roleAssignment to any resource in any resource group #10192
I'm trying to write a module that can do role assignment for many given resource/sp. I came across this solution: https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep, it was pretty close but I don't like the idea of having to embed a json arm template inside bicep.
There is currently a preview feature outlined as below.

You enable this feature in the bicepconfig.json file.

```json
{
  "experimentalFeaturesEnabled": {
    "resourceTypedParamsAndOutputs": true
  }
}
```

More info here:

I believe it may be possible to use a resource parameter for the scope of a role assignment based on this feature and passing a resource? I haven't tested it out, however I can try to follow up on this one.

There may also be another issue open to create a scope from a ResourceId, if I can find it I will link it later.

In the meantime using the static JSON file that you mentioned, via the following Bicep works well.

You shouldn't have to touch the JSON file at all. Plus you can just call into the Module.

Example of different templates that do Resource Scope Role assignments.

This is how you consume the Module....

```bicep
// Key Vault: one module deployment per entry in rolesInfo
var rolesInfo = contains(KVInfo, 'rolesInfo') ? KVInfo.rolesInfo : []

module RBAC 'x.RBAC-ALL.bicep' = [for (role, index) in rolesInfo: {
  // '@' is replaced with '_' and the deployment name is trimmed to 64 characters
  name: take(replace('dp-rbac-role-${KV.name}-${role.name}', '@', '_'), 64)
  params: {
    resourceId: KV.id
    Global: Global
    roleInfo: role
    Type: contains(role, 'Type') ? role.Type : 'lookup'
    deployment: Deployment
  }
}]
```

```bicep
// Storage account: same module, scoped by the storage account's resource id
var rolesInfo = contains(storageInfo, 'rolesInfo') ? storageInfo.rolesInfo : []

module RBAC 'x.RBAC-ALL.bicep' = [for (role, index) in rolesInfo: {
  name: 'dp-rbac-role-${storageInfo.name}-${role.name}'
  params: {
    resourceId: SA.id
    Global: Global
    roleInfo: role
    Type: contains(role, 'Type') ? role.Type : 'lookup'
    deployment: Deployment
  }
}]
```

Example of rolesInfo on a Keyvault:
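
For comparison with the module calls in this thread, an added example (not code from the discussion or from the linked repository) of a role assignment scoped directly to one known resource type, here a Key Vault, in plain Bicep. The parameter names and the shape of `assignments` are assumptions made for the illustration.

```bicep
// Added example: parameter names and the 'assignments' shape are assumptions.
@description('Name of an existing Key Vault in the resource group this module is deployed to.')
param keyVaultName string

@description('One entry per assignment: principal object id, principal type, built-in role definition GUID.')
param assignments array
// Constructed sample shape (placeholder values):
// [
//   {
//     principalId: '00000000-0000-0000-0000-000000000000'
//     principalType: 'ServicePrincipal'
//     roleDefinitionGuid: '<role-definition-guid>'
//   }
// ]

// 'scope' on an extension resource takes a resource symbol, so the target
// type has to be declared here; this is what makes a type-agnostic module hard.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource kvRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for a in assignments: {
  // Scoping to the vault itself keeps the grant narrower than a
  // resource-group-level assignment.
  scope: kv
  // Deterministic name: redeploying updates the same assignment instead of
  // creating a duplicate.
  name: guid(kv.id, a.principalId, a.roleDefinitionGuid)
  properties: {
    principalId: a.principalId
    principalType: a.principalType
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', a.roleDefinitionGuid)
  }
}]
```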