actions that are allowed.
id str
The id for the permission.
not_data_actions Sequence[str]
An array of data actions that are denied.
dataActions List<String>
An array of data actions that are allowed.
id String
The id for the permission.
notDataActions List<String>
An array of data actions that are denied.

PermissionResponse, PermissionResponseArgs

DataActions List<string>
An array of data actions that are allowed.
Id string
The id for the permission.
NotDataActions List<string>
An array of data actions that are denied.
DataActions []string
An array of data actions that are allowed.
Id string
The id for the permission.
NotDataActions []string
An array of data actions that are denied.
dataActions List<String>
An array of data actions that are allowed.
id String
The id for the permission.
notDataActions List<String>
An array of data actions that are denied.
dataActions string[]
An array of data actions that are allowed.
id string
The id for the permission.
notDataActions string[]
An array of data actions that are denied.
data_actions Sequence[str]
An array of data actions that are allowed.
id str
The id for the permission.
not_data_actions Sequence[str]
An array of data actions that are denied.
dataActions List<String>
An array of data actions that are allowed.
id String
The id for the permission.
notDataActions List<String>
An array of data actions that are denied.

RoleDefinitionType, RoleDefinitionTypeArgs

BuiltInRole
BuiltInRole
CustomRole
CustomRole
RoleDefinitionTypeBuiltInRole
BuiltInRole
RoleDefinitionTypeCustomRole
CustomRole
BuiltInRole
BuiltInRole
CustomRole
CustomRole
BuiltInRole
BuiltInRole
CustomRole
CustomRole
BUILT_IN_ROLE
BuiltInRole
CUSTOM_ROLE
CustomRole
"BuiltInRole"
BuiltInRole
"CustomRole"
CustomRole

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:documentdb:SqlResourceSqlRoleDefinition myRoleDefinitionId /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlRoleDefinitions/{roleDefinitionId} 

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
azure-native-v2 pulumi/pulumi-azure-native
License
Apache-2.0