How to modularize a scoped role assignment with Bicep? #5805
-
|
I need to scope a role assignment to a specific resource, but I'd ideally like to build out a generic module that I can use across my deployments for consistency. If I were assigning a role assignment at the subscription level, I could just do the following: But I'm running into an issue when I add a string parameter called 'scope' intending to pass it into the scope property on the resource. Namely, the Intellisense offered by Bicep indicates this needs to be either a resource or a tenant value and not a string. I'm trying to scope to a resource and not to a tenant, so it seems I need to specify a resource, but the following isn't valid Bicep: Now, if I want to make this role assignment specific to one resource type, it's easy enough to solve: But doing this now means that I need to create duplicate Bicep files for each and every type of resource I'm deploying now and in the future and that's not ideal. Anyone have ideas on how to make this roleAssignment module generic to a passed-in resource type, version and name? Thank you! |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 8 replies
-
|
Agree this would be ideal. I don't think this is something that will come to be available in the near future.
These are the proposals for work to be done to encapsulate this capability and this is not currently in scope here. Also this PR is in progress.
|
Beta Was this translation helpful? Give feedback.
-
|
More focused towards your actual request, here is the decompiled code... this is the reason why we cannot do this in Bicep currently. param resourceName string
@allowed([
'Microsoft.KeyVault/vaults'
])
param resourceType string
param name string
param roleDefinitionId string
param principalId string
param principalType string
resource name_resource 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
scope: '${resourceType}/${resourceName}'
name: name
properties: {
roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
principalId: principalId
principalType: principalType
}
}
output roleAssignment string = extensionResourceId(resourceId('Microsoft.KeyVault/vaults', resourceName), 'Microsoft.Authorization/roleAssignments', name)
Which we are able to do in ARM/JSON {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "string"
},
"resourceType": {
"type": "string",
"allowedValues": [
"Microsoft.KeyVault/vaults"
]
},
"name": {
"type": "string"
},
"roleDefinitionId": {
"type": "string"
},
"principalId": {
"type": "string"
},
"principalType": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-08-01-preview",
"scope": "[format('{0}/{1}',parameters('resourceType'),parameters('resourceName'))]",
"name": "[parameters('name')]",
"properties": {
"roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]",
"principalType": "[parameters('principalType')]"
}
}
],
"outputs": {
"roleAssignment": {
"type": "string",
"value": "[extensionResourceId(resourceId('Microsoft.KeyVault/vaults', parameters('resourceName')), 'Microsoft.Authorization/roleAssignments', parameters('name'))]"
}
}
} |
Beta Was this translation helpful? Give feedback.
-
|
If you would like to implement this yourself here are the (complete and working) samples. I have not finished integrating this into my other role assignment templates that I use, however you can easily take this and integrate it into your process. (I may make some updates as I do that integration). This is the Bicep Module, which takes the string parameters for the role assignment, all simple stuff.
The nested ARM template: Here is the nested decompiled Bicep version of that template, that is not supported in Bicep, which is your feature request. |
Beta Was this translation helpful? Give feedback.
-
|
That's an awfully clever workaround to simply nest a JSON ARM template within the Bicep. Thank you! |
Beta Was this translation helpful? Give feedback.
-
|
I made a v2 🤣 V2 can handle any segment length for the role assignment. Here is the new version: https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep I decided to bring the creation of the param resourceName string = 'acu1brwaoap0sadiag/default/insights-logs-networksecuritygroupflowevent' //'acu1brwaoap0sadiag' // 'ACU1-BRW-AOA-G1-kvGlobal'
param resourceType string = 'Microsoft.Storage/storageAccounts/blobServices/containers'//'Microsoft.Storage/storageAccounts' //'Microsoft.KeyVault/vaults'
param name string = '15b85812-1b39-44de-a784-758d91b13fcc' //'2c363941-91d7-49d8-abb1-033b616bfc4b' // '561a1a73-3504-4162-abba-4563effd0159'
param roleDefinitionId string = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' //'aba4ae5f-2193-4029-9191-0cb91df5e314' // '21090545-7ca7-4776-b22c-e363652d74d2'
param principalId string = '528b1170-7a6c-4970-94bb-0eb34e1ae947'
param principalType string = ''
#disable-next-line no-unused-params
param description string = '' // leave these for loggin in the portal
#disable-next-line no-unused-params
param roledescription string = '' // leave these for loggin in the portal
// ----------------------------------------------
// Implement own resourceId for any segment length
var segments = split(resourceType,'/')
var items = split(resourceName,'/')
var last = length(items)
var segment = [for (item, index) in range(1,last) : item == 1 ? '${segments[0]}/${segments[item]}/${items[index]}/' : item != last ? '${segments[item]}/${items[index]}/' : '${segments[item]}/${items[index]}' ]
var resourceid = replace(replace(replace(string(string(segment)), '","', ''), '["', ''), '"]', '') // currently no join() method
// ----------------------------------------------
resource ResourceRoleAssignment 'Microsoft.Resources/deployments@2021-04-01' = {
name: take(replace('dp-RRA-${resourceName}-${resourceType}', '/', ''),64)
properties: {
mode: 'Incremental'
expressionEvaluationOptions: {
scope: 'Outer'
}
template: json(loadTextContent('./loadTextContext/genericRoleAssignment2.json'))
parameters: {
scope: {
value: resourceid
}
name: {
value: name
}
roleDefinitionId: {
value: roleDefinitionId
}
principalId: {
value: principalId
}
principalType: {
value: principalType
}
}
}
}
output resourceid string = resourceid
output roleAssignmentId string = ResourceRoleAssignment.properties.outputs.roleAssignmentId.value{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"scope": {
"type": "string"
},
"name": {
"type": "string"
},
"roleDefinitionId": {
"type": "string"
},
"principalId": {
"type": "string"
},
"principalType": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-08-01-preview",
"scope": "[parameters('scope')]",
"name": "[parameters('name')]",
"properties": {
"roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]",
"principalType": "[parameters('principalType')]"
}
}
],
"outputs": {
"roleAssignmentId": {
"type": "string",
"value": "[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]"
}
}
}The inputs are: param resourceName string = 'acu1brwaoap0sadiag/default/insights-logs-networksecuritygroupflowevent'
param resourceType string = 'Microsoft.Storage/storageAccounts/blobServices/containers'The outputs are: Outputs :
Name Value
========== ==========
resourceId: "Microsoft.Storage/storageAccounts/acu1brwaoap0sadiag/blobServices/default/containers/insights-logs-networksecuritygroupflowevent"
roleAssignmentId: "/Microsoft.Storage/storageAccounts/acu1brwaoap0sadiag/blobServices/default/containers/insights-logs-networksecuritygroupflowevent/providers/Microsoft.Authorization/roleAssignments/15b85812-1b39-44de-a784-758d91b13fcc" |
Beta Was this translation helpful? Give feedback.
-
I had this on my mind for a while, thank you for the nudge to work on it. |
Beta Was this translation helpful? Give feedback.
-
|
In looking at this more, it would be nice if there was a
|
Beta Was this translation helpful? Give feedback.
-
|
Added comment on open proposal discussion. |
Beta Was this translation helpful? Give feedback.
-
|
@WhitWaldo Another suggestion here using a top-level bicep template with Bicep/ARM as child modules: https://github.com/matsest/az-bicep-roleassignment-multi-scope Still a very much workaround solution, and blocked by the same issue listed by @brwilkinson to be Bicep only |
Beta Was this translation helpful? Give feedback.
Agree this would be ideal.
I don't think this is something that will come to be available in the near future.
These are the proposals for work to be done to encapsulate this capability and this is not currently in scope here.
#2246
#2245
Also this PR is in progress.
#4971
I would recommend to jump in and contribute on those issues/threads to ensure to communicate that this capability is in demand and why, since that is the body of work that would enable this capability. Like I say "Generic Resource Types" as par…