tenantId: tenantId,
objectId: principalId,
secretPermissions: ["get"],
});
// Make the App Service's identity the Azure AD administrator of the SQL Server.
// This is a broad grant: the AD admin can manage every database on the server,
// so a production deployment would usually prefer a contained database user
// holding only the permissions the app actually needs.
const sqlAdminIdentity = {
  tenantId,
  objectId: principalId,
};
const sqlAdmin = new azure.sql.ActiveDirectoryAdministrator("adadmin", {
  resourceGroupName: resourceGroup.name,
  ...sqlAdminIdentity,
  login: "adadmin",
  serverName: sqlServer.name,
});
// Let the App Service's identity read blobs in the storage container.
// The scope is the single container rather than the whole account, and the
// built-in "Storage Blob Data Reader" role is read-only, which keeps the
// grant narrow.
const containerScope = pulumi.interpolate`${storageAccount.id}/blobServices/default/containers/${storageContainer.name}`;
const blobPermission = new azure.role.Assignment("readblob", {
  principalId,
  roleDefinitionName: "Storage Blob Data Reader",
  scope: containerScope,
});
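// Open the SQL Server firewall to each of the App Service's outbound IPs.
// `outboundIpAddresses` is a comma-separated string; entries are trimmed and
// empty segments dropped so a stray separator cannot produce a rule with an
// empty address range. Each rule covers exactly one address (start == end).
// Caveat: App Service outbound IPs are typically shared with other apps on
// the same scale unit, so these rules admit more than just this one app;
// VNet integration / Private Endpoint is the tighter alternative if that matters.
// Note: the rules are created inside `apply`, so they do not appear in
// `pulumi preview` until the App Service's IPs are known.
const firewallRules = app.outboundIpAddresses.apply(ips =>
  ips
    .split(",")
    .map(ip => ip.trim())
    .filter(ip => ip.length > 0)
    .map(ip => new azure.sql.FirewallRule(`FR${ip}`, {
      resourceGroupName: resourceGroup.name,
      startIpAddress: ip,
      endIpAddress: ip,
      serverName: sqlServer.name,
    })),
);
// Create the AD service principal for the K8s cluster.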
// Identity for the AKS cluster: an Azure AD application, its service
// principal, and a password credential on that principal. All three are
// parented to the enclosing component resource.
const aksIdentityOpts = { parent: this };
const adApp = new azuread.Application("aks", undefined, aksIdentityOpts);
const adSp = new azuread.ServicePrincipal("aksSp", {
  applicationId: adApp.applicationId,
}, aksIdentityOpts);
// `password` comes from outside this snippet. The credential's endDate is far
// in the future (2099), i.e. effectively non-expiring; a bounded endDate with
// rotation is preferable where credential lifetime is a concern.
const adSpPassword = new azuread.ServicePrincipalPassword("aksSpPassword", {
  servicePrincipalId: adSp.id,
  value: password,
  endDate: "2099-01-01T00:00:00Z",
}, aksIdentityOpts);
// Resource group holding the cluster's networking resources. Unlike the
// surrounding resources it is not parented to `this`; adding a parent later
// would change its URN and force a replacement, so leave it unless intended.
const resourceGroup = new azure.core.ResourceGroup("multicloud");
// The cluster's service principal needs "Network Contributor" to bind the
// static IP to a Service of type LoadBalancer. The grant is scoped to the
// whole resource group; a narrower scope (the IP or VNet resource) would be
// closer to least privilege if that is all the cluster needs.
const rgNetworkRole = new azure.role.Assignment("spRole", {
  principalId: adSp.id,
  roleDefinitionName: "Network Contributor",
  scope: resourceGroup.id,
}, { parent: this });
// Virtual network for the cluster, using the 10.2.0.0/16 address space,
// parented to the enclosing component resource.
const vnetArgs = {
  resourceGroupName: resourceGroup.name,
  addressSpaces: ["10.2.0.0/16"],
};
const vnet = new azure.network.VirtualNetwork("multicloud", vnetArgs, { parent: this });
// Create a Subnet for the cluster
const subnet = new azure.network.Subnet("multicloud", {
resourceGroupName: resourceGroup.name,
virtualNetworkName: vnet.name,
addressPrefix: "10.2.1.0/24",
// Generated client secret for the service principal: 20 characters including
// specials. `result` is marked as an additional secret output so the value is
// stored encrypted in state and redacted in CLI output.
const passwordClientResource = new random.RandomString(`${name}-pwd-client`, {
  length: 20,
  special: true,
}, { additionalSecretOutputs: ["result"] });
const passwordClient = passwordClientResource.result;
// Attach the generated secret to the client service principal as a password
// credential. The 2099 endDate makes it effectively non-expiring; a bounded
// endDate plus rotation is preferable where credential lifetime is a concern.
const spPasswordClientArgs = {
  servicePrincipalId: principalClient.id,
  value: passwordClient,
  endDate: "2099-01-01T00:00:00Z",
};
const spPasswordClient = new azuread.ServicePrincipalPassword(`${name}-sppwd-client`, spPasswordClientArgs);
// One resource group, shared across all stacks, plus the role grant the
// cluster's service principal needs to bind a static IP to a LoadBalancer
// Service. "Network Contributor" at resource-group scope is broader than the
// single IP/VNet; narrow the scope if least privilege matters here.
const resourceGroup = new azure.core.ResourceGroup("k8s-az");
const rgNetworkRole = new azure.role.Assignment(`${name}-spRole`, {
  roleDefinitionName: "Network Contributor",
  principalId: principalClient.id,
  scope: resourceGroup.id,
});
// Identity of the principal running this deployment, read from the provider's
// client configuration; its objectId seeds the admins group below.
const clientConfig = azure.core.getClientConfig();
const { objectId: currentPrincipal } = clientConfig;
// Azure AD group "pulumi:admins", initially containing only the deploying
// principal. Because `members` is declared here, membership changes made out
// of band are likely to be reverted on the next `pulumi up`.
const adminMembers = [currentPrincipal];
const admins = new azuread.Group("admins", {
  name: "pulumi:admins",
  members: adminMembers,
});
/* Create a new user in AD.