diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 673231c2f7..a62f0857f9 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -323,7 +323,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { | [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. | | [`ntlmV1`](#parameter-ntlmv1) | string | The value is to enable clients making request using NTLM v1. | | [`replicaSets`](#parameter-replicasets) | array | Additional replica set for the managed domain. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The name of the SKU specific to Azure ADDS Services. | | [`syncNtlmPasswords`](#parameter-syncntlmpasswords) | string | The value is to enable synchronized users to use NTLM authentication. | | [`syncOnPremPasswords`](#parameter-synconprempasswords) | string | The value is to enable on-premises users to authenticate against managed domain. | @@ -628,7 +628,7 @@ Additional replica set for the managed domain. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -641,7 +641,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -689,7 +689,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep index 206efc45d4..5fd0a7a9fb 100644 --- a/modules/aad/domain-service/main.bicep +++ b/modules/aad/domain-service/main.bicep @@ -127,7 +127,7 @@ param enableDefaultTelemetry bool = true @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var builtInRoleNames = { @@ -213,7 +213,7 @@ resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em resource domainService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(domainService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -249,7 +249,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json index 6e3976bfcc..d0510c3e8a 100644 --- a/modules/aad/domain-service/main.json +++ b/modules/aad/domain-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10052117540394396974" + "version": "0.23.1.45101", + "templateHash": "1250805842529058137" }, "name": "Azure Active Directory Domain Services", "description": "This module deploys an Azure Active Directory Domain Services (AADDS).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -411,7 +411,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, @@ -518,7 +518,7 @@ "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.AAD/domainServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index c35c2a2be3..88a08b2384 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -136,7 +136,17 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuCapacity: 1 @@ -217,7 +227,17 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -294,13 +314,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuCapacity: 1 skuName: 'S0' tags: { @@ -374,15 +387,6 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuCapacity": { "value": 1 }, @@ -421,7 +425,7 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = { | [`firewallSettings`](#parameter-firewallsettings) | object | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuCapacity`](#parameter-skucapacity) | int | The total number of query replica scale-out instances. | | [`skuName`](#parameter-skuname) | string | The SKU name of the Azure Analysis Services server to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -609,7 +613,7 @@ The name of the Azure Analysis Services server to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -622,7 +626,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -670,7 +674,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/analysis-services/server/main.bicep b/modules/analysis-services/server/main.bicep index c0e59767e5..fe7c530a48 100644 --- a/modules/analysis-services/server/main.bicep +++ b/modules/analysis-services/server/main.bicep @@ -32,7 +32,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -148,7 +148,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/analysis-services/server/main.json b/modules/analysis-services/server/main.json index cb62fdcfee..b5a8657aef 100644 --- a/modules/analysis-services/server/main.json +++ b/modules/analysis-services/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11444956126966610005" + "templateHash": "16473107761572219540" }, "name": "Analysis Services Servers", "description": "This module deploys an Analysis Services Server.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -270,7 +270,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { diff --git a/modules/analysis-services/server/tests/e2e/max/main.test.bicep b/modules/analysis-services/server/tests/e2e/max/main.test.bicep index 95d51e6ea4..93bfb2efaa 100644 --- a/modules/analysis-services/server/tests/e2e/max/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/max/main.test.bicep @@ -85,7 +85,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep index e5705e2cbf..705eaf124d 100644 --- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep @@ -83,13 +83,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] enablePowerBIService: true } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] diagnosticSettings: [ { name: 'customSetting' diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index aa9604ceea..fd30fb48ed 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -250,7 +250,17 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] subscriptions: [ @@ -447,7 +457,17 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -616,13 +636,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { subscriptionRequired: false } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] subscriptions: [ { name: 'testArmSubscriptionAllApis' @@ -812,15 +825,6 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "subscriptions": { "value": [ { @@ -882,7 +886,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = { | [`portalsettings`](#parameter-portalsettings) | array | Portal settings. | | [`products`](#parameter-products) | array | Products. | | [`restore`](#parameter-restore) | bool | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The pricing tier of this API Management service. | | [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. | | [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. | @@ -1233,7 +1237,7 @@ Undelete API Management Service if it was previously soft-deleted. If this flag ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1246,7 +1250,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1294,7 +1298,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/api-management/service/main.bicep b/modules/api-management/service/main.bicep index c71fd923f4..9e8142b83f 100644 --- a/modules/api-management/service/main.bicep +++ b/modules/api-management/service/main.bicep @@ -51,7 +51,7 @@ param publisherName string @description('Optional. Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.') param restore bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The pricing tier of this API Management service.') @@ -430,7 +430,7 @@ resource service_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021- resource service_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(service.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -477,7 +477,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/api-management/service/main.json b/modules/api-management/service/main.json index 4331c55f43..bb97234fb2 100644 --- a/modules/api-management/service/main.json +++ b/modules/api-management/service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12034021056308380039" + "templateHash": "12791748357960289440" }, "name": "API Management Services", "description": "This module deploys an API Management Service.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -346,7 +346,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "sku": { @@ -605,7 +605,7 @@ "scope": "[format('Microsoft.ApiManagement/service/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ApiManagement/service', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/api-management/service/tests/e2e/max/main.test.bicep b/modules/api-management/service/tests/e2e/max/main.test.bicep index 609d61a44b..5a03a93afb 100644 --- a/modules/api-management/service/tests/e2e/max/main.test.bicep +++ b/modules/api-management/service/tests/e2e/max/main.test.bicep @@ -194,7 +194,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep index a722f02c9d..497fa84bc5 100644 --- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -192,13 +192,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' subscriptionRequired: false } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] subscriptions: [ { name: 'testArmSubscriptionAllApis' diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index 1913e261cd..990cfe2b51 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -129,7 +129,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeleteRetentionInDays: 1 @@ -206,7 +216,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -289,7 +309,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeleteRetentionInDays: 1 @@ -382,7 +412,17 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -562,13 +602,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] softDeleteRetentionInDays: 1 tags: { Environment: 'Non-Prod' @@ -654,15 +687,6 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "softDeleteRetentionInDays": { "value": 1 }, @@ -705,7 +729,7 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Pricing tier of App Configuration. | | [`softDeleteRetentionInDays`](#parameter-softdeleteretentionindays) | int | The amount of time in days that the configuration store will be retained when it is soft deleted. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -995,7 +1019,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1147,7 +1171,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1190,7 +1214,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1203,7 +1227,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1251,7 +1275,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app-configuration/configuration-store/main.bicep b/modules/app-configuration/configuration-store/main.bicep index 68dd210d37..f4bc48c14c 100644 --- a/modules/app-configuration/configuration-store/main.bicep +++ b/modules/app-configuration/configuration-store/main.bicep @@ -56,7 +56,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -188,7 +188,7 @@ resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticSet resource configurationStore_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(configurationStore.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -259,7 +259,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -336,7 +336,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/app-configuration/configuration-store/main.json b/modules/app-configuration/configuration-store/main.json index f3f2d4fd17..8356549175 100644 --- a/modules/app-configuration/configuration-store/main.json +++ b/modules/app-configuration/configuration-store/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "75945570727927214" + "templateHash": "1035721071234192840" }, "name": "App Configuration Stores", "description": "This module deploys an App Configuration Store.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -546,7 +546,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -701,7 +701,7 @@ "scope": "[format('Microsoft.AppConfiguration/configurationStores/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep index df73c1e7d6..8c676e3be7 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/encr/main.test.bicep @@ -75,7 +75,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep index f3f76a3b95..a3bba846cd 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/max/main.test.bicep @@ -104,7 +104,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep index d5aa0ab214..11ffe42dcc 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -102,13 +102,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] softDeleteRetentionInDays: 1 managedIdentities: { systemAssigned: true diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index a5789ffb6c..6f88154a11 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -694,7 +694,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -742,7 +742,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/container-app/main.bicep b/modules/app/container-app/main.bicep index 2ba53033af..939f2bed5c 100644 --- a/modules/app/container-app/main.bicep +++ b/modules/app/container-app/main.bicep @@ -197,7 +197,7 @@ resource containerApp_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!emp resource containerApp_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(containerApp.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -244,7 +244,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/container-app/main.json b/modules/app/container-app/main.json index 3e89b56a68..151294bb80 100644 --- a/modules/app/container-app/main.json +++ b/modules/app/container-app/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3901132801605374235" + "templateHash": "3664175856787955387" }, "name": "Container Apps", "description": "This module deploys a Container App.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -457,7 +457,7 @@ "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/app/job/README.md b/modules/app/job/README.md index c1201754ba..cd12e8e51d 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -687,7 +687,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -735,7 +735,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/job/main.bicep b/modules/app/job/main.bicep index ee9795e632..15d8106352 100644 --- a/modules/app/job/main.bicep +++ b/modules/app/job/main.bicep @@ -135,7 +135,7 @@ resource containerAppJob_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! resource containerAppJob_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(containerAppJob.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -174,7 +174,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/job/main.json b/modules/app/job/main.json index 47a3c78d1e..2913e527df 100644 --- a/modules/app/job/main.json +++ b/modules/app/job/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1177002150217044728" + "templateHash": "5076851392653441401" }, "name": "Container App Jobs", "description": "This module deploys a Container App Job.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -347,7 +347,7 @@ "scope": "[format('Microsoft.App/jobs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/jobs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index d222427925..913062b3a2 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -313,7 +313,7 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { | [`logsDestination`](#parameter-logsdestination) | string | Logs destination. | | [`platformReservedCidr`](#parameter-platformreservedcidr) | string | IP range in CIDR notation that can be reserved for environment infrastructure IP addresses. It must not overlap with any other provided IP ranges and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | | [`platformReservedDnsIP`](#parameter-platformreserveddnsip) | string | An IP address from the IP range defined by "platformReservedCidr" that will be reserved for the internal DNS server. It must not be the first address in the range and can only be used when the environment is deployed into a virtual network. If not provided, it will be set with a default value by the platform. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | Managed environment SKU. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workloadProfiles`](#parameter-workloadprofiles) | array | Workload profiles configured for the Managed Environment. | @@ -450,7 +450,7 @@ An IP address from the IP range defined by "platformReservedCidr" that will be r ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -463,7 +463,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -511,7 +511,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/app/managed-environment/main.bicep b/modules/app/managed-environment/main.bicep index 12fc9772c4..f3905ce986 100644 --- a/modules/app/managed-environment/main.bicep +++ b/modules/app/managed-environment/main.bicep @@ -14,7 +14,7 @@ param location string = resourceGroup().location @description('Optional. Tags of the resource.') param tags object? -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @allowed([ @@ -135,7 +135,7 @@ resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { resource managedEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(managedEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -180,7 +180,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/app/managed-environment/main.json b/modules/app/managed-environment/main.json index cd7af31c94..ba37943c32 100644 --- a/modules/app/managed-environment/main.json +++ b/modules/app/managed-environment/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17510800738142190994" + "templateHash": "15830956831455159038" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -135,7 +135,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "skuName": { @@ -334,7 +334,7 @@ "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.App/managedEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 11b5cc06c2..fb894b62e8 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -252,7 +252,17 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] runbooks: [ @@ -484,7 +494,17 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -704,13 +724,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] runbooks: [ { description: 'Test runbook' @@ -935,15 +948,6 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "runbooks": { "value": [ { @@ -1097,7 +1101,7 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' | [`modules`](#parameter-modules) | array | List of modules to be created in the automation account. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`runbooks`](#parameter-runbooks) | array | List of runbooks to be created in the automation account. | | [`schedules`](#parameter-schedules) | array | List of schedules to be created in the automation account. | | [`skuName`](#parameter-skuname) | string | SKU name of the account. | @@ -1390,7 +1394,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1542,7 +1546,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1585,7 +1589,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1598,7 +1602,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1646,7 +1650,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/automation/automation-account/main.bicep b/modules/automation/automation-account/main.bicep index c7c66989e5..a2dfa7b527 100644 --- a/modules/automation/automation-account/main.bicep +++ b/modules/automation/automation-account/main.bicep @@ -65,7 +65,7 @@ param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the Automation Account resource.') @@ -361,7 +361,7 @@ module automationAccount_privateEndpoints '../../network/private-endpoint/main.b resource automationAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(automationAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -408,7 +408,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -485,7 +485,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/automation/automation-account/main.json b/modules/automation/automation-account/main.json index db9ba071f1..369cf74eb5 100644 --- a/modules/automation/automation-account/main.json +++ b/modules/automation/automation-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3971272162822794152" + "templateHash": "15622091278066868534" }, "name": "Automation Accounts", "description": "This module deploys an Azure Automation Account.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -273,7 +273,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -573,7 +573,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -719,7 +719,7 @@ "scope": "[format('Microsoft.Automation/automationAccounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Automation/automationAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/automation/automation-account/tests/e2e/max/main.test.bicep b/modules/automation/automation-account/tests/e2e/max/main.test.bicep index 4a97bffb39..b77d8bbd82 100644 --- a/modules/automation/automation-account/tests/e2e/max/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/max/main.test.bicep @@ -137,7 +137,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep index f024413f06..e4d4913905 100644 --- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -135,13 +135,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] runbooks: [ { description: 'Test runbook' diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 0c37755f50..e818d8120c 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -277,7 +277,17 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -378,7 +388,17 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -467,13 +487,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'Redis Cache Enterprise' @@ -567,15 +580,6 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", @@ -613,7 +617,7 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Requires clients to use a specified TLS version (or higher) to connect. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | The type of Redis Enterprise Cluster to deploy. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`zoneRedundant`](#parameter-zoneredundant) | bool | When true, the cluster will be deployed across availability zones. | @@ -801,7 +805,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -953,7 +957,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -981,7 +985,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -994,7 +998,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1042,7 +1046,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cache/redis-enterprise/main.bicep b/modules/cache/redis-enterprise/main.bicep index 1be629fba1..cdc3b5a490 100644 --- a/modules/cache/redis-enterprise/main.bicep +++ b/modules/cache/redis-enterprise/main.bicep @@ -11,7 +11,7 @@ param name string @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -126,7 +126,7 @@ resource redisEnterprise_diagnosticSettings 'Microsoft.Insights/diagnosticSettin resource redisEnterprise_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(redisEnterprise.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -208,7 +208,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -285,7 +285,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/cache/redis-enterprise/main.json b/modules/cache/redis-enterprise/main.json index 27f647f9e5..07490f41f9 100644 --- a/modules/cache/redis-enterprise/main.json +++ b/modules/cache/redis-enterprise/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9202709558148407604" + "templateHash": "14212744208009857353" }, "name": "Redis Cache Enterprise", "description": "This module deploys a Redis Cache Enterprise.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -383,7 +383,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -550,7 +550,7 @@ "scope": "[format('Microsoft.Cache/redisEnterprise/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cache/redisEnterprise', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep index 11967b6582..baf56e3e5e 100644 --- a/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/max/main.test.bicep @@ -89,7 +89,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep index e11f40719a..b9030436a7 100644 --- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep @@ -87,13 +87,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] minimumTlsVersion: '1.2' zoneRedundant: true privateEndpoints: [ diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 45e6ec422f..33f02d5c1f 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -473,7 +473,7 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = { | [`redisVersion`](#parameter-redisversion) | string | Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6). | | [`replicasPerMaster`](#parameter-replicaspermaster) | int | The number of replicas to be created per primary. | | [`replicasPerPrimary`](#parameter-replicasperprimary) | int | The number of replicas to be created per primary. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`shardCount`](#parameter-shardcount) | int | The number of shards to be created on a Premium Cluster Cache. | | [`skuName`](#parameter-skuname) | string | The type of Redis cache to deploy. | | [`staticIP`](#parameter-staticip) | string | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | @@ -732,7 +732,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -884,7 +884,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -962,7 +962,7 @@ The number of replicas to be created per primary. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -975,7 +975,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1023,7 +1023,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cache/redis/main.bicep b/modules/cache/redis/main.bicep index bb1d2191e5..4a34e577ce 100644 --- a/modules/cache/redis/main.bicep +++ b/modules/cache/redis/main.bicep @@ -11,7 +11,7 @@ param name string @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -201,7 +201,7 @@ resource redis_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05 resource redis_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(redis.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -281,7 +281,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -358,7 +358,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/cache/redis/main.json b/modules/cache/redis/main.json index f05edb97ec..90b5617b8a 100644 --- a/modules/cache/redis/main.json +++ b/modules/cache/redis/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7671125906841819197" + "templateHash": "10455754336377427456" }, "name": "Redis Cache", "description": "This module deploys a Redis Cache.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -432,7 +432,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -707,7 +707,7 @@ "scope": "[format('Microsoft.Cache/redis/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cache/redis', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 47cbe6ed82..81efa1a9e1 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -105,7 +105,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] ruleSets: [ @@ -221,7 +231,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -315,7 +335,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -394,7 +424,17 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] } @@ -459,13 +499,6 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { name: 'myCustomLockName' } originResponseTimeoutSeconds: 60 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] } } ``` @@ -536,15 +569,6 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { }, "originResponseTimeoutSeconds": { "value": 60 - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] } } } @@ -581,7 +605,7 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = { | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`originResponseTimeoutSeconds`](#parameter-originresponsetimeoutseconds) | int | Send and receive timeout on forwarding request to the origin. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. | | [`secrets`](#parameter-secrets) | array | Array of secret objects. | | [`tags`](#parameter-tags) | object | Endpoint tags. | @@ -677,7 +701,7 @@ Array of origin group objects. Required if the afdEndpoints is specified. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -690,7 +714,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -738,7 +762,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/cdn/profile/main.bicep b/modules/cdn/profile/main.bicep index 30ce9173c1..dd7abe44db 100644 --- a/modules/cdn/profile/main.bicep +++ b/modules/cdn/profile/main.bicep @@ -56,7 +56,7 @@ param tags object? @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -112,7 +112,7 @@ resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource profile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(profile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -238,7 +238,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/cdn/profile/main.json b/modules/cdn/profile/main.json index e8a03d38c8..3b9850f2ef 100644 --- a/modules/cdn/profile/main.json +++ b/modules/cdn/profile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17584746093289526242" + "templateHash": "9196888550176341860" }, "name": "CDN Profiles", "description": "This module deploys a CDN Profile.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -212,7 +212,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -289,7 +289,7 @@ "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Cdn/profiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/cdn/profile/tests/e2e/afd/main.test.bicep b/modules/cdn/profile/tests/e2e/afd/main.test.bicep index 9d3e21d539..e9e3864bf9 100644 --- a/modules/cdn/profile/tests/e2e/afd/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/afd/main.test.bicep @@ -60,7 +60,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' enableDefaultTelemetry: enableDefaultTelemetry roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cdn/profile/tests/e2e/max/main.test.bicep b/modules/cdn/profile/tests/e2e/max/main.test.bicep index fb18eefa09..85bf8f601d 100644 --- a/modules/cdn/profile/tests/e2e/max/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/max/main.test.bicep @@ -93,7 +93,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep index 00e2285b20..af0c232249 100644 --- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep @@ -91,12 +91,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' originGroups: [] geoFilters: [] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index b78be7385e..7eb1754df5 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -104,7 +104,17 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -150,7 +160,17 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -190,13 +210,6 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { name: 'myCustomLockName' } proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -235,15 +248,6 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { "proximityPlacementGroupResourceId": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -277,7 +281,7 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { | [`platformFaultDomainCount`](#parameter-platformfaultdomaincount) | int | The number of fault domains to use. | | [`platformUpdateDomainCount`](#parameter-platformupdatedomaincount) | int | The number of update domains to use. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | SKU of the availability set.

- Use 'Aligned' for virtual machines with managed disks.

- Use 'Classic' for virtual machines with unmanaged disks. | | [`tags`](#parameter-tags) | object | Tags of the availability set resource. | @@ -351,7 +355,7 @@ Resource ID of a proximity placement group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -364,7 +368,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -412,7 +416,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/availability-set/main.bicep b/modules/compute/availability-set/main.bicep index d48a10bd65..e7365a0176 100644 --- a/modules/compute/availability-set/main.bicep +++ b/modules/compute/availability-set/main.bicep @@ -23,7 +23,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') @@ -81,7 +81,7 @@ resource availabilitySet_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! resource availabilitySet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(availabilitySet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -117,7 +117,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/availability-set/main.json b/modules/compute/availability-set/main.json index b95d3d6e5b..1785fba305 100644 --- a/modules/compute/availability-set/main.json +++ b/modules/compute/availability-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10273034762819706688" + "templateHash": "5227518019590396567" }, "name": "Availability Sets", "description": "This module deploys an Availability Set.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -156,7 +156,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -237,7 +237,7 @@ "scope": "[format('Microsoft.Compute/availabilitySets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/availabilitySets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/availability-set/tests/e2e/max/main.test.bicep b/modules/compute/availability-set/tests/e2e/max/main.test.bicep index 1241842e7b..af84f42458 100644 --- a/modules/compute/availability-set/tests/e2e/max/main.test.bicep +++ b/modules/compute/availability-set/tests/e2e/max/main.test.bicep @@ -61,7 +61,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep index 7a305c8119..6aff4b922e 100644 --- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep @@ -59,13 +59,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: 'myCustomLockName' } proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index 024684795c..48783288cd 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -58,7 +58,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -109,7 +119,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -159,7 +179,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -215,7 +245,17 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -261,13 +301,6 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -316,15 +349,6 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -361,7 +385,7 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = | [`location`](#parameter-location) | string | Resource location. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. At least one identity type is required. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`rotationToLatestKeyVersionEnabled`](#parameter-rotationtolatestkeyversionenabled) | bool | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | [`tags`](#parameter-tags) | object | Tags of the disk encryption resource. | @@ -486,7 +510,7 @@ The name of the disk encryption set that is being created. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -499,7 +523,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -547,7 +571,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/disk-encryption-set/main.bicep b/modules/compute/disk-encryption-set/main.bicep index 0a96eb063a..c31fc9e4b7 100644 --- a/modules/compute/disk-encryption-set/main.bicep +++ b/modules/compute/disk-encryption-set/main.bicep @@ -38,7 +38,7 @@ param managedIdentities managedIdentitiesType = { systemAssigned: true } -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the disk encryption resource.') @@ -125,7 +125,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { resource diskEncryptionSet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(diskEncryptionSet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -187,7 +187,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/disk-encryption-set/main.json b/modules/compute/disk-encryption-set/main.json index d55eee6014..dbd6c27c6b 100644 --- a/modules/compute/disk-encryption-set/main.json +++ b/modules/compute/disk-encryption-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2310785535465824906" + "templateHash": "3002808940290583221" }, "name": "Disk Encryption Sets", "description": "This module deploys a Disk Encryption Set.", @@ -68,7 +68,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -203,7 +203,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -304,7 +304,7 @@ "scope": "[format('Microsoft.Compute/diskEncryptionSets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/diskEncryptionSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep index f494661b94..c7ca375354 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/accessPolicies/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep index b71ed7a6ec..23cb40bc46 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/max/main.test.bicep @@ -66,7 +66,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep index c49b0266d2..f27ccfe1eb 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep @@ -64,13 +64,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } keyName: nestedDependencies.outputs.keyName keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { userAssignedResourceIds: [ nestedDependencies.outputs.managedIdentityResourceId diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index a2b245fd26..feef599a20 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -109,7 +109,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -155,7 +165,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -193,7 +213,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sourceUri: '' @@ -238,7 +268,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -294,7 +334,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -358,7 +408,17 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -404,13 +464,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { logicalSectorSize: 512 osType: 'Windows' publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -467,15 +520,6 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { "publicNetworkAccess": { "value": "Enabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -529,7 +573,7 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = { | [`optimizedForFrequentAttach`](#parameter-optimizedforfrequentattach) | bool | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine. | | [`osType`](#parameter-ostype) | string | Sources of a disk creation. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Policy for controlling export on the disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityDataUri`](#parameter-securitydatauri) | string | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. | | [`sourceResourceId`](#parameter-sourceresourceid) | string | If create option is Copy, this is the ARM ID of the source snapshot or disk. | | [`sourceUri`](#parameter-sourceuri) | string | If create option is Import, this is the URI of a blob to be imported into a managed disk. | @@ -750,7 +794,7 @@ Policy for controlling export on the disk. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -763,7 +807,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -811,7 +855,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/disk/main.bicep b/modules/compute/disk/main.bicep index b81bda894c..7989977bb4 100644 --- a/modules/compute/disk/main.bicep +++ b/modules/compute/disk/main.bicep @@ -121,7 +121,7 @@ param acceleratedNetwork bool = false @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the availability set resource.') @@ -205,7 +205,7 @@ resource disk_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock resource disk_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(disk.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -241,7 +241,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/disk/main.json b/modules/compute/disk/main.json index efff55288f..37e7361de7 100644 --- a/modules/compute/disk/main.json +++ b/modules/compute/disk/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13415296044159532527" + "templateHash": "8419179965275134660" }, "name": "Compute Disks", "description": "This module deploys a Compute Disk", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -325,7 +325,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -430,7 +430,7 @@ "scope": "[format('Microsoft.Compute/disks/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/disks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/disk/tests/e2e/image/main.test.bicep b/modules/compute/disk/tests/e2e/image/main.test.bicep index 7b49045a5d..67fd259073 100644 --- a/modules/compute/disk/tests/e2e/image/main.test.bicep +++ b/modules/compute/disk/tests/e2e/image/main.test.bicep @@ -54,7 +54,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' imageReferenceId: '${subscription().id}/Providers/Microsoft.Compute/Locations/westeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2022-datacenter-azure-edition/Versions/20348.1006.220908' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/disk/tests/e2e/import/main.test.bicep b/modules/compute/disk/tests/e2e/import/main.test.bicep index e343bbfbdc..0622d78455 100644 --- a/modules/compute/disk/tests/e2e/import/main.test.bicep +++ b/modules/compute/disk/tests/e2e/import/main.test.bicep @@ -57,7 +57,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' createOption: 'Import' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/disk/tests/e2e/max/main.test.bicep b/modules/compute/disk/tests/e2e/max/main.test.bicep index cd544f46b9..25ab818edd 100644 --- a/modules/compute/disk/tests/e2e/max/main.test.bicep +++ b/modules/compute/disk/tests/e2e/max/main.test.bicep @@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' publicNetworkAccess: 'Enabled' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep index 0b70c6e0b5..e22035fb5e 100644 --- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep @@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' logicalSectorSize: 512 osType: 'Windows' publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 5d352f0fb3..478eaa6765 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -222,7 +222,17 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -386,7 +396,17 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -542,13 +562,6 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -705,15 +718,6 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/compute/gallery/application/main.bicep b/modules/compute/gallery/application/main.bicep index f1cf6372c2..dcb745225b 100644 --- a/modules/compute/gallery/application/main.bicep +++ b/modules/compute/gallery/application/main.bicep @@ -90,7 +90,7 @@ resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = { resource application_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(application.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/compute/gallery/application/main.json b/modules/compute/gallery/application/main.json index ffc09df846..173a43d0c8 100644 --- a/modules/compute/gallery/application/main.json +++ b/modules/compute/gallery/application/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4468420728204112478" + "version": "0.23.1.45101", + "templateHash": "13733131047823769084" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -235,7 +235,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/gallery/image/main.bicep b/modules/compute/gallery/image/main.bicep index 3f5a724b3c..a922e5e74b 100644 --- a/modules/compute/gallery/image/main.bicep +++ b/modules/compute/gallery/image/main.bicep @@ -213,7 +213,7 @@ resource image 'Microsoft.Compute/galleries/images@2022-03-03' = { resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/compute/gallery/image/main.json b/modules/compute/gallery/image/main.json index 9c37688f70..966b22684c 100644 --- a/modules/compute/gallery/image/main.json +++ b/modules/compute/gallery/image/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12640831453229356933" + "version": "0.23.1.45101", + "templateHash": "17846161223611480196" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -396,7 +396,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/gallery/main.bicep b/modules/compute/gallery/main.bicep index 5d9a951fa4..54aaf1e3f9 100644 --- a/modules/compute/gallery/main.bicep +++ b/modules/compute/gallery/main.bicep @@ -75,7 +75,7 @@ resource gallery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource gallery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(gallery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/compute/gallery/main.json b/modules/compute/gallery/main.json index 988b6b53a7..44e5d0a6f9 100644 --- a/modules/compute/gallery/main.json +++ b/modules/compute/gallery/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8907363611903070816" + "templateHash": "15313131097423380423" }, "name": "Azure Compute Galleries", "description": "This module deploys an Azure Compute Gallery (formerly known as Shared Image Gallery).", @@ -229,7 +229,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -284,7 +284,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8232745966352037801" + "templateHash": "13733131047823769084" }, "name": "Compute Galleries Applications", "description": "This module deploys an Azure Compute Gallery Application.", @@ -513,7 +513,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/applications/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/applications', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -618,7 +618,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3383509605637851908" + "templateHash": "17846161223611480196" }, "name": "Compute Galleries Image Definitions", "description": "This module deploys an Azure Compute Gallery Image Definition.", @@ -1008,7 +1008,7 @@ "scope": "[format('Microsoft.Compute/galleries/{0}/images/{1}', parameters('galleryName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/gallery/tests/e2e/max/main.test.bicep b/modules/compute/gallery/tests/e2e/max/main.test.bicep index efc7e9a946..2562a048e5 100644 --- a/modules/compute/gallery/tests/e2e/max/main.test.bicep +++ b/modules/compute/gallery/tests/e2e/max/main.test.bicep @@ -176,7 +176,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep index c519821e4f..7d759c2f2a 100644 --- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep @@ -174,13 +174,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' sku: '20_04-lts-gen2' } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index f642c6f3c1..8b7d4eb4db 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -57,7 +57,17 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -119,7 +129,17 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -165,13 +185,6 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { enableDefaultTelemetry: '' hyperVGeneration: 'V1' osState: 'Generalized' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' tagA: 'You\'re it' @@ -226,15 +239,6 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { "osState": { "value": "Generalized" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", @@ -278,7 +282,7 @@ module image 'br:bicep/modules/compute.image:1.0.0' = { | [`osAccountType`](#parameter-osaccounttype) | string | Specifies the storage account type for the managed disk. NOTE: UltraSSD_LRS can only be used with data disks, it cannot be used with OS Disk. - Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS. | | [`osDiskCaching`](#parameter-osdiskcaching) | string | Specifies the caching requirements. Default: None for Standard storage. ReadOnly for Premium storage. - None, ReadOnly, ReadWrite. | | [`osState`](#parameter-osstate) | string | The OS State. For managed images, use Generalized. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`snapshotResourceId`](#parameter-snapshotresourceid) | string | The snapshot resource ID. | | [`sourceVirtualMachineResourceId`](#parameter-sourcevirtualmachineresourceid) | string | The source virtual machine from which Image is created. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -386,7 +390,7 @@ This property allows you to specify the type of the OS that is included in the d ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -399,7 +403,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -447,7 +451,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/image/main.bicep b/modules/compute/image/main.bicep index f83ef220ab..20e3e6ea11 100644 --- a/modules/compute/image/main.bicep +++ b/modules/compute/image/main.bicep @@ -26,7 +26,7 @@ param zoneResilient bool = false @description('Optional. Gets the HyperVGenerationType of the VirtualMachine created from the image. - V1 or V2.') param hyperVGeneration string = 'V1' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -120,7 +120,7 @@ resource image 'Microsoft.Compute/images@2022-11-01' = { resource image_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(image.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -147,7 +147,7 @@ output location string = image.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/image/main.json b/modules/compute/image/main.json index d559e8bc9b..b3099a9dec 100644 --- a/modules/compute/image/main.json +++ b/modules/compute/image/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18345867974770384550" + "templateHash": "6473488393825855372" }, "name": "Images", "description": "This module deploys a Compute Image.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -135,7 +135,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -274,7 +274,7 @@ "scope": "[format('Microsoft.Compute/images/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/images', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/image/tests/e2e/max/main.test.bicep b/modules/compute/image/tests/e2e/max/main.test.bicep index e4da6461c2..4ef529aeea 100644 --- a/modules/compute/image/tests/e2e/max/main.test.bicep +++ b/modules/compute/image/tests/e2e/max/main.test.bicep @@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' hyperVGeneration: 'V1' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep index 8403077e92..ee4dfe3db0 100644 --- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep @@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' osDiskCaching: 'ReadWrite' osType: 'Windows' hyperVGeneration: 'V1' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] zoneResilient: true diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId osState: 'Generalized' diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index a5861c05f9..b78e4a52f2 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -115,7 +115,17 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -178,7 +188,17 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -237,13 +257,6 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' TagA: 'Would you kindly...' @@ -299,15 +312,6 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", @@ -348,7 +352,7 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro | [`intent`](#parameter-intent) | object | Specifies the user intent of the proximity placement group. | | [`location`](#parameter-location) | string | Resource location. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the proximity placement group resource. | | [`type`](#parameter-type) | string | Specifies the type of the proximity placement group. | | [`zones`](#parameter-zones) | array | Specifies the Availability Zone where virtual machine, virtual machine scale set or availability set associated with the proximity placement group can be created. | @@ -416,7 +420,7 @@ The name of the proximity placement group that is being created. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -429,7 +433,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -477,7 +481,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/proximity-placement-group/main.bicep b/modules/compute/proximity-placement-group/main.bicep index f2f76a2216..45047683d4 100644 --- a/modules/compute/proximity-placement-group/main.bicep +++ b/modules/compute/proximity-placement-group/main.bicep @@ -18,7 +18,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the proximity placement group resource.') @@ -80,7 +80,7 @@ resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2020-05-01' resource proximityPlacementGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(proximityPlacementGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -116,7 +116,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/proximity-placement-group/main.json b/modules/compute/proximity-placement-group/main.json index cf403363a2..6d3f4e9580 100644 --- a/modules/compute/proximity-placement-group/main.json +++ b/modules/compute/proximity-placement-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2277527270184526895" + "templateHash": "1474026739792714088" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -139,7 +139,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -239,7 +239,7 @@ "scope": "[format('Microsoft.Compute/proximityPlacementGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/proximityPlacementGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep index c996b25ec1..a0e4f0cbc6 100644 --- a/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep +++ b/modules/compute/proximity-placement-group/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep index 498ccb1f1d..db7c9800b0 100644 --- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] zones: [ '1' ] diff --git a/modules/compute/virtual-machine-scale-set/README.md b/modules/compute/virtual-machine-scale-set/README.md index 05c8624341..5e27d6d457 100644 --- a/modules/compute/virtual-machine-scale-set/README.md +++ b/modules/compute/virtual-machine-scale-set/README.md @@ -1267,7 +1267,7 @@ module virtualMachineScaleSet 'br:bicep/modules/compute.virtual-machine-scale-se | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | | [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | | [`scaleInPolicy`](#parameter-scaleinpolicy) | object | Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in. | | [`scaleSetFaultDomain`](#parameter-scalesetfaultdomain) | int | Fault Domain count for each placement group. | @@ -1808,7 +1808,7 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1821,7 +1821,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1869,7 +1869,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/virtual-machine-scale-set/main.bicep b/modules/compute/virtual-machine-scale-set/main.bicep index 977ec6753f..0f845b192c 100644 --- a/modules/compute/virtual-machine-scale-set/main.bicep +++ b/modules/compute/virtual-machine-scale-set/main.bicep @@ -46,7 +46,7 @@ param adminPassword string = '' @description('Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.') param customData string = '' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Fault Domain count for each placement group.') @@ -627,7 +627,7 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05- resource vmss_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(vmss.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -674,7 +674,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/virtual-machine-scale-set/main.json b/modules/compute/virtual-machine-scale-set/main.json index 1bde1e509e..95643ce69d 100644 --- a/modules/compute/virtual-machine-scale-set/main.json +++ b/modules/compute/virtual-machine-scale-set/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13725426990469147977" + "templateHash": "6314533557974797448" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -306,7 +306,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scaleSetFaultDomain": { @@ -974,7 +974,7 @@ "scope": "[format('Microsoft.Compute/virtualMachineScaleSets/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/compute/virtual-machine/README.md b/modules/compute/virtual-machine/README.md index dfe8bb4ccc..3f0e0fce12 100644 --- a/modules/compute/virtual-machine/README.md +++ b/modules/compute/virtual-machine/README.md @@ -271,7 +271,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -578,7 +588,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1164,7 +1184,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -1491,7 +1521,17 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1983,7 +2023,7 @@ module virtualMachine 'br:bicep/modules/compute.virtual-machine:1.0.0' = { | [`provisionVMAgent`](#parameter-provisionvmagent) | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | | [`proximityPlacementGroupResourceId`](#parameter-proximityplacementgroupresourceid) | string | Resource ID of a proximity placement group. | | [`publicKeys`](#parameter-publickeys) | array | The list of SSH public keys used to authenticate with linux based VMs. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sasTokenValidityLength`](#parameter-sastokenvaliditylength) | string | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | | [`secureBootEnabled`](#parameter-securebootenabled) | bool | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | | [`securityType`](#parameter-securitytype) | string | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | @@ -2509,7 +2549,7 @@ The list of SSH public keys used to authenticate with linux based VMs. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2522,7 +2562,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2570,7 +2610,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/compute/virtual-machine/main.bicep b/modules/compute/virtual-machine/main.bicep index a8660a203e..f908e4b473 100644 --- a/modules/compute/virtual-machine/main.bicep +++ b/modules/compute/virtual-machine/main.bicep @@ -189,7 +189,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -663,7 +663,7 @@ resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? resource vm_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(vm.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -710,7 +710,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/virtual-machine/main.json b/modules/compute/virtual-machine/main.json index 601f4cfe90..cb696cbdcc 100644 --- a/modules/compute/virtual-machine/main.json +++ b/modules/compute/virtual-machine/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10032149803242831111" + "templateHash": "89939038941992549" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -602,7 +602,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -938,7 +938,7 @@ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1001,7 +1001,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10451257297733630828" + "templateHash": "11123708724712871468" } }, "definitions": { @@ -1144,7 +1144,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1251,7 +1251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, diff --git a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep index 3126ee1dfb..a7e44aaf79 100644 --- a/modules/compute/virtual-machine/modules/nested_networkInterface.bicep +++ b/modules/compute/virtual-machine/modules/nested_networkInterface.bicep @@ -15,7 +15,7 @@ param lock lockType @description('Optional. The diagnostic settings of the Network Interface.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var enableReferencedModulesTelemetry = false @@ -124,7 +124,7 @@ type diagnosticSettingType = { }[]? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep index a0562afb0a..b4b5e7ba57 100644 --- a/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/linux/main.test.bicep @@ -281,7 +281,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep index e095862d0d..7bc8a2c00f 100644 --- a/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep +++ b/modules/compute/virtual-machine/tests/e2e/windows/main.test.bicep @@ -302,7 +302,17 @@ module testDeployment '../../../main.bicep' = { proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 9d068e56b9..546708177b 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -261,7 +261,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] softDeletePolicyDays: 7 @@ -396,7 +406,17 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -602,13 +622,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { name: '' } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] softDeletePolicyDays: 7 softDeletePolicyStatus: 'disabled' tags: { @@ -736,15 +749,6 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "softDeletePolicyDays": { "value": 7 }, @@ -811,7 +815,7 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { | [`replications`](#parameter-replications) | array | All replications to create. | | [`retentionPolicyDays`](#parameter-retentionpolicydays) | int | The number of days to retain an untagged manifest after which it gets purged. | | [`retentionPolicyStatus`](#parameter-retentionpolicystatus) | string | The value that indicates whether the retention policy is enabled or not. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`softDeletePolicyDays`](#parameter-softdeletepolicydays) | int | The number of days after which a soft-deleted item is permanently deleted. | | [`softDeletePolicyStatus`](#parameter-softdeletepolicystatus) | string | Soft Delete policy status. Default is disabled. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -1175,7 +1179,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1327,7 +1331,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1412,7 +1416,7 @@ The value that indicates whether the retention policy is enabled or not. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1425,7 +1429,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1473,7 +1477,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/container-registry/registry/main.bicep b/modules/container-registry/registry/main.bicep index adb6b45d84..ff38067ac0 100644 --- a/modules/container-registry/registry/main.bicep +++ b/modules/container-registry/registry/main.bicep @@ -13,7 +13,7 @@ param acrAdminUserEnabled bool = false @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tier of your Azure container registry.') @@ -326,7 +326,7 @@ resource registry_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021 resource registry_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(registry.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -400,7 +400,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -477,7 +477,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/container-registry/registry/main.json b/modules/container-registry/registry/main.json index 40951db6fa..39a04d3a66 100644 --- a/modules/container-registry/registry/main.json +++ b/modules/container-registry/registry/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "601165591390231173" + "templateHash": "6862455028328660677" }, "name": "Azure Container Registries (ACR)", "description": "This module deploys an Azure Container Registry (ACR).", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -467,7 +467,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "acrSku": { @@ -847,7 +847,7 @@ "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ContainerRegistry/registries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/container-registry/registry/tests/e2e/max/main.test.bicep b/modules/container-registry/registry/tests/e2e/max/main.test.bicep index d846a7b696..767cc9ee2e 100644 --- a/modules/container-registry/registry/tests/e2e/max/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/max/main.test.bicep @@ -124,7 +124,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep index f0bf4552b3..7f6dd675d7 100644 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep @@ -122,13 +122,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: nestedDependencies.outputs.pairedRegionName } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { systemAssigned: true userAssignedResourceIds: [ diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md index fe444ca1da..dd804e181f 100644 --- a/modules/container-service/managed-cluster/README.md +++ b/modules/container-service/managed-cluster/README.md @@ -21,7 +21,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster. | `Microsoft.ContainerService/managedClusters/agentPools` | [2023-07-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-07-02-preview/managedClusters/agentPools) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | -| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/fluxConfigurations) | ## Usage examples @@ -234,7 +234,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -501,7 +511,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -701,7 +721,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -838,7 +868,17 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1230,7 +1270,7 @@ module managedCluster 'br:bicep/modules/container-service.managed-cluster:1.0.0' | [`podIdentityProfileUserAssignedIdentities`](#parameter-podidentityprofileuserassignedidentities) | array | The pod identities to use in the cluster. | | [`podIdentityProfileUserAssignedIdentityExceptions`](#parameter-podidentityprofileuserassignedidentityexceptions) | array | The pod identity exceptions to allow. | | [`privateDNSZone`](#parameter-privatednszone) | string | Private DNS Zone configuration. Set to 'system' and AKS will create a private DNS zone in the node resource group. Set to '' to disable private DNS Zone creation and use public DNS. Supply the resource ID here of an existing Private DNS zone to use an existing zone. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceCidr`](#parameter-servicecidr) | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | | [`skuTier`](#parameter-skutier) | string | Tier of a managed cluster SKU. - Free or Standard. | | [`sshPublicKey`](#parameter-sshpublickey) | string | Specifies the SSH RSA public key string for the Linux nodes. | @@ -2116,7 +2156,7 @@ Private DNS Zone configuration. Set to 'system' and AKS will create a private DN ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2129,7 +2169,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2177,7 +2217,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep index 304a5c48e6..bd9f8294c5 100644 --- a/modules/container-service/managed-cluster/main.bicep +++ b/modules/container-service/managed-cluster/main.bicep @@ -323,7 +323,7 @@ param monitoringWorkspaceId string = '' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -683,7 +683,7 @@ resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticSetting resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(managedCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -765,7 +765,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index e6da45a8e2..ae0399022d 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4013697482173328246" + "templateHash": "8572950365871080651" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -923,7 +923,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { @@ -1249,7 +1249,7 @@ "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1804,7 +1804,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18265527122738367400" + "templateHash": "548642834195454661" }, "name": "Kubernetes Configuration Extensions", "description": "This module deploys a Kubernetes Configuration Extension.", @@ -1967,7 +1967,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8985718648814286209" + "templateHash": "10031296768791737313" }, "name": "Kubernetes Configuration Flux Configurations", "description": "This module deploys a Kubernetes Configuration Flux Configuration.", @@ -2023,9 +2023,8 @@ }, "kustomizations": { "type": "object", - "defaultValue": {}, "metadata": { - "description": "Optional. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." + "description": "Required. Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster." } }, "namespace": { @@ -2079,14 +2078,14 @@ }, { "type": "Microsoft.KubernetesConfiguration/fluxConfigurations", - "apiVersion": "2022-03-01", + "apiVersion": "2023-05-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[parameters('name')]", "properties": { "bucket": "[if(not(empty(parameters('bucket'))), parameters('bucket'), null())]", "configurationProtectedSettings": "[if(not(empty(parameters('configurationProtectedSettings'))), parameters('configurationProtectedSettings'), createObject())]", "gitRepository": "[if(not(empty(parameters('gitRepository'))), parameters('gitRepository'), null())]", - "kustomizations": "[if(not(empty(parameters('kustomizations'))), parameters('kustomizations'), createObject())]", + "kustomizations": "[parameters('kustomizations')]", "namespace": "[parameters('namespace')]", "scope": "[parameters('scope')]", "sourceKind": "[parameters('sourceKind')]", diff --git a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep index 32f8c42ed3..c5cc686316 100644 --- a/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/azure/main.test.bicep @@ -200,7 +200,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep index 9c91011d20..cede954b18 100644 --- a/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep +++ b/modules/container-service/managed-cluster/tests/e2e/kubenet/main.test.bicep @@ -151,7 +151,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 400baf8e89..c04ef52978 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -181,7 +181,17 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -313,7 +323,17 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -423,13 +443,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -554,15 +567,6 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -611,7 +615,7 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { | [`managedVirtualNetworkName`](#parameter-managedvirtualnetworkname) | string | The name of the Managed Virtual Network. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `customerManagedKey` @@ -955,7 +959,7 @@ Configuration Details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1107,7 +1111,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1150,7 +1154,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1163,7 +1167,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1211,7 +1215,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/data-factory/factory/main.bicep b/modules/data-factory/factory/main.bicep index d6c26ec855..f0718db857 100644 --- a/modules/data-factory/factory/main.bicep +++ b/modules/data-factory/factory/main.bicep @@ -70,7 +70,7 @@ param privateEndpoints privateEndpointType @description('Optional. The customer managed key definition.') param customerManagedKey customerManagedKeyType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -216,7 +216,7 @@ resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2 resource dataFactory_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(dataFactory.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -287,7 +287,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -364,7 +364,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/data-factory/factory/main.json b/modules/data-factory/factory/main.json index e57d5fc9a6..2c237602dc 100644 --- a/modules/data-factory/factory/main.json +++ b/modules/data-factory/factory/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1174493614082908540" + "templateHash": "13040115678809105758" }, "name": "Data Factories", "description": "This module deploys a Data Factory.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -591,7 +591,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -732,7 +732,7 @@ "scope": "[format('Microsoft.DataFactory/factories/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DataFactory/factories', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/data-factory/factory/tests/e2e/max/main.test.bicep b/modules/data-factory/factory/tests/e2e/max/main.test.bicep index a04cfe8f10..7134060c90 100644 --- a/modules/data-factory/factory/tests/e2e/max/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/max/main.test.bicep @@ -142,7 +142,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 28b941a4e4..1a7cb59527 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -140,13 +140,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { systemAssigned: true userAssignedResourceIds: [ diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index a7771b8b43..6ade55fb30 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -171,7 +171,17 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -286,7 +296,17 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -391,13 +411,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { managedIdentities: { systemAssigned: true } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -505,15 +518,6 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { "systemAssigned": true } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -549,7 +553,7 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securitySettings`](#parameter-securitysettings) | object | Security settings for the backup vault. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | | [`type`](#parameter-type) | string | The vault redundancy level to use. | @@ -664,7 +668,7 @@ Name of the Backup Vault. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -677,7 +681,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -725,7 +729,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/data-protection/backup-vault/main.bicep b/modules/data-protection/backup-vault/main.bicep index 942fbcfb34..f337814938 100644 --- a/modules/data-protection/backup-vault/main.bicep +++ b/modules/data-protection/backup-vault/main.bicep @@ -11,7 +11,7 @@ param enableDefaultTelemetry bool = true @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -128,7 +128,7 @@ resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empt resource backupVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(backupVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -172,7 +172,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/data-protection/backup-vault/main.json b/modules/data-protection/backup-vault/main.json index 8b0c13673f..487583bb38 100644 --- a/modules/data-protection/backup-vault/main.json +++ b/modules/data-protection/backup-vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8279564580875716128" + "templateHash": "11737453267233569722" }, "name": "Data Protection Backup Vaults", "description": "This module deploys a Data Protection Backup Vault.", @@ -59,7 +59,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -142,7 +142,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { @@ -297,7 +297,7 @@ "scope": "[format('Microsoft.DataProtection/backupVaults/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep index 4d25b7b7c4..588b2e0c20 100644 --- a/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/max/main.test.bicep @@ -55,7 +55,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: '${namePrefix}${serviceShort}001' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep index 8d44a80490..1bcb119964 100644 --- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep @@ -53,13 +53,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' managedIdentities: { systemAssigned: true diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index 56b4202f0c..02ebe4193a 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -110,7 +110,17 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -164,7 +174,17 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -210,13 +230,6 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -263,15 +276,6 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -303,7 +307,7 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -381,7 +385,7 @@ The name of the Azure Databricks access connector to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -394,7 +398,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -442,7 +446,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/databricks/access-connector/main.bicep b/modules/databricks/access-connector/main.bicep index 6a680d39ce..53ba92c2c2 100644 --- a/modules/databricks/access-connector/main.bicep +++ b/modules/databricks/access-connector/main.bicep @@ -11,7 +11,7 @@ param tags object? @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -70,7 +70,7 @@ resource accessConnector_lock 'Microsoft.Authorization/locks@2020-05-01' = if (! resource accessConnector_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(accessConnector.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -117,7 +117,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/databricks/access-connector/main.json b/modules/databricks/access-connector/main.json index fbb23e6cc8..dce724ef4b 100644 --- a/modules/databricks/access-connector/main.json +++ b/modules/databricks/access-connector/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6639727250601518153" + "templateHash": "3245638906962144809" }, "name": "Azure Databricks Access Connectors", "description": "This module deploys an Azure Databricks Access Connector.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -152,7 +152,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { @@ -234,7 +234,7 @@ "scope": "[format('Microsoft.Databricks/accessConnectors/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Databricks/accessConnectors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep index 268b24f056..586cd17f0c 100644 --- a/modules/databricks/access-connector/tests/e2e/max/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/max/main.test.bicep @@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index bf7405d2c9..64b4f1b6ab 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.managedIdentityResourceId ] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index fcb2e26a86..a41556f10d 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -160,7 +160,17 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuName: 'premium' @@ -298,7 +308,17 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -402,13 +422,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { publicNetworkAccess: 'Disabled' requiredNsgRules: 'NoAzureDatabricksRules' requireInfrastructureEncryption: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuName: 'premium' storageAccountName: 'sadwwaf001' storageAccountSkuName: 'Standard_ZRS' @@ -539,15 +552,6 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { "requireInfrastructureEncryption": { "value": true }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuName": { "value": "premium" }, @@ -608,7 +612,7 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. | | [`requiredNsgRules`](#parameter-requirednsgrules) | string | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. | | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | The pricing tier of workspace. | | [`storageAccountName`](#parameter-storageaccountname) | string | Default DBFS storage account name. | | [`storageAccountSkuName`](#parameter-storageaccountskuname) | string | Storage account SKU name. | @@ -939,7 +943,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1091,7 +1095,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1161,7 +1165,7 @@ A boolean indicating whether or not the DBFS root file system will be enabled wi ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1174,7 +1178,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1222,7 +1226,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/databricks/workspace/main.bicep b/modules/databricks/workspace/main.bicep index 524ab6c616..0d7e6cdb19 100644 --- a/modules/databricks/workspace/main.bicep +++ b/modules/databricks/workspace/main.bicep @@ -19,7 +19,7 @@ param skuName string = 'premium' @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The diagnostic settings of the service.') @@ -273,7 +273,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -333,7 +333,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -410,7 +410,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/databricks/workspace/main.json b/modules/databricks/workspace/main.json index 390fcb0f0c..47a19aa465 100644 --- a/modules/databricks/workspace/main.json +++ b/modules/databricks/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "450554632364437388" + "templateHash": "17678709403904494263" }, "name": "Azure Databricks Workspaces", "description": "This module deploys an Azure Databricks Workspace.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -475,7 +475,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { @@ -777,7 +777,7 @@ "scope": "[format('Microsoft.Databricks/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Databricks/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/databricks/workspace/tests/e2e/max/main.test.bicep b/modules/databricks/workspace/tests/e2e/max/main.test.bicep index 00f1d84997..5656e772da 100644 --- a/modules/databricks/workspace/tests/e2e/max/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/max/main.test.bicep @@ -103,7 +103,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep index 537323ad34..66928e1121 100644 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -101,13 +101,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/db-for-my-sql/flexible-server/README.md b/modules/db-for-my-sql/flexible-server/README.md index e23b4de351..4d655aab35 100644 --- a/modules/db-for-my-sql/flexible-server/README.md +++ b/modules/db-for-my-sql/flexible-server/README.md @@ -160,7 +160,17 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] storageAutoGrow: 'Enabled' @@ -273,7 +283,17 @@ module flexibleServer 'br:bicep/modules/db-for-my-sql.flexible-server:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1044,7 +1064,7 @@ Array of role assignment objects that contain the "roleDefinitionIdOrName" and " | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1092,7 +1112,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/db-for-my-sql/flexible-server/main.bicep b/modules/db-for-my-sql/flexible-server/main.bicep index dc99f1c7e9..d89c29094a 100644 --- a/modules/db-for-my-sql/flexible-server/main.bicep +++ b/modules/db-for-my-sql/flexible-server/main.bicep @@ -284,7 +284,7 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -384,7 +384,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/db-for-my-sql/flexible-server/main.json b/modules/db-for-my-sql/flexible-server/main.json index a4ccada7bc..5d63ee48ca 100644 --- a/modules/db-for-my-sql/flexible-server/main.json +++ b/modules/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4826973555855760872" + "templateHash": "13509958318011769977" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -698,7 +698,7 @@ "scope": "[format('Microsoft.DBforMySQL/flexibleServers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep index e5203d967c..46a67b9445 100644 --- a/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep +++ b/modules/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep @@ -76,7 +76,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/db-for-postgre-sql/flexible-server/README.md b/modules/db-for-postgre-sql/flexible-server/README.md index bfa29ed68f..30ebf9dba0 100644 --- a/modules/db-for-postgre-sql/flexible-server/README.md +++ b/modules/db-for-postgre-sql/flexible-server/README.md @@ -543,7 +543,7 @@ module flexibleServer 'br:bicep/modules/db-for-postgre-sql.flexible-server:1.0.0 | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | | [`passwordAuth`](#parameter-passwordauth) | string | If Enabled, password authentication is enabled. | | [`privateDnsZoneArmResourceId`](#parameter-privatednszonearmresourceid) | string | Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access" and required when "delegatedSubnetResourceId" is used. The Private DNS Zone must be lined to the Virtual Network referenced in "delegatedSubnetResourceId". | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`storageSizeGB`](#parameter-storagesizegb) | int | Max storage allowed for a server. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`tenantId`](#parameter-tenantid) | string | Tenant id of the server. | @@ -939,7 +939,7 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -952,7 +952,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1000,7 +1000,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/db-for-postgre-sql/flexible-server/main.bicep b/modules/db-for-postgre-sql/flexible-server/main.bicep index e1731b412a..c6d1b75d5c 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.bicep +++ b/modules/db-for-postgre-sql/flexible-server/main.bicep @@ -143,7 +143,7 @@ param configurations array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -261,7 +261,7 @@ resource flexibleServer_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource flexibleServer_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(flexibleServer.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -379,7 +379,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/db-for-postgre-sql/flexible-server/main.json b/modules/db-for-postgre-sql/flexible-server/main.json index 6a905a8e17..25dcb199a2 100644 --- a/modules/db-for-postgre-sql/flexible-server/main.json +++ b/modules/db-for-postgre-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13706520211272319877" + "templateHash": "10058986332950368920" }, "name": "DBforPostgreSQL Flexible Servers", "description": "This module deploys a DBforPostgreSQL Flexible Server.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -506,7 +506,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -655,7 +655,7 @@ "scope": "[format('Microsoft.DBforPostgreSQL/flexibleServers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DBforPostgreSQL/flexibleServers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 22947a3ef1..0c3b211b08 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -145,7 +145,17 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -234,7 +244,17 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -305,13 +325,6 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -393,15 +406,6 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/desktop-virtualization/application-group/main.bicep b/modules/desktop-virtualization/application-group/main.bicep index 390e74da2f..55bd2d0ee3 100644 --- a/modules/desktop-virtualization/application-group/main.bicep +++ b/modules/desktop-virtualization/application-group/main.bicep @@ -143,7 +143,7 @@ module appGroup_applications 'application/main.bicep' = [for (application, index resource appGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/application-group/main.json b/modules/desktop-virtualization/application-group/main.json index 50f7154d0c..f94e06adf4 100644 --- a/modules/desktop-virtualization/application-group/main.json +++ b/modules/desktop-virtualization/application-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10392643216669479103" + "templateHash": "1467950374107623921" }, "name": "Azure Virtual Desktop (AVD) Application Groups", "description": "This module deploys an Azure Virtual Desktop (AVD) Application Group.", @@ -385,7 +385,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/applicationGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/applicationGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep index 49d1fc5088..3529748317 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/max/main.test.bicep @@ -106,7 +106,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep index a5bb068c02..8bfb658ff8 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep @@ -104,13 +104,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index 37af321393..5e3c70c4fb 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -135,7 +135,17 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -245,7 +255,17 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -337,13 +357,6 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { } maxSessionLimit: 99999 personalDesktopAssignmentType: 'Automatic' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -446,15 +459,6 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { "personalDesktopAssignmentType": { "value": "Automatic" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/desktop-virtualization/host-pool/main.bicep b/modules/desktop-virtualization/host-pool/main.bicep index 228901fa8d..1af44b1e15 100644 --- a/modules/desktop-virtualization/host-pool/main.bicep +++ b/modules/desktop-virtualization/host-pool/main.bicep @@ -249,7 +249,7 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021 resource hostPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(hostPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/host-pool/main.json b/modules/desktop-virtualization/host-pool/main.json index 9d02aba679..3e319b32f0 100644 --- a/modules/desktop-virtualization/host-pool/main.json +++ b/modules/desktop-virtualization/host-pool/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14800561756618420199" + "templateHash": "14589445999747413105" }, "name": "Azure Virtual Desktop (AVD) Host Pools", "description": "This module deploys an Azure Virtual Desktop (AVD) Host Pool.", @@ -583,7 +583,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep index b014dcfb07..07996d49e3 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/max/main.test.bicep @@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' personalDesktopAssignmentType: 'Automatic' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep index eb8918d929..05123d5d47 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep @@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } maxSessionLimit: 99999 personalDesktopAssignmentType: 'Automatic' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] vmTemplate: { customImageId: null domain: 'domainname.onmicrosoft.com' diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 96f2d667e4..6511a66cc7 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -111,7 +111,17 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] schedules: [ @@ -208,7 +218,17 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -297,13 +317,6 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' enableDefaultTelemetry: '' friendlyName: 'My Scaling Plan' hostPoolType: 'Pooled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] schedules: [ { daysOfWeek: [ @@ -393,15 +406,6 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' "hostPoolType": { "value": "Pooled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "schedules": { "value": [ { diff --git a/modules/desktop-virtualization/scaling-plan/main.bicep b/modules/desktop-virtualization/scaling-plan/main.bicep index 1f9734fb0a..69551d44a8 100644 --- a/modules/desktop-virtualization/scaling-plan/main.bicep +++ b/modules/desktop-virtualization/scaling-plan/main.bicep @@ -155,7 +155,7 @@ resource scalingPlan_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2 resource scalingplan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(scalingPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/scaling-plan/main.json b/modules/desktop-virtualization/scaling-plan/main.json index aee281bcd0..8a5a0b2063 100644 --- a/modules/desktop-virtualization/scaling-plan/main.json +++ b/modules/desktop-virtualization/scaling-plan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16044277949435808798" + "templateHash": "16049673590929985376" }, "name": "Azure Virtual Desktop (AVD) Scaling Plans", "description": "This module deploys an Azure Virtual Desktop (AVD) Scaling Plan.", @@ -387,7 +387,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/scalingPlans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/scalingPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep index 9f93f1cae3..73f13bcc7f 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/max/main.test.bicep @@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: '${namePrefix}${serviceShort}001' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep index 4e2ea6cc47..5eedc422fe 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep @@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] diagnosticSettings: [ { name: 'customSetting' diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 641cdb7674..f363e71c1c 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -119,7 +119,17 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -187,7 +197,17 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -241,13 +261,6 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -308,15 +321,6 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/desktop-virtualization/workspace/main.bicep b/modules/desktop-virtualization/workspace/main.bicep index 36963fc0af..418a5c72d4 100644 --- a/modules/desktop-virtualization/workspace/main.bicep +++ b/modules/desktop-virtualization/workspace/main.bicep @@ -108,7 +108,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/desktop-virtualization/workspace/main.json b/modules/desktop-virtualization/workspace/main.json index 3f354c8932..dab0738414 100644 --- a/modules/desktop-virtualization/workspace/main.json +++ b/modules/desktop-virtualization/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2244374453334498480" + "templateHash": "13505731187520194526" }, "name": "Azure Virtual Desktop (AVD) Workspaces", "description": "This module deploys an Azure Virtual Desktop (AVD) Workspace.", @@ -357,7 +357,7 @@ "scope": "[format('Microsoft.DesktopVirtualization/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DesktopVirtualization/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep index 92de7edff9..7e08439b65 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/max/main.test.bicep @@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep index 4de3839aa1..78a62c1b38 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -86,13 +86,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index 6970eecd5d..b062197091 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -247,7 +247,17 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] schedules: [ @@ -532,7 +542,17 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -785,13 +805,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { } ] premiumDataDisks: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] schedules: [ { dailyRecurrence: { @@ -1069,15 +1082,6 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { "premiumDataDisks": { "value": "Enabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "schedules": { "value": [ { @@ -1464,7 +1468,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1512,7 +1516,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep index 784eb271af..75e9e340d9 100644 --- a/modules/dev-test-lab/lab/main.bicep +++ b/modules/dev-test-lab/lab/main.bicep @@ -292,7 +292,7 @@ module lab_costs 'cost/main.bicep' = if (!empty(costs)) { resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(lab.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -339,7 +339,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json index 049a0fad52..a5bb38da18 100644 --- a/modules/dev-test-lab/lab/main.json +++ b/modules/dev-test-lab/lab/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10325694451607731112" + "templateHash": "335466902333101649" }, "name": "DevTest Labs", "description": "This module deploys a DevTest Lab.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -431,7 +431,7 @@ "scope": "[format('Microsoft.DevTestLab/labs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DevTestLab/labs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -484,10 +484,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15407797032940609921" + "templateHash": "2685254804143459925" }, "name": "DevTest Lab Virtual Networks", - "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", + "description": "This module deploys a DevTest Lab Virtual Network.\n\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -657,10 +657,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9914622679648067397" + "templateHash": "5652685942577853564" }, "name": "DevTest Lab Policy Sets Policies", - "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", + "description": "This module deploys a DevTest Lab Policy Sets Policy.\n\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -862,10 +862,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12981849767656574818" + "templateHash": "1015942076148002236" }, "name": "DevTest Lab Schedules", - "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", + "description": "This module deploys a DevTest Lab Schedule.\n\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1086,10 +1086,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18307130406875558192" + "templateHash": "421100563759718119" }, "name": "DevTest Lab Notification Channels", - "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", + "description": "This module deploys a DevTest Lab Notification Channel.\n\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1270,10 +1270,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2347337632859394324" + "templateHash": "7965418783863447380" }, "name": "DevTest Lab Artifact Sources", - "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", + "description": "This module deploys a DevTest Lab Artifact Source.\n\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1486,10 +1486,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12516166788941938286" + "templateHash": "14581778776350915706" }, "name": "DevTest Lab Costs", - "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", + "description": "This module deploys a DevTest Lab Cost.\n\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep index c93e8c1ec2..21a1faa4f9 100644 --- a/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/max/main.test.bicep @@ -68,7 +68,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep index 2fe087e82c..fb32ba4ed3 100644 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -66,13 +66,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' resourceType: 'DevTest Lab' diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index a972da2410..b17f411ae0 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -716,7 +716,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -868,7 +868,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -924,7 +924,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -972,7 +972,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 435fbefba7..d70d7c7c03 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -198,7 +198,7 @@ resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticS resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -248,7 +248,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -325,7 +325,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index 6906b63c09..418e025eaf 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8178960412871211847" + "templateHash": "10882496143186980105" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -590,7 +590,7 @@ "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/document-db/database-account/README.md b/modules/document-db/database-account/README.md index 2c1640c6c2..d9167cbc22 100644 --- a/modules/document-db/database-account/README.md +++ b/modules/document-db/database-account/README.md @@ -139,7 +139,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -269,7 +279,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -519,7 +539,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -780,7 +810,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -846,7 +886,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -919,7 +969,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1001,7 +1061,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sqlDatabases: [ @@ -1170,7 +1240,17 @@ module databaseAccount 'br:bicep/modules/document-db.database-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1666,7 +1746,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1818,7 +1898,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1859,7 +1939,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1907,7 +1987,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/document-db/database-account/main.bicep b/modules/document-db/database-account/main.bicep index c59540db7f..728a5b2274 100644 --- a/modules/document-db/database-account/main.bicep +++ b/modules/document-db/database-account/main.bicep @@ -271,7 +271,7 @@ resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettin resource databaseAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(databaseAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -374,7 +374,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -451,7 +451,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/document-db/database-account/main.json b/modules/document-db/database-account/main.json index 5f9de4eea6..2b2a72a670 100644 --- a/modules/document-db/database-account/main.json +++ b/modules/document-db/database-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6369048122051620701" + "templateHash": "17655203248795781813" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -273,7 +273,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -759,7 +759,7 @@ "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep index 44f12410b3..49de1571cd 100644 --- a/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep +++ b/modules/document-db/database-account/tests/e2e/gremlindb/main.test.bicep @@ -144,7 +144,17 @@ module testDeployment '../../../main.bicep' = { location: location roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep index ddb9ac1a75..6acaad1ecb 100644 --- a/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep +++ b/modules/document-db/database-account/tests/e2e/mongodb/main.test.bicep @@ -277,7 +277,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep index c8dbd06e37..2b71669ee2 100644 --- a/modules/document-db/database-account/tests/e2e/plain/main.test.bicep +++ b/modules/document-db/database-account/tests/e2e/plain/main.test.bicep @@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep index aacecc5a6c..843e9e6afe 100644 --- a/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep +++ b/modules/document-db/database-account/tests/e2e/sqldb/main.test.bicep @@ -108,7 +108,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 3fb31b9d56..faca598780 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -346,7 +346,17 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuCapacity: 2 @@ -553,7 +563,17 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -835,13 +855,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { } ] publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuCapacity: 2 skuName: 'Standard' tags: { @@ -1041,15 +1054,6 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { "publicNetworkAccess": { "value": "Disabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuCapacity": { "value": 2 }, @@ -1104,7 +1108,7 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuCapacity`](#parameter-skucapacity) | int | The Event Hub's throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. | | [`skuName`](#parameter-skuname) | string | event hub plan SKU name. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -1443,7 +1447,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1595,7 +1599,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1646,7 +1650,7 @@ Enable infrastructure encryption (double encryption). Note, this setting require ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1659,7 +1663,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1707,7 +1711,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/event-hub/namespace/eventhub/README.md b/modules/event-hub/namespace/eventhub/README.md index c07d8cf98d..2b6f569738 100644 --- a/modules/event-hub/namespace/eventhub/README.md +++ b/modules/event-hub/namespace/eventhub/README.md @@ -55,7 +55,7 @@ This module deploys an Event Hub Namespace Event Hub. | [`retentionDescriptionCleanupPolicy`](#parameter-retentiondescriptioncleanuppolicy) | string | Retention cleanup policy. Enumerates the possible values for cleanup policy. | | [`retentionDescriptionRetentionTimeInHours`](#parameter-retentiondescriptionretentiontimeinhours) | int | Retention time in hours. Number of hours to retain the events for this Event Hub. This value is only used when cleanupPolicy is Delete. If cleanupPolicy is Compact the returned value of this property is Long.MaxValue. | | [`retentionDescriptionTombstoneRetentionTimeInHours`](#parameter-retentiondescriptiontombstoneretentiontimeinhours) | int | Retention cleanup policy. Number of hours to retain the tombstone markers of a compacted Event Hub. This value is only used when cleanupPolicy is Compact. Consumer must complete reading the tombstone marker within this specified amount of time if consumer begins from starting offset to ensure they get a valid snapshot for the specific key described by the tombstone marker within the compacted Event Hub. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of the Event Hub. | ### Parameter: `authorizationRules` @@ -251,7 +251,7 @@ Retention cleanup policy. Number of hours to retain the tombstone markers of a c ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -264,7 +264,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -312,7 +312,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/event-hub/namespace/eventhub/main.bicep b/modules/event-hub/namespace/eventhub/main.bicep index 3c35bc5d6a..1a7b842fb7 100644 --- a/modules/event-hub/namespace/eventhub/main.bicep +++ b/modules/event-hub/namespace/eventhub/main.bicep @@ -54,7 +54,7 @@ param consumergroups array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Name for capture destination.') @@ -210,7 +210,7 @@ module eventHub_authorizationRules 'authorization-rule/main.bicep' = [for (autho resource eventHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(eventHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -246,7 +246,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/event-hub/namespace/eventhub/main.json b/modules/event-hub/namespace/eventhub/main.json index 6a49ec7b04..fd2925ece3 100644 --- a/modules/event-hub/namespace/eventhub/main.json +++ b/modules/event-hub/namespace/eventhub/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5933888781308133415" + "version": "0.23.1.45101", + "templateHash": "8940174354642715236" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -190,7 +190,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "captureDescriptionDestinationName": { @@ -395,7 +395,7 @@ "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -441,8 +441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3522913919009222120" + "version": "0.23.1.45101", + "templateHash": "7142673381100704232" }, "name": "Event Hub Namespace Event Hub Consumer Groups", "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.", @@ -569,8 +569,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12245634232079362340" + "version": "0.23.1.45101", + "templateHash": "4935957739850887741" }, "name": "Event Hub Namespace Event Hub Authorization Rules", "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.", diff --git a/modules/event-hub/namespace/main.bicep b/modules/event-hub/namespace/main.bicep index d2d61ec7e5..15c2d861ac 100644 --- a/modules/event-hub/namespace/main.bicep +++ b/modules/event-hub/namespace/main.bicep @@ -89,7 +89,7 @@ param customerManagedKey customerManagedKeyType @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.') param requireInfrastructureEncryption bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -284,7 +284,7 @@ module eventHubNamespace_privateEndpoints '../../network/private-endpoint/main.b resource eventHubNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(eventHubNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -366,7 +366,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -443,7 +443,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/event-hub/namespace/main.json b/modules/event-hub/namespace/main.json index b9126fb393..3850b06fb2 100644 --- a/modules/event-hub/namespace/main.json +++ b/modules/event-hub/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8197964729486546650" + "templateHash": "16593644436338874715" }, "name": "Event Hub Namespaces", "description": "This module deploys an Event Hub Namespace.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -602,7 +602,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -732,7 +732,7 @@ "scope": "[format('Microsoft.EventHub/namespaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.EventHub/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1074,7 +1074,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "303986499638328151" + "templateHash": "8940174354642715236" }, "name": "Event Hub Namespace Event Hubs", "description": "This module deploys an Event Hub Namespace Event Hub.", @@ -1114,7 +1114,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1258,7 +1258,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "captureDescriptionDestinationName": { @@ -1463,7 +1463,7 @@ "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep index 488b5ffd14..c909eeb152 100644 --- a/modules/event-hub/namespace/tests/e2e/max/main.test.bicep +++ b/modules/event-hub/namespace/tests/e2e/max/main.test.bicep @@ -202,7 +202,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep index cc44ed4bea..c00b8c1668 100644 --- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -200,13 +200,6 @@ module testDeployment '../../../main.bicep' = { } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { systemAssigned: true userAssignedResourceIds: [ diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 79237275b6..6bc9b8f4a7 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md @@ -113,7 +113,17 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -166,7 +176,17 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -211,13 +231,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { '' ] } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -263,15 +276,6 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { ] } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -304,7 +308,7 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -374,7 +378,7 @@ Name of the resource. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -387,7 +391,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -435,7 +439,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/health-bot/health-bot/main.bicep b/modules/health-bot/health-bot/main.bicep index a871850e71..bf0e08c90d 100644 --- a/modules/health-bot/health-bot/main.bicep +++ b/modules/health-bot/health-bot/main.bicep @@ -22,7 +22,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -81,7 +81,7 @@ resource healthBot_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource healthBot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(healthBot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -122,7 +122,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/health-bot/health-bot/main.json b/modules/health-bot/health-bot/main.json index 407ce75492..538d2d760a 100644 --- a/modules/health-bot/health-bot/main.json +++ b/modules/health-bot/health-bot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8223277098210162532" + "templateHash": "582765600236650029" }, "name": "Azure Health Bots", "description": "This module deploys an Azure Health Bot.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -160,7 +160,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -240,7 +240,7 @@ "scope": "[format('Microsoft.HealthBot/healthBots/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.HealthBot/healthBots', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep index 95e2fb3513..d5e7889ab8 100644 --- a/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep +++ b/modules/health-bot/health-bot/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep index db64640a07..4e5cb79986 100644 --- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 157be90d8f..c16881ae98 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -211,7 +211,17 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -356,7 +366,17 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -489,13 +509,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { name: 'myCustomLockName' } publicNetworkAccess: 'Enabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -633,15 +646,6 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { "publicNetworkAccess": { "value": "Enabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -676,7 +680,7 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `dicomservices` @@ -763,7 +767,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -776,7 +780,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -824,7 +828,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/healthcare-apis/workspace/fhirservice/README.md b/modules/healthcare-apis/workspace/fhirservice/README.md index 812564b302..958af930d2 100644 --- a/modules/healthcare-apis/workspace/fhirservice/README.md +++ b/modules/healthcare-apis/workspace/fhirservice/README.md @@ -60,7 +60,7 @@ This module deploys a Healthcare API Workspace FHIR Service. | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | [`resourceVersionOverrides`](#parameter-resourceversionoverrides) | object | A list of FHIR Resources and their version policy overrides. | | [`resourceVersionPolicy`](#parameter-resourceversionpolicy) | string | The default value for tracking history across all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`smartProxyEnabled`](#parameter-smartproxyenabled) | bool | If the SMART on FHIR proxy is enabled. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -413,7 +413,7 @@ The default value for tracking history across all resources. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -426,7 +426,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -474,7 +474,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/healthcare-apis/workspace/fhirservice/main.bicep b/modules/healthcare-apis/workspace/fhirservice/main.bicep index 57d17573b7..b41f57a9b9 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.bicep +++ b/modules/healthcare-apis/workspace/fhirservice/main.bicep @@ -75,7 +75,7 @@ param initialImportMode bool = false @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @allowed([ @@ -236,7 +236,7 @@ resource fhir_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05- resource fhir_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(fhir.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -286,7 +286,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/healthcare-apis/workspace/fhirservice/main.json b/modules/healthcare-apis/workspace/fhirservice/main.json index fce246a502..f02cfeeaed 100644 --- a/modules/healthcare-apis/workspace/fhirservice/main.json +++ b/modules/healthcare-apis/workspace/fhirservice/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2224237744308505065" + "templateHash": "13185908730981475512" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -387,7 +387,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { @@ -590,7 +590,7 @@ "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/healthcare-apis/workspace/main.bicep b/modules/healthcare-apis/workspace/main.bicep index dae1a76439..dfc7fa3888 100644 --- a/modules/healthcare-apis/workspace/main.bicep +++ b/modules/healthcare-apis/workspace/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @allowed([ @@ -92,7 +92,7 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -204,7 +204,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/healthcare-apis/workspace/main.json b/modules/healthcare-apis/workspace/main.json index ea29fb1d3f..919958fc5a 100644 --- a/modules/healthcare-apis/workspace/main.json +++ b/modules/healthcare-apis/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "293789912767761082" + "templateHash": "16618408806092022062" }, "name": "Healthcare API Workspaces", "description": "This module deploys a Healthcare API Workspace.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -129,7 +129,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { @@ -247,7 +247,7 @@ "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -326,7 +326,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2224237744308505065" + "templateHash": "13185908730981475512" }, "name": "Healthcare API Workspace FHIR Services", "description": "This module deploys a Healthcare API Workspace FHIR Service.", @@ -389,7 +389,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -707,7 +707,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { @@ -910,7 +910,7 @@ "scope": "[format('Microsoft.HealthcareApis/workspaces/{0}/fhirservices/{1}', parameters('workspaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.HealthcareApis/workspaces/fhirservices', parameters('workspaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep index d60b106eae..3d1bf48e56 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/max/main.test.bicep @@ -155,7 +155,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep index cf7c124a03..bc4990b2d3 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -153,13 +153,6 @@ module testDeployment '../../../main.bicep' = { ] } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 09d6045d46..d6bec73204 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -86,7 +86,17 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopes: [ @@ -167,7 +177,17 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -244,13 +264,6 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { } ] enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopes: [ '' ] @@ -324,15 +337,6 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopes": { "value": [ "" @@ -371,7 +375,7 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { | [`enabled`](#parameter-enabled) | bool | Indicates whether this alert is enabled. | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopes`](#parameter-scopes) | array | The list of resource IDs that this Activity Log Alert is scoped to. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -424,7 +428,7 @@ The name of the alert. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -437,7 +441,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -485,7 +489,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/activity-log-alert/main.bicep b/modules/insights/activity-log-alert/main.bicep index 98263ac6db..86c5717716 100644 --- a/modules/insights/activity-log-alert/main.bicep +++ b/modules/insights/activity-log-alert/main.bicep @@ -25,7 +25,7 @@ param actions array = [] @description('Required. An Array of objects containing conditions that will cause this alert to activate. Conditions can also be combined with logical operators `allOf` and `anyOf`. Each condition can specify only one field between `equals` and `containsAny`. An alert rule condition must have exactly one category (Administrative, ServiceHealth, ResourceHealth, Alert, Autoscale, Recommendation, Security, or Policy).') param conditions array -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -79,7 +79,7 @@ resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = { resource activityLogAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(activityLogAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -106,7 +106,7 @@ output location string = activityLogAlert.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/activity-log-alert/main.json b/modules/insights/activity-log-alert/main.json index 34e3b67f45..404dcfedae 100644 --- a/modules/insights/activity-log-alert/main.json +++ b/modules/insights/activity-log-alert/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "367673046450488883" + "templateHash": "10623125824018281845" }, "name": "Activity Log Alerts", "description": "This module deploys an Activity Log Alert.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -133,7 +133,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -213,7 +213,7 @@ "scope": "[format('Microsoft.Insights/activityLogAlerts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/activityLogAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep index f0b393e71e..09f337ec7c 100644 --- a/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/max/main.test.bicep @@ -93,7 +93,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep index 4d12202f85..4efeddccfe 100644 --- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep @@ -91,13 +91,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' actionGroupId: nestedDependencies.outputs.actionGroupResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scopes: [ subscription().id ] diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 4b38911013..4f94650da2 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -284,7 +284,7 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | The configuration to set whether network access from public internet to the endpoints are allowed. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | ### Parameter: `enableDefaultTelemetry` @@ -364,7 +364,7 @@ The configuration to set whether network access from public internet to the endp ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -377,7 +377,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -425,7 +425,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/data-collection-endpoint/main.bicep b/modules/insights/data-collection-endpoint/main.bicep index e6e65306b7..b4f4003adb 100644 --- a/modules/insights/data-collection-endpoint/main.bicep +++ b/modules/insights/data-collection-endpoint/main.bicep @@ -25,7 +25,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The configuration to set whether network access from public internet to the endpoints are allowed.') @@ -86,7 +86,7 @@ resource dataCollectionEndpoint_lock 'Microsoft.Authorization/locks@2020-05-01' resource dataCollectionEndpoint_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(dataCollectionEndpoint.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/data-collection-endpoint/main.json b/modules/insights/data-collection-endpoint/main.json index 99cde4054c..fbababc42e 100644 --- a/modules/insights/data-collection-endpoint/main.json +++ b/modules/insights/data-collection-endpoint/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13482359133825530422" + "templateHash": "15918286561058568413" }, "name": "Data Collection Endpoints", "description": "This module deploys a Data Collection Endpoint.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -146,7 +146,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { @@ -229,7 +229,7 @@ "scope": "[format('Microsoft.Insights/dataCollectionEndpoints/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/data-collection-rule/main.bicep b/modules/insights/data-collection-rule/main.bicep index 14cb3af5b9..e5086019f1 100644 --- a/modules/insights/data-collection-rule/main.bicep +++ b/modules/insights/data-collection-rule/main.bicep @@ -100,7 +100,7 @@ resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if resource dataCollectionRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(dataCollectionRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/insights/data-collection-rule/main.json b/modules/insights/data-collection-rule/main.json index 465b252587..f35574da13 100644 --- a/modules/insights/data-collection-rule/main.json +++ b/modules/insights/data-collection-rule/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9197823813224298423" + "templateHash": "10935624485627515874" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule.", @@ -260,7 +260,7 @@ "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index 2a8c4ddd54..73bea47720 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -64,7 +64,17 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -125,7 +135,17 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -184,13 +204,6 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { ] alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' enableDefaultTelemetry: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -244,15 +257,6 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { "enableDefaultTelemetry": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -305,7 +309,7 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`evaluationFrequency`](#parameter-evaluationfrequency) | string | how often the metric alert is evaluated represented in ISO 8601 duration format. | | [`location`](#parameter-location) | string | Location for all resources. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopes`](#parameter-scopes) | array | the list of resource IDs that this metric alert is scoped to. | | [`severity`](#parameter-severity) | int | The severity of the alert. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -399,7 +403,7 @@ The name of the alert. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -412,7 +416,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -460,7 +464,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/metric-alert/main.bicep b/modules/insights/metric-alert/main.bicep index 3dad0cc566..9ac5667d66 100644 --- a/modules/insights/metric-alert/main.bicep +++ b/modules/insights/metric-alert/main.bicep @@ -75,7 +75,7 @@ param alertCriteriaType string = 'Microsoft.Azure.Monitor.MultipleResourceMultip @description('Required. Criterias to trigger the alert. Array of \'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria\' or \'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria\' objects. When using MultipleResourceMultipleMetricCriteria criteria type, some parameters becomes mandatory. It is not possible to convert from SingleResourceMultipleMetricCriteria to MultipleResourceMultipleMetricCriteria. The alert must be deleted and recreated.') param criterias array -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -134,7 +134,7 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = { resource metricAlert_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(metricAlert.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -161,7 +161,7 @@ output location string = metricAlert.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/metric-alert/main.json b/modules/insights/metric-alert/main.json index 2db2abd469..bb99105f80 100644 --- a/modules/insights/metric-alert/main.json +++ b/modules/insights/metric-alert/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5346116636281635704" + "templateHash": "3497356791031567888" }, "name": "Metric Alerts", "description": "This module deploys a Metric Alert.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -211,7 +211,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -296,7 +296,7 @@ "scope": "[format('Microsoft.Insights/metricAlerts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/metricAlerts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep index aff5f631ca..ef36753b63 100644 --- a/modules/insights/metric-alert/tests/e2e/max/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/max/main.test.bicep @@ -71,7 +71,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep index edad7e8898..8af9b43124 100644 --- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep @@ -69,13 +69,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.actionGroupResourceId ] alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] targetResourceRegion: 'westeurope' targetResourceType: 'microsoft.compute/virtualmachines' windowSize: 'PT15M' diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 847be38edc..dbe63cc67b 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -113,7 +113,17 @@ This instance deploys the module with most of its features enabled. { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopedResources: [ @@ -171,7 +181,17 @@ This instance deploys the module with most of its features enabled. { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -226,13 +246,6 @@ This instance deploys the module in alignment with the best-practices of the Azu } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopedResources: [ { linkedResourceId: '' @@ -283,15 +296,6 @@ This instance deploys the module in alignment with the best-practices of the Azu } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopedResources": { "value": [ { @@ -331,7 +335,7 @@ This instance deploys the module in alignment with the best-practices of the Azu | [`location`](#parameter-location) | string | The location of the private link scope. Should be global. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scopedResources`](#parameter-scopedresources) | array | Configuration details for Azure Monitor Resources. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -402,7 +406,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -554,7 +558,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -582,7 +586,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -595,7 +599,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -643,7 +647,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep index 1a4c327c37..aff38da1dd 100644 --- a/modules/insights/private-link-scope/main.bicep +++ b/modules/insights/private-link-scope/main.bicep @@ -12,7 +12,7 @@ param location string = 'global' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for Azure Monitor Resources.') @@ -102,7 +102,7 @@ module privateLinkScope_privateEndpoints '../../network/private-endpoint/main.bi resource privateLinkScope_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(privateLinkScope.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -138,7 +138,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -215,7 +215,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/insights/private-link-scope/main.json b/modules/insights/private-link-scope/main.json index 36e1148e6e..826cdce33e 100644 --- a/modules/insights/private-link-scope/main.json +++ b/modules/insights/private-link-scope/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2298112212939244874" + "templateHash": "3912801049685613645" }, "name": "Azure Monitor Private Link Scopes", "description": "This module deploys an Azure Monitor Private Link Scope.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -304,7 +304,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scopedResources": { @@ -392,7 +392,7 @@ "scope": "[format('microsoft.insights/privateLinkScopes/{0}', parameters('name'))]", "name": "[guid(resourceId('microsoft.insights/privateLinkScopes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep index dc9ca75fdc..917468f472 100644 --- a/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/max/main.test.bicep @@ -76,7 +76,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep index c18ef415f3..8fa06958a0 100644 --- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -74,13 +74,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index c243ee7cbb..ea540474e8 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -83,7 +83,17 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] suppressForMinutes: 'PT5M' @@ -168,7 +178,17 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -243,13 +263,6 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' enableDefaultTelemetry: '' evaluationFrequency: 'PT5M' queryTimeRange: 'PT5M' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] suppressForMinutes: 'PT5M' tags: { Environment: 'Non-Prod' @@ -327,15 +340,6 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' "queryTimeRange": { "value": "PT5M" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "suppressForMinutes": { "value": "PT5M" }, @@ -380,7 +384,7 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' | [`kind`](#parameter-kind) | string | Indicates the type of scheduled query rule. | | [`location`](#parameter-location) | string | Location for all resources. | | [`queryTimeRange`](#parameter-querytimerange) | string | If specified (in ISO 8601 duration format) then overrides the query time range. Relevant only for rules of the kind LogAlert. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`severity`](#parameter-severity) | int | Severity of the alert. Should be an integer between [0-4]. Value of 0 is severest. Relevant and required only for rules of the kind LogAlert. | | [`skipQueryValidation`](#parameter-skipqueryvalidation) | bool | The flag which indicates whether the provided query should be validated or not. Relevant only for rules of the kind LogAlert. | | [`suppressForMinutes`](#parameter-suppressforminutes) | string | Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired. If set, autoMitigate must be disabled.Relevant only for rules of the kind LogAlert. | @@ -472,7 +476,7 @@ If specified (in ISO 8601 duration format) then overrides the query time range. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -485,7 +489,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -533,7 +537,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/insights/scheduled-query-rule/main.bicep b/modules/insights/scheduled-query-rule/main.bicep index 2d4ac0bd58..5a205cd495 100644 --- a/modules/insights/scheduled-query-rule/main.bicep +++ b/modules/insights/scheduled-query-rule/main.bicep @@ -33,7 +33,7 @@ param skipQueryValidation bool = false @description('Optional. List of resource type of the target resource(s) on which the alert is created/updated. For example if the scope is a resource group and targetResourceTypes is Microsoft.Compute/virtualMachines, then a different alert will be fired for each virtual machine in the resource group which meet the alert criteria. Relevant only for rules of the kind LogAlert.') param targetResourceTypes array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Required. The list of resource IDs that this scheduled query rule is scoped to.') @@ -119,7 +119,7 @@ resource queryRule 'Microsoft.Insights/scheduledQueryRules@2021-02-01-preview' = resource queryRule_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(queryRule.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -146,7 +146,7 @@ output location string = queryRule.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/insights/scheduled-query-rule/main.json b/modules/insights/scheduled-query-rule/main.json index 031154f77b..87d5b4cd95 100644 --- a/modules/insights/scheduled-query-rule/main.json +++ b/modules/insights/scheduled-query-rule/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13321854191011496877" + "templateHash": "12406976097155234839" }, "name": "Scheduled Query Rules", "description": "This module deploys a Scheduled Query Rule.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -150,7 +150,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "scopes": { @@ -283,7 +283,7 @@ "scope": "[format('Microsoft.Insights/scheduledQueryRules/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/scheduledQueryRules', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep index 703927ec7c..b6aa16ced8 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/max/main.test.bicep @@ -87,7 +87,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' queryTimeRange: 'PT5M' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep index 3690a19042..3504694196 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep @@ -85,13 +85,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } evaluationFrequency: 'PT5M' queryTimeRange: 'PT5M' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scopes: [ nestedDependencies.outputs.logAnalyticsWorkspaceResourceId ] diff --git a/modules/insights/webtest/main.bicep b/modules/insights/webtest/main.bicep index 7f464360ba..b5d72e8b02 100644 --- a/modules/insights/webtest/main.bicep +++ b/modules/insights/webtest/main.bicep @@ -129,7 +129,7 @@ resource webtest_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource webtest_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(webtest.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/insights/webtest/main.json b/modules/insights/webtest/main.json index 332045650c..5275b0e4c2 100644 --- a/modules/insights/webtest/main.json +++ b/modules/insights/webtest/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8858444279583976442" + "templateHash": "1408808004644515116" }, "name": "Web Tests", "description": "This module deploys a Web Test.", @@ -317,7 +317,7 @@ "scope": "[format('Microsoft.Insights/webtests/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Insights/webtests', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index 4f79f5409d..cb7a86c358 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -337,7 +337,17 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -475,7 +485,17 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -585,13 +605,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -722,15 +735,6 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", diff --git a/modules/machine-learning-services/workspace/main.bicep b/modules/machine-learning-services/workspace/main.bicep index 6fd6b14e6f..a80c313a99 100644 --- a/modules/machine-learning-services/workspace/main.bicep +++ b/modules/machine-learning-services/workspace/main.bicep @@ -269,7 +269,7 @@ module workspace_privateEndpoints '../../network/private-endpoint/main.bicep' = resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/machine-learning-services/workspace/main.json b/modules/machine-learning-services/workspace/main.json index beecae4279..10c91f2d3c 100644 --- a/modules/machine-learning-services/workspace/main.json +++ b/modules/machine-learning-services/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14893819276831488808" + "templateHash": "262742885593710440" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", @@ -740,7 +740,7 @@ "scope": "[format('Microsoft.MachineLearningServices/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -798,10 +798,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15942233592020548593" + "templateHash": "10790106014691997162" }, "name": "Machine Learning Services Workspaces Computes", - "description": "This module deploys a Machine Learning Services Workspaces Compute.\r\n\r\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", + "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, "definitions": { diff --git a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep index ed13d35628..f09fb15a5c 100644 --- a/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep +++ b/modules/machine-learning-services/workspace/tests/e2e/max/main.test.bicep @@ -142,7 +142,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep index 21ded20172..416696a964 100644 --- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -140,13 +140,6 @@ module testDeployment '../../../main.bicep' = { } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] managedIdentities: { systemAssigned: false userAssignedResourceIds: [ diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 208ba523f4..52d305a61f 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -130,7 +130,17 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -209,7 +219,17 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -278,13 +298,6 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config timeZone: 'W. Europe Standard Time' } namespace: 'mmcwafns' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -356,15 +369,6 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config "namespace": { "value": "mmcwafns" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -403,7 +407,7 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config | [`maintenanceScope`](#parameter-maintenancescope) | string | Gets or sets maintenanceScope of the configuration. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Definition of a MaintenanceWindow. | | [`namespace`](#parameter-namespace) | string | Gets or sets namespace of the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Gets or sets tags of the resource. | | [`visibility`](#parameter-visibility) | string | Gets or sets the visibility of the configuration. The default value is 'Custom'. | @@ -502,7 +506,7 @@ Gets or sets namespace of the resource. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -515,7 +519,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -563,7 +567,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/maintenance/maintenance-configuration/main.bicep b/modules/maintenance/maintenance-configuration/main.bicep index d3cf44d377..8a885c291f 100644 --- a/modules/maintenance/maintenance-configuration/main.bicep +++ b/modules/maintenance/maintenance-configuration/main.bicep @@ -38,7 +38,7 @@ param maintenanceWindow object = {} @description('Optional. Gets or sets namespace of the resource.') param namespace string = '' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Gets or sets tags of the resource.') @@ -106,7 +106,7 @@ resource maintenanceConfiguration_lock 'Microsoft.Authorization/locks@2020-05-01 resource maintenanceConfiguration_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(maintenanceConfiguration.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -146,7 +146,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/maintenance/maintenance-configuration/main.json b/modules/maintenance/maintenance-configuration/main.json index 783f5211ae..4876cc4f59 100644 --- a/modules/maintenance/maintenance-configuration/main.json +++ b/modules/maintenance/maintenance-configuration/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17577108209638713488" + "templateHash": "11566518301977789457" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -171,7 +171,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -265,7 +265,7 @@ "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep index 27067531c7..dc3d91a268 100644 --- a/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/tests/e2e/max/main.test.bicep @@ -67,7 +67,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep index 69183f0070..19697a964c 100644 --- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -65,13 +65,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Environment: 'Non-Prod' Role: 'DeploymentValidation' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] maintenanceScope: 'InGuestPatch' maintenanceWindow: { duration: '03:00' diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index c2e921ae09..5cf66b9f42 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -104,7 +104,17 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -157,7 +167,17 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -204,13 +224,6 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide name: 'myCustomLockName' } name: 'miuaiwaf001' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -256,15 +269,6 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide "name": { "value": "miuaiwaf001" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -291,7 +295,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the User Assigned Identity. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -351,7 +355,7 @@ Name of the User Assigned Identity. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -364,7 +368,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -412,7 +416,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index ff35c43d96..19afb3549c 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep @@ -14,7 +14,7 @@ param federatedIdentityCredentials array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -77,7 +77,7 @@ module userMsi_federatedIdentityCredentials 'federated-identity-credential/main. resource userMsi_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(userAssignedIdentity.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -119,7 +119,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index c4e94ee69a..b143e7a16b 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5498176834182987595" + "templateHash": "13454855788862691467" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -136,7 +136,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -212,7 +212,7 @@ "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index 1f0bb1dc8e..f633bc4d28 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -69,7 +69,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep index f2ab92ca67..17904d21b4 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -67,13 +67,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' subject: 'system:serviceaccount:default:workload-identity-sa' } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/net-app/net-app-account/README.md b/modules/net-app/net-app-account/README.md index f80c9ca0cf..934610d17a 100644 --- a/modules/net-app/net-app-account/README.md +++ b/modules/net-app/net-app-account/README.md @@ -164,7 +164,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -275,7 +285,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -392,7 +412,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -514,7 +544,17 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -559,7 +599,7 @@ module netAppAccount 'br:bicep/modules/net-app.net-app-account:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | | [`tags`](#parameter-tags) | object | Tags for all resources. | @@ -672,7 +712,7 @@ The name of the NetApp account. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -685,7 +725,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -733,7 +773,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md index 376ed58ced..5b2c659aec 100644 --- a/modules/net-app/net-app-account/capacity-pool/README.md +++ b/modules/net-app/net-app-account/capacity-pool/README.md @@ -41,7 +41,7 @@ This module deploys an Azure NetApp Files Capacity Pool. | [`encryptionType`](#parameter-encryptiontype) | string | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | | [`location`](#parameter-location) | string | Location of the pool volume. | | [`qosType`](#parameter-qostype) | string | The qos type of the pool. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. | | [`tags`](#parameter-tags) | object | Tags for all resources. | | [`volumes`](#parameter-volumes) | array | List of volumnes to create in the capacity pool. | @@ -109,7 +109,7 @@ The qos type of the pool. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -122,7 +122,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -170,7 +170,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep index 654d1e8af8..213245ba7e 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/main.bicep @@ -39,7 +39,7 @@ param volumes array = [] @description('Optional. If enabled (true) the pool can contain cool Access enabled volumes.') param coolAccess bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.') @@ -114,7 +114,7 @@ module capacityPool_volumes 'volume/main.bicep' = [for (volume, index) in volume resource capacityPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(capacityPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -141,7 +141,7 @@ output location string = capacityPool.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/net-app/net-app-account/capacity-pool/main.json b/modules/net-app/net-app-account/capacity-pool/main.json index 0582a97c81..464a90fcd8 100644 --- a/modules/net-app/net-app-account/capacity-pool/main.json +++ b/modules/net-app/net-app-account/capacity-pool/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5973731463189380166" + "version": "0.23.1.45101", + "templateHash": "15353329491336313807" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -154,7 +154,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "encryptionType": { @@ -234,7 +234,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -298,8 +298,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15651177191996280153" + "version": "0.23.1.45101", + "templateHash": "3662331312918191126" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -314,7 +314,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -448,7 +448,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -525,7 +525,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/net-app/net-app-account/capacity-pool/volume/README.md b/modules/net-app/net-app-account/capacity-pool/volume/README.md index ebfb90556a..fd898c8faf 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/README.md +++ b/modules/net-app/net-app-account/capacity-pool/volume/README.md @@ -42,7 +42,7 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. | | [`location`](#parameter-location) | string | Location of the pool volume. | | [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. | ### Parameter: `capacityPoolName` @@ -100,7 +100,7 @@ Set of protocol types. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -113,7 +113,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -161,7 +161,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep index 71e47b1ad4..5870382621 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/main.bicep +++ b/modules/net-app/net-app-account/capacity-pool/volume/main.bicep @@ -38,7 +38,7 @@ param subnetResourceId string @description('Optional. Export policy rules.') param exportPolicyRules array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -91,7 +91,7 @@ resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-0 resource volume_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(volume.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -118,7 +118,7 @@ output location string = volume.location // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/net-app/net-app-account/capacity-pool/volume/main.json b/modules/net-app/net-app-account/capacity-pool/volume/main.json index ac86c91c85..5e0f1b20ef 100644 --- a/modules/net-app/net-app-account/capacity-pool/volume/main.json +++ b/modules/net-app/net-app-account/capacity-pool/volume/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15651177191996280153" + "version": "0.23.1.45101", + "templateHash": "3662331312918191126" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -155,7 +155,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -232,7 +232,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/net-app/net-app-account/main.bicep b/modules/net-app/net-app-account/main.bicep index cdb0ed0768..2fc4c5833d 100644 --- a/modules/net-app/net-app-account/main.bicep +++ b/modules/net-app/net-app-account/main.bicep @@ -30,7 +30,7 @@ param capacityPools array = [] @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentitiesType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Location for all resources.') @@ -107,7 +107,7 @@ resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(netAppAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -166,7 +166,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/net-app/net-app-account/main.json b/modules/net-app/net-app-account/main.json index 71e7b63ee3..862b3c67db 100644 --- a/modules/net-app/net-app-account/main.json +++ b/modules/net-app/net-app-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14030600332300784655" + "templateHash": "8081072067801758787" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -185,7 +185,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "location": { @@ -288,7 +288,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -347,7 +347,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1846961475837822728" + "templateHash": "15353329491336313807" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -362,7 +362,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -495,7 +495,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "encryptionType": { @@ -575,7 +575,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}', parameters('netAppAccountName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -640,7 +640,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3333217353540724741" + "templateHash": "3662331312918191126" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -655,7 +655,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -789,7 +789,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -866,7 +866,7 @@ "scope": "[format('Microsoft.NetApp/netAppAccounts/{0}/capacityPools/{1}/volumes/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep index e1a7ed7917..dc2b95f9b3 100644 --- a/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep +++ b/modules/net-app/net-app-account/tests/e2e/nfs3/main.test.bicep @@ -118,7 +118,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep index 4b8bc76afa..a751b084cc 100644 --- a/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep +++ b/modules/net-app/net-app-account/tests/e2e/nfs41/main.test.bicep @@ -124,7 +124,17 @@ module testDeployment '../../../main.bicep' = { ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index e337338c52..3f9491ef5b 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -427,7 +427,17 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'WAF_v2' @@ -906,7 +916,17 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1357,13 +1377,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'WAF_v2' sslCertificates: [ { @@ -1835,15 +1848,6 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "WAF_v2" }, @@ -1943,7 +1947,7 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = | [`redirectConfigurations`](#parameter-redirectconfigurations) | array | Redirect configurations of the application gateway resource. | | [`requestRoutingRules`](#parameter-requestroutingrules) | array | Request routing rules of the application gateway resource. | | [`rewriteRuleSets`](#parameter-rewriterulesets) | array | Rewrite rules for the application gateway resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`routingRules`](#parameter-routingrules) | array | Routing rules of the application gateway resource. | | [`sku`](#parameter-sku) | string | The name of the SKU for the Application Gateway. | | [`sslCertificates`](#parameter-sslcertificates) | array | SSL certificates of the application gateway resource. | @@ -2292,7 +2296,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -2444,7 +2448,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -2507,7 +2511,7 @@ Rewrite rules for the application gateway resource. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2520,7 +2524,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2568,7 +2572,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/application-gateway/main.bicep b/modules/network/application-gateway/main.bicep index 99e2acb087..ddcb2e145b 100644 --- a/modules/network/application-gateway/main.bicep +++ b/modules/network/application-gateway/main.bicep @@ -195,7 +195,7 @@ var enableReferencedModulesTelemetry = false @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -358,7 +358,7 @@ module applicationGateway_privateEndpoints '../../network/private-endpoint/main. resource applicationGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(applicationGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -399,7 +399,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -476,7 +476,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/network/application-gateway/main.json b/modules/network/application-gateway/main.json index 0c9f3e9049..c2301f3546 100644 --- a/modules/network/application-gateway/main.json +++ b/modules/network/application-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17602945870289276113" + "templateHash": "12788892286757802636" }, "name": "Network Application Gateways", "description": "This module deploys a Network Application Gateway.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -265,7 +265,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -743,7 +743,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -866,7 +866,7 @@ "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/applicationGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/application-gateway/tests/e2e/max/main.test.bicep b/modules/network/application-gateway/tests/e2e/max/main.test.bicep index 895da7a68c..eed5a5bb44 100644 --- a/modules/network/application-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/max/main.test.bicep @@ -417,7 +417,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep index 52253dd7c9..be6d16d560 100644 --- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -415,13 +415,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] sku: 'WAF_v2' sslCertificates: [ { diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 362a0f108d..fc21701695 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -54,7 +54,17 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -97,7 +107,17 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -136,13 +156,6 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -178,15 +191,6 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -217,7 +221,7 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -269,7 +273,7 @@ Name of the Application Security Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -282,7 +286,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -330,7 +334,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/application-security-group/main.bicep b/modules/network/application-security-group/main.bicep index 55bacf2d7e..61539b0fba 100644 --- a/modules/network/application-security-group/main.bicep +++ b/modules/network/application-security-group/main.bicep @@ -11,7 +11,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -59,7 +59,7 @@ resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2020-05-01 resource applicationSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(applicationSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -95,7 +95,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/application-security-group/main.json b/modules/network/application-security-group/main.json index 81e7562d2c..96b1855d26 100644 --- a/modules/network/application-security-group/main.json +++ b/modules/network/application-security-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4261949823005751944" + "templateHash": "10321097929330960711" }, "name": "Application Security Groups (ASG)", "description": "This module deploys an Application Security Group (ASG).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -128,7 +128,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -202,7 +202,7 @@ "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/application-security-group/tests/e2e/max/main.test.bicep b/modules/network/application-security-group/tests/e2e/max/main.test.bicep index 1c6db275ed..8adbe4a43e 100644 --- a/modules/network/application-security-group/tests/e2e/max/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep index 37d595cd4f..b4cec250c2 100644 --- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 1a29630003..ccb0cb3de8 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -567,7 +567,17 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -720,7 +730,17 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -865,13 +885,6 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { } ] publicIPResourceID: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -1017,15 +1030,6 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { "publicIPResourceID": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -1085,7 +1089,7 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { | [`networkRuleCollections`](#parameter-networkrulecollections) | array | Collection of network rule collections used by Azure Firewall. | | [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by the Firewall, if no existing public IP was provided. | | [`publicIPResourceID`](#parameter-publicipresourceid) | string | The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the Azure Firewall resource. | | [`threatIntelMode`](#parameter-threatintelmode) | string | The operation mode for Threat Intel. | | [`zones`](#parameter-zones) | array | Zone numbers e.g. 1,2,3. | @@ -1344,7 +1348,7 @@ The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, the ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1357,7 +1361,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1405,7 +1409,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/azure-firewall/main.bicep b/modules/network/azure-firewall/main.bicep index d6e785f395..4e804feab2 100644 --- a/modules/network/azure-firewall/main.bicep +++ b/modules/network/azure-firewall/main.bicep @@ -75,7 +75,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the Azure Firewall resource.') @@ -269,7 +269,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings resource azureFirewall_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(azureFirewall.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -320,7 +320,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/azure-firewall/main.json b/modules/network/azure-firewall/main.json index 7d62269841..2b0ceaa962 100644 --- a/modules/network/azure-firewall/main.json +++ b/modules/network/azure-firewall/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13795244529737704006" + "templateHash": "11269425307217554818" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -361,7 +361,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -479,7 +479,7 @@ "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep index 22a9bd66d0..6952eb7b58 100644 --- a/modules/network/azure-firewall/tests/e2e/max/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/max/main.test.bicep @@ -172,7 +172,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep index eb3d525802..12b95314ae 100644 --- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -170,13 +170,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] zones: [ '1' '2' diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 5524340559..583131bb54 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -254,7 +254,17 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scaleUnits: 4 @@ -328,7 +338,17 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -388,13 +408,6 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scaleUnits: 4 skuName: 'Standard' tags: { @@ -461,15 +474,6 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scaleUnits": { "value": 4 }, @@ -515,7 +519,7 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. | | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -718,7 +722,7 @@ Specifies the properties of the Public IP to create and be used by Azure Bastion ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -731,7 +735,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -779,7 +783,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/bastion-host/main.bicep b/modules/network/bastion-host/main.bicep index 8877a5af1d..6c04ffdd8d 100644 --- a/modules/network/bastion-host/main.bicep +++ b/modules/network/bastion-host/main.bicep @@ -50,7 +50,7 @@ param enableShareableLink bool = false @description('Optional. The scale units for the Bastion Host resource.') param scaleUnits int = 2 -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -176,7 +176,7 @@ resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ resource azureBastion_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(azureBastion.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -215,7 +215,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/bastion-host/main.json b/modules/network/bastion-host/main.json index e767ea151b..6e0ee971c0 100644 --- a/modules/network/bastion-host/main.json +++ b/modules/network/bastion-host/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18247198571712055537" + "templateHash": "7116007649539447611" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -297,7 +297,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -400,7 +400,7 @@ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/bastionHosts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/bastion-host/tests/e2e/max/main.test.bicep b/modules/network/bastion-host/tests/e2e/max/main.test.bicep index 2623cdb0d2..f7b87a0177 100644 --- a/modules/network/bastion-host/tests/e2e/max/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/max/main.test.bicep @@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep index c94cc48d12..a8095f58e2 100644 --- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] scaleUnits: 4 skuName: 'Standard' tags: { diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 0a82054e08..583e7a2350 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -103,7 +103,17 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -146,7 +156,17 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -185,13 +205,6 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -227,15 +240,6 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -266,7 +270,7 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -318,7 +322,7 @@ Name of the DDoS protection plan to assign the VNET to. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -331,7 +335,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -379,7 +383,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/ddos-protection-plan/main.bicep b/modules/network/ddos-protection-plan/main.bicep index 71111c0e8f..3f9b8b415d 100644 --- a/modules/network/ddos-protection-plan/main.bicep +++ b/modules/network/ddos-protection-plan/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -60,7 +60,7 @@ resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if resource ddosProtectionPlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -96,7 +96,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/ddos-protection-plan/main.json b/modules/network/ddos-protection-plan/main.json index 8aaaa921fd..3d92c7a798 100644 --- a/modules/network/ddos-protection-plan/main.json +++ b/modules/network/ddos-protection-plan/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10546222584302877653" + "version": "0.23.1.45101", + "templateHash": "13726158545733724947" }, "name": "DDoS Protection Plans", "description": "This module deploys a DDoS Protection Plan.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -129,7 +129,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -203,7 +203,7 @@ "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep index 5ef4541d51..e020dc11a8 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/max/main.test.bicep @@ -58,7 +58,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep index 8bdf24f0bd..593e44c39b 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep @@ -56,13 +56,6 @@ module testDeployment '../../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 1a35356326..6f7e013b74 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -134,7 +134,17 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuFamily: 'MeteredData' @@ -207,7 +217,17 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -270,13 +290,6 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuFamily: 'MeteredData' skuTier: 'Standard' tags: { @@ -342,15 +355,6 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuFamily": { "value": "MeteredData" }, @@ -399,7 +403,7 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0 | [`peering`](#parameter-peering) | bool | Enabled BGP peering type for the Circuit. | | [`peeringType`](#parameter-peeringtype) | string | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | | [`primaryPeerAddressPrefix`](#parameter-primarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link1. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`secondaryPeerAddressPrefix`](#parameter-secondarypeeraddressprefix) | string | A /30 subnet used to configure IP addresses for interfaces on Link2. | | [`sharedKey`](#parameter-sharedkey) | string | The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required. | | [`skuFamily`](#parameter-skufamily) | string | Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families. | @@ -646,7 +650,7 @@ A /30 subnet used to configure IP addresses for interfaces on Link1. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -659,7 +663,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -707,7 +711,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/express-route-circuit/main.bicep b/modules/network/express-route-circuit/main.bicep index 8318922213..523d957700 100644 --- a/modules/network/express-route-circuit/main.bicep +++ b/modules/network/express-route-circuit/main.bicep @@ -75,7 +75,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -182,7 +182,7 @@ resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticS resource expressRouteCircuits_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(expressRouteCircuits.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -221,7 +221,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/express-route-circuit/main.json b/modules/network/express-route-circuit/main.json index 482950e671..bc213c59d2 100644 --- a/modules/network/express-route-circuit/main.json +++ b/modules/network/express-route-circuit/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6315579544397323393" + "templateHash": "5050638438810286539" }, "name": "ExpressRoute Circuits", "description": "This module deploys an Express Route Circuit.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -362,7 +362,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -489,7 +489,7 @@ "scope": "[format('Microsoft.Network/expressRouteCircuits/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/expressRouteCircuits', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep index 015786939d..705af9e25a 100644 --- a/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/max/main.test.bicep @@ -90,7 +90,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep index d3509c0c8d..afcdd32c69 100644 --- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep @@ -88,13 +88,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] skuFamily: 'MeteredData' skuTier: 'Standard' allowClassicOperations: true diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index 1804fe9a3f..152fbd6875 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -110,7 +110,17 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -161,7 +171,17 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -202,13 +222,6 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { hello: 'world' 'hidden-title': 'This is visible in the resource name' @@ -252,15 +265,6 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hello": "world", @@ -295,7 +299,7 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0 | [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | ### Parameter: `allowNonVirtualWanTraffic` @@ -375,7 +379,7 @@ Name of the Express Route Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -388,7 +392,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -436,7 +440,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep index 811d433d11..3c092e14f1 100644 --- a/modules/network/express-route-gateway/main.bicep +++ b/modules/network/express-route-gateway/main.bicep @@ -26,7 +26,7 @@ param expressRouteConnections array = [] @description('Required. Resource ID of the Virtual Wan Hub.') param virtualHubId string -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -87,7 +87,7 @@ resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i resource expressRouteGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(expressRouteGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -123,7 +123,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/express-route-gateway/main.json b/modules/network/express-route-gateway/main.json index 6be627532b..96877d8514 100644 --- a/modules/network/express-route-gateway/main.json +++ b/modules/network/express-route-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13411012748796915951" + "templateHash": "17235076450976067211" }, "name": "Express Route Gateways", "description": "This module deploys an Express Route Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -163,7 +163,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -249,7 +249,7 @@ "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep index 42867d94f4..1939d49a61 100644 --- a/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/max/main.test.bicep @@ -67,7 +67,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep index e95b805cb0..81e988ca2d 100644 --- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -65,12 +65,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index 45170239e9..c62511aad4 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -165,7 +165,17 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'Premium_AzureFrontDoor' @@ -277,7 +287,17 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -381,13 +401,6 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo mode: 'Prevention' redirectUrl: 'http://www.bing.com' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'Premium_AzureFrontDoor' tags: { Environment: 'Non-Prod' @@ -492,15 +505,6 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo "redirectUrl": "http://www.bing.com" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "Premium_AzureFrontDoor" }, @@ -537,7 +541,7 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedRules`](#parameter-managedrules) | object | Describes the managedRules structure. | | [`policySettings`](#parameter-policysettings) | object | The PolicySettings for policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The pricing tier of the WAF profile. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -659,7 +663,7 @@ The PolicySettings for policy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -672,7 +676,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -720,7 +724,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/front-door-web-application-firewall-policy/main.bicep b/modules/network/front-door-web-application-firewall-policy/main.bicep index 2cf41330a7..27bfa8e63d 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.bicep +++ b/modules/network/front-door-web-application-firewall-policy/main.bicep @@ -72,7 +72,7 @@ param policySettings object = { @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var builtInRoleNames = { @@ -121,7 +121,7 @@ resource frontDoorWAFPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if resource frontDoorWAFPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(frontDoorWAFPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -157,7 +157,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/front-door-web-application-firewall-policy/main.json b/modules/network/front-door-web-application-firewall-policy/main.json index deff6d2c90..578eff792e 100644 --- a/modules/network/front-door-web-application-firewall-policy/main.json +++ b/modules/network/front-door-web-application-firewall-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4704133430078422281" + "templateHash": "12618111004267812285" }, "name": "Front Door Web Application Firewall (WAF) Policies", "description": "This module deploys a Front Door Web Application Firewall (WAF) Policy.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -215,7 +215,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, @@ -282,7 +282,7 @@ "scope": "[format('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep index 835ce7f757..99bdd66dea 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/max/main.test.bicep @@ -127,7 +127,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 4248cdace9..67e8b06778 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -125,12 +125,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Environment: 'Non-Prod' Role: 'DeploymentValidation' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 75bd27f5d6..b86171346b 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -360,7 +360,17 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sendRecvTimeoutSeconds: 10 @@ -504,7 +514,17 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -634,13 +654,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sendRecvTimeoutSeconds: 10 tags: { Environment: 'Non-Prod' @@ -777,15 +790,6 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sendRecvTimeoutSeconds": { "value": 10 }, @@ -828,7 +832,7 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { | [`friendlyName`](#parameter-friendlyname) | string | Friendly name of the frontdoor resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sendRecvTimeoutSeconds`](#parameter-sendrecvtimeoutseconds) | int | Certificate name check time of the frontdoor resource. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -1041,7 +1045,7 @@ The name of the frontDoor. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1054,7 +1058,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1102,7 +1106,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/front-door/main.bicep b/modules/network/front-door/main.bicep index f9cc41e08a..bcaa533984 100644 --- a/modules/network/front-door/main.bicep +++ b/modules/network/front-door/main.bicep @@ -13,7 +13,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -131,7 +131,7 @@ resource frontDoor_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@202 resource frontDoor_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(frontDoor.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -164,7 +164,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/front-door/main.json b/modules/network/front-door/main.json index 3b20f006ef..394c56eb8a 100644 --- a/modules/network/front-door/main.json +++ b/modules/network/front-door/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18065323177030790685" + "templateHash": "12127605503670931788" }, "name": "Azure Front Doors", "description": "This module deploys an Azure Front Door.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -236,7 +236,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -411,7 +411,7 @@ "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/frontDoors', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/front-door/tests/e2e/max/main.test.bicep b/modules/network/front-door/tests/e2e/max/main.test.bicep index c94b99aa79..4d954197e7 100644 --- a/modules/network/front-door/tests/e2e/max/main.test.bicep +++ b/modules/network/front-door/tests/e2e/max/main.test.bicep @@ -148,7 +148,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' sendRecvTimeoutSeconds: 10 roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep index 93650d477c..3652f40fa1 100644 --- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -146,13 +146,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } ] sendRecvTimeoutSeconds: 10 - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index d9706dfeb2..a5ac16bc08 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -107,7 +107,17 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -156,7 +166,17 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -199,13 +219,6 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -247,15 +260,6 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -287,7 +291,7 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { | [`ipAddresses`](#parameter-ipaddresses) | array | IpAddresses/IpAddressPrefixes in the IpGroups resource. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | ### Parameter: `enableDefaultTelemetry` @@ -346,7 +350,7 @@ The name of the ipGroups. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -359,7 +363,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -407,7 +411,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/ip-group/main.bicep b/modules/network/ip-group/main.bicep index 3e14ba223f..08a30eee33 100644 --- a/modules/network/ip-group/main.bicep +++ b/modules/network/ip-group/main.bicep @@ -15,7 +15,7 @@ param ipAddresses array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -66,7 +66,7 @@ resource ipGroup_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource ipGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(ipGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -102,7 +102,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/ip-group/main.json b/modules/network/ip-group/main.json index f286f1deb9..ccf8f4d058 100644 --- a/modules/network/ip-group/main.json +++ b/modules/network/ip-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16568387528687642838" + "templateHash": "12288057031488744578" }, "name": "IP Groups", "description": "This module deploys an IP Group.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -136,7 +136,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -213,7 +213,7 @@ "scope": "[format('Microsoft.Network/ipGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/ipGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/ip-group/tests/e2e/max/main.test.bicep b/modules/network/ip-group/tests/e2e/max/main.test.bicep index 5e9c862414..06bb71dc3b 100644 --- a/modules/network/ip-group/tests/e2e/max/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/max/main.test.bicep @@ -63,7 +63,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep index 6636c832de..e8767a2291 100644 --- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep @@ -61,13 +61,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index 2b5cac74a2..f2fb425a1a 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md @@ -121,7 +121,17 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -178,7 +188,17 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -223,13 +243,6 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -279,15 +292,6 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -324,7 +328,7 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0 | [`localPeerWeight`](#parameter-localpeerweight) | string | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -416,7 +420,7 @@ Name of the Local Network Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -429,7 +433,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -477,7 +481,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/local-network-gateway/main.bicep b/modules/network/local-network-gateway/main.bicep index 766ac4eb10..0d7877dc43 100644 --- a/modules/network/local-network-gateway/main.bicep +++ b/modules/network/local-network-gateway/main.bicep @@ -27,7 +27,7 @@ param localPeerWeight string = '' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -92,7 +92,7 @@ resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = i resource localNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(localNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -128,7 +128,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/local-network-gateway/main.json b/modules/network/local-network-gateway/main.json index da3cea4c2d..5fc6a78848 100644 --- a/modules/network/local-network-gateway/main.json +++ b/modules/network/local-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18232422639786183281" + "templateHash": "15135056201876239825" }, "name": "Local Network Gateways", "description": "This module deploys a Local Network Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -162,7 +162,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -256,7 +256,7 @@ "scope": "[format('Microsoft.Network/localNetworkGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/localNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep index 93352e6ce5..150660fecf 100644 --- a/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/max/main.test.bicep @@ -65,7 +65,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep index 4c3d7522ce..a407b64c98 100644 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -63,13 +63,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index b764e57c4d..48343f3c1b 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -90,7 +90,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -167,7 +177,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -229,7 +249,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -295,7 +325,17 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -366,13 +406,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -442,15 +475,6 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -486,7 +510,7 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { | [`publicIPPrefixObjects`](#parameter-publicipprefixobjects) | array | Specifies the properties of the Public IP Prefixes to create and be used by the NAT Gateway. | | [`publicIPPrefixResourceIds`](#parameter-publicipprefixresourceids) | array | Existing Public IP Prefixes resource IDs to use for the NAT Gateway. | | [`publicIpResourceIds`](#parameter-publicipresourceids) | array | Existing Public IP Address resource IDs to use for the NAT Gateway. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags for the resource. | | [`zones`](#parameter-zones) | array | A list of availability zones denoting the zone in which Nat Gateway should be deployed. | @@ -572,7 +596,7 @@ Existing Public IP Address resource IDs to use for the NAT Gateway. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -585,7 +609,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -633,7 +657,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/nat-gateway/main.bicep b/modules/network/nat-gateway/main.bicep index b3aab1a660..8e958da2d7 100644 --- a/modules/network/nat-gateway/main.bicep +++ b/modules/network/nat-gateway/main.bicep @@ -29,7 +29,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags for the resource.') @@ -139,7 +139,7 @@ resource natGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty resource natGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(natGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -175,7 +175,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/nat-gateway/main.json b/modules/network/nat-gateway/main.json index 496bdfff0a..5f0044c21c 100644 --- a/modules/network/nat-gateway/main.json +++ b/modules/network/nat-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9381387795158980533" + "templateHash": "4790906560512983645" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -276,7 +276,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -364,7 +364,7 @@ "scope": "[format('Microsoft.Network/natGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/natGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1022,7 +1022,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9244193973447540175" + "templateHash": "11282022059497213596" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -1062,7 +1062,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1153,7 +1153,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -1242,7 +1242,7 @@ "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep index 7fc011d550..e6adb9a978 100644 --- a/modules/network/nat-gateway/tests/e2e/max/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/max/main.test.bicep @@ -105,7 +105,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep index d874324327..caceef126b 100644 --- a/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/prefixCombined/main.test.bicep @@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep index 9f155e50f0..15c733767d 100644 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -103,13 +103,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 896d0bd79c..8460d85457 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -125,7 +125,17 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scopeConnections: [ @@ -352,7 +362,17 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -571,13 +591,6 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] scopeConnections: [ { description: 'description of the scope connection' @@ -797,15 +810,6 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "scopeConnections": { "value": [ { diff --git a/modules/network/network-manager/main.bicep b/modules/network/network-manager/main.bicep index 4fc57260bd..c867dd3d0c 100644 --- a/modules/network/network-manager/main.bicep +++ b/modules/network/network-manager/main.bicep @@ -142,7 +142,7 @@ resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource networkManager_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(networkManager.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType diff --git a/modules/network/network-manager/main.json b/modules/network/network-manager/main.json index 24d0104710..038c02d2e2 100644 --- a/modules/network/network-manager/main.json +++ b/modules/network/network-manager/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7208377569507005040" + "templateHash": "10987132052882747001" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", @@ -258,7 +258,7 @@ "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -303,10 +303,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3787957853488500608" + "templateHash": "9383612824689647197" }, "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", + "description": "This module deploys a Network Manager Network Group.\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -409,10 +409,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6119539562042886994" + "templateHash": "6270695242836306169" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -572,10 +572,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16434535140284685195" + "templateHash": "9661323239609366787" }, "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", + "description": "This module deploys a Network Manager Connectivity Configuration.\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -751,10 +751,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5036358037363252898" + "templateHash": "15324552358719749208" }, "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", + "description": "This module deploys a Network Manager Scope Connection.\nCreate a cross-tenant connection to manage a resource from another tenant.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -890,10 +890,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11083461428572717010" + "templateHash": "220686347521741612" }, "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Network Manager Security Admin Configuration.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1012,10 +1012,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17187717862116828818" + "templateHash": "10245325643114384455" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1147,10 +1147,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "144106033297451553" + "templateHash": "6215293821297223443" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-manager/tests/e2e/max/main.test.bicep b/modules/network/network-manager/tests/e2e/max/main.test.bicep index 1fb6b04824..d0e1fd2393 100644 --- a/modules/network/network-manager/tests/e2e/max/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/max/main.test.bicep @@ -66,7 +66,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep index 1d94d18ba7..630be8e2bc 100644 --- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep @@ -64,13 +64,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] networkManagerScopeAccesses: [ 'Connectivity' 'SecurityAdmin' diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index 416644df15..f0672acbff 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -114,7 +114,17 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securityRules: [ @@ -232,7 +242,17 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -346,13 +366,6 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securityRules: [ { name: 'Specific' @@ -463,15 +476,6 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securityRules": { "value": [ { @@ -570,7 +574,7 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0 | [`flushConnection`](#parameter-flushconnection) | bool | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. Network Security Group connection flushing is not available in all regions. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityRules`](#parameter-securityrules) | array | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | [`tags`](#parameter-tags) | object | Tags of the NSG resource. | @@ -725,7 +729,7 @@ Name of the Network Security Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -738,7 +742,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -786,7 +790,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/network-security-group/main.bicep b/modules/network/network-security-group/main.bicep index 83928e9024..83266cb10a 100644 --- a/modules/network/network-security-group/main.bicep +++ b/modules/network/network-security-group/main.bicep @@ -20,7 +20,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the NSG resource.') @@ -136,7 +136,7 @@ resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticS resource networkSecurityGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(networkSecurityGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -172,7 +172,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/network-security-group/main.json b/modules/network/network-security-group/main.json index 5a078217ce..c6f01814cd 100644 --- a/modules/network/network-security-group/main.json +++ b/modules/network/network-security-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "750109442263573618" + "templateHash": "15234016184111184785" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -236,7 +236,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -362,7 +362,7 @@ "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/network-security-group/tests/e2e/max/main.test.bicep b/modules/network/network-security-group/tests/e2e/max/main.test.bicep index 24664977f4..b0cae014bc 100644 --- a/modules/network/network-security-group/tests/e2e/max/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/max/main.test.bicep @@ -83,7 +83,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep index 0a6ccc8de6..cb46477554 100644 --- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -81,13 +81,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] securityRules: [ { name: 'Specific' diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index 84b24a7db1..c8263f21d9 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -165,7 +165,17 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -276,7 +286,17 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -379,13 +399,6 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { ] location: '' name: '' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -489,15 +502,6 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { "name": { "value": "" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -525,7 +529,7 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`name`](#parameter-name) | string | Name of the Network Watcher resource (hidden). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `connectionMonitors` @@ -592,7 +596,7 @@ Name of the Network Watcher resource (hidden). ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -605,7 +609,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -653,7 +657,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/network-watcher/main.bicep b/modules/network/network-watcher/main.bicep index 6ee4903f61..4cde8cc540 100644 --- a/modules/network/network-watcher/main.bicep +++ b/modules/network/network-watcher/main.bicep @@ -18,7 +18,7 @@ param flowLogs array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -69,7 +69,7 @@ resource networkWatcher_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource networkWatcher_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(networkWatcher.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -135,7 +135,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/network-watcher/main.json b/modules/network/network-watcher/main.json index af0b8f4ed7..aa3112d351 100644 --- a/modules/network/network-watcher/main.json +++ b/modules/network/network-watcher/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16212234798998363097" + "templateHash": "10879972113485324121" }, "name": "Network Watchers", "description": "This module deploys a Network Watcher.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -144,7 +144,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -220,7 +220,7 @@ "scope": "[format('Microsoft.Network/networkWatchers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/networkWatchers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -457,10 +457,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13019883939201211211" + "templateHash": "2197507893118006956" }, "name": "NSG Flow Logs", - "description": "This module controls the Network Security Group Flow Logs and analytics settings.\r\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", + "description": "This module controls the Network Security Group Flow Logs and analytics settings.\n**Note: this module must be run on the Resource Group where Network Watcher is deployed**", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/network/network-watcher/tests/e2e/max/main.test.bicep b/modules/network/network-watcher/tests/e2e/max/main.test.bicep index 578321530e..c453c48b8d 100644 --- a/modules/network/network-watcher/tests/e2e/max/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/max/main.test.bicep @@ -145,7 +145,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep index b940f74c67..0753347fd0 100644 --- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -143,13 +143,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index a2ba040a35..5d295b3fc2 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -459,7 +459,7 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' | [`loadBalancerFrontendIpConfigurations`](#parameter-loadbalancerfrontendipconfigurations) | array | An array of references to the load balancer IP configurations. The Private Link service is tied to the frontend IP address of a Standard Load Balancer. All traffic destined for the service will reach the frontend of the SLB. You can configure SLB rules to direct this traffic to appropriate backend pools where your applications are running. Load balancer frontend IP configurations are different than NAT IP configurations. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags to be applied on all resources/resource groups in this deployment. | | [`visibility`](#parameter-visibility) | object | Controls the exposure settings for your Private Link service. Service providers can choose to limit the exposure to their service to subscriptions with Azure role-based access control (Azure RBAC) permissions, a restricted set of subscriptions, or all Azure subscriptions. | @@ -554,7 +554,7 @@ Name of the private link service to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -567,7 +567,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -615,7 +615,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/private-link-service/main.bicep b/modules/network/private-link-service/main.bicep index 6146a225bf..7f8f61068e 100644 --- a/modules/network/private-link-service/main.bicep +++ b/modules/network/private-link-service/main.bicep @@ -38,7 +38,7 @@ param visibility object = {} @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var builtInRoleNames = { @@ -93,7 +93,7 @@ resource privateLinkService_lock 'Microsoft.Authorization/locks@2020-05-01' = if resource privateLinkService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(privateLinkService.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -129,7 +129,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/private-link-service/main.json b/modules/network/private-link-service/main.json index 2b7574b6aa..5490f7706a 100644 --- a/modules/network/private-link-service/main.json +++ b/modules/network/private-link-service/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1799801226722953083" + "templateHash": "7895931636672414166" }, "name": "Private Link Services", "description": "This module deploys a Private Link Service.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -191,7 +191,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, @@ -264,7 +264,7 @@ "scope": "[format('Microsoft.Network/privateLinkServices/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/privateLinkServices', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index 315a9026fd..8f34b55130 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -108,7 +108,17 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -154,7 +164,17 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -194,13 +214,6 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -239,15 +252,6 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -280,7 +284,7 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `customIPPrefix` @@ -345,7 +349,7 @@ Length of the Public IP Prefix. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -358,7 +362,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -406,7 +410,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/public-ip-prefix/main.bicep b/modules/network/public-ip-prefix/main.bicep index 5261690b6d..97b513f893 100644 --- a/modules/network/public-ip-prefix/main.bicep +++ b/modules/network/public-ip-prefix/main.bicep @@ -17,7 +17,7 @@ param prefixLength int @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -76,7 +76,7 @@ resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource publicIpPrefix_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(publicIpPrefix.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -112,7 +112,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/public-ip-prefix/main.json b/modules/network/public-ip-prefix/main.json index d327e41009..b8010113ed 100644 --- a/modules/network/public-ip-prefix/main.json +++ b/modules/network/public-ip-prefix/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9244193973447540175" + "templateHash": "11282022059497213596" }, "name": "Public IP Prefixes", "description": "This module deploys a Public IP Prefix.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -137,7 +137,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -226,7 +226,7 @@ "scope": "[format('Microsoft.Network/publicIPPrefixes/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/publicIPPrefixes', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep index 2a0444770e..04bc42d4e9 100644 --- a/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/max/main.test.bicep @@ -60,7 +60,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep index cc31fc6d98..9081c0314b 100644 --- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -58,13 +58,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index e8797a413c..b8a16af871 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -103,7 +103,17 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] serviceEndpointPolicyDefinitions: [ @@ -159,7 +169,17 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -213,13 +233,6 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] serviceEndpointPolicyDefinitions: [ { name: 'Storage.ServiceEndpoint' @@ -268,15 +281,6 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "serviceEndpointPolicyDefinitions": { "value": [ { @@ -323,7 +327,7 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serviceAlias`](#parameter-servicealias) | string | The alias indicating if the policy belongs to a service. | | [`serviceEndpointPolicyDefinitions`](#parameter-serviceendpointpolicydefinitions) | array | An Array of service endpoint policy definitions. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -384,7 +388,7 @@ The Service Endpoint Policy name. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -397,7 +401,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -445,7 +449,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/service-endpoint-policy/main.bicep b/modules/network/service-endpoint-policy/main.bicep index c0183b63f9..9d9b83348d 100644 --- a/modules/network/service-endpoint-policy/main.bicep +++ b/modules/network/service-endpoint-policy/main.bicep @@ -20,7 +20,7 @@ param serviceAlias string = '' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -73,7 +73,7 @@ resource serviceEndpointPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = resource serviceEndpointPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(serviceEndpointPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -109,7 +109,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/service-endpoint-policy/main.json b/modules/network/service-endpoint-policy/main.json index 0901fb297c..0e6f729e47 100644 --- a/modules/network/service-endpoint-policy/main.json +++ b/modules/network/service-endpoint-policy/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8576779256610363047" + "templateHash": "11859236081077741465" }, "name": "Service Endpoint Policies", "description": "This module deploys a Service Endpoint Policy.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -149,7 +149,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -228,7 +228,7 @@ "scope": "[format('Microsoft.Network/serviceEndpointPolicies/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/serviceEndpointPolicies', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep index 8ad3addf74..271bf7e24a 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep index ab52288ff9..ba10f48947 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 01f22925a2..c7d12328ee 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -124,7 +124,17 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -186,7 +196,17 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -240,13 +260,6 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -301,15 +314,6 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -345,7 +349,7 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0 | [`maxReturn`](#parameter-maxreturn) | int | Maximum number of endpoints to be returned for MultiValue routing type. | | [`monitorConfig`](#parameter-monitorconfig) | object | The endpoint monitoring settings of the Traffic Manager profile. | | [`profileStatus`](#parameter-profilestatus) | string | The status of the Traffic Manager profile. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | | [`trafficRoutingMethod`](#parameter-trafficroutingmethod) | string | The traffic routing method of the Traffic Manager profile. | | [`trafficViewEnrollmentStatus`](#parameter-trafficviewenrollmentstatus) | string | Indicates whether Traffic View is 'Enabled' or 'Disabled' for the Traffic Manager profile. Null, indicates 'Disabled'. Enabling this feature will increase the cost of the Traffic Manage profile. | @@ -556,7 +560,7 @@ The relative DNS name provided by this Traffic Manager profile. This value is co ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -569,7 +573,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -617,7 +621,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/trafficmanagerprofile/main.bicep b/modules/network/trafficmanagerprofile/main.bicep index 66238ec4dd..0b8890079e 100644 --- a/modules/network/trafficmanagerprofile/main.bicep +++ b/modules/network/trafficmanagerprofile/main.bicep @@ -56,7 +56,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -143,7 +143,7 @@ resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnostic resource trafficManagerProfile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(trafficManagerProfile.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -176,7 +176,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/trafficmanagerprofile/main.json b/modules/network/trafficmanagerprofile/main.json index b70a6f3e81..76f4462e01 100644 --- a/modules/network/trafficmanagerprofile/main.json +++ b/modules/network/trafficmanagerprofile/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11095049412788663057" + "templateHash": "16146918790976496656" }, "name": "Traffic Manager Profiles", "description": "This module deploys a Traffic Manager Profile.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -309,7 +309,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -419,7 +419,7 @@ "scope": "[format('Microsoft.Network/trafficmanagerprofiles/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/trafficmanagerprofiles', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep index b937b8d2af..997d876567 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/max/main.test.bicep @@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep index bddc3fdf32..850a5be046 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep @@ -86,13 +86,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/network/virtual-network-gateway/README.md b/modules/network/virtual-network-gateway/README.md index c43561c8b2..7a0a2b9daa 100644 --- a/modules/network/virtual-network-gateway/README.md +++ b/modules/network/virtual-network-gateway/README.md @@ -81,7 +81,17 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -176,7 +186,17 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -643,7 +663,7 @@ module virtualNetworkGateway 'br:bicep/modules/network.virtual-network-gateway:1 | [`publicIpDiagnosticSettings`](#parameter-publicipdiagnosticsettings) | array | The diagnostic settings of the Public IP. | | [`publicIPPrefixResourceId`](#parameter-publicipprefixresourceid) | string | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | | [`publicIpZones`](#parameter-publicipzones) | array | Specifies the zones of the Public IP address. Basic IP SKU does not support Availability Zones. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnClientAadConfiguration`](#parameter-vpnclientaadconfiguration) | object | Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided. | | [`vpnClientAddressPoolPrefix`](#parameter-vpnclientaddresspoolprefix) | string | The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network. | @@ -1068,7 +1088,7 @@ Specifies the zones of the Public IP address. Basic IP SKU does not support Avai ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1081,7 +1101,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1129,7 +1149,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network-gateway/main.bicep b/modules/network/virtual-network-gateway/main.bicep index b561f87fac..ec6385b67c 100644 --- a/modules/network/virtual-network-gateway/main.bicep +++ b/modules/network/virtual-network-gateway/main.bicep @@ -118,7 +118,7 @@ param publicIpDiagnosticSettings diagnosticSettingType @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -374,7 +374,7 @@ resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnostic resource virtualNetworkGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(virtualNetworkGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -416,7 +416,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-network-gateway/main.json b/modules/network/virtual-network-gateway/main.json index 6ed43a2056..7180fe35f6 100644 --- a/modules/network/virtual-network-gateway/main.json +++ b/modules/network/virtual-network-gateway/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2357059360379446061" + "templateHash": "15357828351524045583" }, "name": "Virtual Network Gateways", "description": "This module deploys a Virtual Network Gateway.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -437,7 +437,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { @@ -593,7 +593,7 @@ "scope": "[format('Microsoft.Network/virtualNetworkGateways/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep index 95dfbe06d2..a6e2410992 100644 --- a/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep +++ b/modules/network/virtual-network-gateway/tests/e2e/aadvpn/main.test.bicep @@ -97,7 +97,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 8f8acb2d0d..33dd1bb7cd 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -138,7 +138,17 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] subnets: [ @@ -256,7 +266,17 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -471,13 +491,6 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] subnets: [ { addressPrefix: '' @@ -588,15 +601,6 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "subnets": { "value": [ { @@ -680,7 +684,7 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`peerings`](#parameter-peerings) | array | Virtual Network Peerings configurations. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`subnets`](#parameter-subnets) | array | An Array of subnets to deploy to the Virtual Network. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vnetEncryption`](#parameter-vnetencryption) | bool | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. Requires the EnableVNetEncryption feature to be registered for the subscription and a supported region to use this property. | @@ -884,7 +888,7 @@ Virtual Network Peerings configurations. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -897,7 +901,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -945,7 +949,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network/main.bicep b/modules/network/virtual-network/main.bicep index 0a4003d1e5..59201d89b2 100644 --- a/modules/network/virtual-network/main.bicep +++ b/modules/network/virtual-network/main.bicep @@ -43,7 +43,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -226,7 +226,7 @@ resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSetting resource virtualNetwork_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(virtualNetwork.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -268,7 +268,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-network/main.json b/modules/network/virtual-network/main.json index 0de7bba004..532eb7a1ed 100644 --- a/modules/network/virtual-network/main.json +++ b/modules/network/virtual-network/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17480456503748802804" + "templateHash": "13961908066049055170" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -300,7 +300,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -437,7 +437,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -496,7 +496,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10049142602469906602" + "templateHash": "17336277691652716048" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", @@ -511,7 +511,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -679,7 +679,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -753,7 +753,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-network/subnet/README.md b/modules/network/virtual-network/subnet/README.md index d981e06cfc..fbe94623e8 100644 --- a/modules/network/virtual-network/subnet/README.md +++ b/modules/network/virtual-network/subnet/README.md @@ -45,7 +45,7 @@ This module deploys a Virtual Network Subnet. | [`networkSecurityGroupId`](#parameter-networksecuritygroupid) | string | The resource ID of the network security group to assign to the subnet. | | [`privateEndpointNetworkPolicies`](#parameter-privateendpointnetworkpolicies) | string | enable or disable apply network policies on private endpoint in the subnet. | | [`privateLinkServiceNetworkPolicies`](#parameter-privatelinkservicenetworkpolicies) | string | enable or disable apply network policies on private link service in the subnet. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`routeTableId`](#parameter-routetableid) | string | The resource ID of the route table to assign to the subnet. | | [`serviceEndpointPolicies`](#parameter-serviceendpointpolicies) | array | An array of service endpoint policies. | | [`serviceEndpoints`](#parameter-serviceendpoints) | array | The service endpoints to enable on the subnet. | @@ -143,7 +143,7 @@ enable or disable apply network policies on private link service in the subnet. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -156,7 +156,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -204,7 +204,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-network/subnet/main.bicep b/modules/network/virtual-network/subnet/main.bicep index 5f0fadf82e..3e8d129499 100644 --- a/modules/network/virtual-network/subnet/main.bicep +++ b/modules/network/virtual-network/subnet/main.bicep @@ -54,7 +54,7 @@ param ipAllocations array = [] @description('Optional. An array of service endpoint policies.') param serviceEndpointPolicies array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -113,7 +113,7 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = { resource subnet_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(subnet.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -143,7 +143,7 @@ output subnetAddressPrefixes array = !empty(addressPrefixes) ? subnet.properties // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-network/subnet/main.json b/modules/network/virtual-network/subnet/main.json index c7f51d4570..dd6acc468b 100644 --- a/modules/network/virtual-network/subnet/main.json +++ b/modules/network/virtual-network/subnet/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10049142602469906602" + "templateHash": "17336277691652716048" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -189,7 +189,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -263,7 +263,7 @@ "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-network/tests/e2e/max/main.test.bicep b/modules/network/virtual-network/tests/e2e/max/main.test.bicep index 5a84c91f10..7181d9a40f 100644 --- a/modules/network/virtual-network/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/max/main.test.bicep @@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = { } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep index 58a38a9530..c2702cfe9f 100644 --- a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep @@ -94,13 +94,6 @@ module testDeployment '../../../main.bicep' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] flowTimeoutInMinutes: 20 subnets: [ { diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 63d33bf1aa..2cb16b518d 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -106,7 +106,17 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -159,7 +169,17 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -204,13 +224,6 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -256,15 +269,6 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -301,7 +305,7 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`location`](#parameter-location) | string | Location where all resources will be created. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`type`](#parameter-type) | string | The type of the Virtual WAN. | @@ -375,7 +379,7 @@ Name of the Virtual WAN. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -388,7 +392,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -436,7 +440,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/virtual-wan/main.bicep b/modules/network/virtual-wan/main.bicep index 6d3f3fe0b0..b108e4573b 100644 --- a/modules/network/virtual-wan/main.bicep +++ b/modules/network/virtual-wan/main.bicep @@ -24,7 +24,7 @@ param allowVnetToVnetTraffic bool = false @description('Optional. VPN encryption to be disabled or not.') param disableVpnEncryption bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -81,7 +81,7 @@ resource virtualWan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty resource virtualWan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(virtualWan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -117,7 +117,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/virtual-wan/main.json b/modules/network/virtual-wan/main.json index 73f79cbc33..99e7a9e7ca 100644 --- a/modules/network/virtual-wan/main.json +++ b/modules/network/virtual-wan/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4189892179924911704" + "templateHash": "3497109504339292909" }, "name": "Virtual WANs", "description": "This module deploys a Virtual WAN.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -154,7 +154,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -240,7 +240,7 @@ "scope": "[format('Microsoft.Network/virtualWans/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/virtualWans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep index 3642b75961..9079c1e718 100644 --- a/modules/network/virtual-wan/tests/e2e/max/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/max/main.test.bicep @@ -62,7 +62,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep index 290a115237..7bccc274c5 100644 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep @@ -60,13 +60,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] type: 'Basic' tags: { 'hidden-title': 'This is visible in the resource name' diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 0db53524cd..d905533985 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -131,7 +131,17 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -221,7 +231,17 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -303,13 +323,6 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { optimize: true } } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' tagA: 'valueA' @@ -392,15 +405,6 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { } } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hidden-title": "This is visible in the resource name", @@ -475,7 +479,7 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { | [`location`](#parameter-location) | string | Location where all resources will be created. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`o365Policy`](#parameter-o365policy) | object | The Office365 breakout policy. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`vpnSiteLinks`](#parameter-vpnsitelinks) | array | List of all VPN site links. | @@ -570,7 +574,7 @@ The Office365 breakout policy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -583,7 +587,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -631,7 +635,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/network/vpn-site/main.bicep b/modules/network/vpn-site/main.bicep index cb5c422359..182a3ef359 100644 --- a/modules/network/vpn-site/main.bicep +++ b/modules/network/vpn-site/main.bicep @@ -41,7 +41,7 @@ param vpnSiteLinks array = [] @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var builtInRoleNames = { @@ -97,7 +97,7 @@ resource vpnSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource vpnSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(vpnSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -133,7 +133,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/network/vpn-site/main.json b/modules/network/vpn-site/main.json index 0a32dfa9f5..f7300ea789 100644 --- a/modules/network/vpn-site/main.json +++ b/modules/network/vpn-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12353107767353318428" + "templateHash": "3174704764297333181" }, "name": "VPN Sites", "description": "This module deploys a VPN Site.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -197,7 +197,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, @@ -269,7 +269,7 @@ "scope": "[format('Microsoft.Network/vpnSites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Network/vpnSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/network/vpn-site/tests/e2e/max/main.test.bicep b/modules/network/vpn-site/tests/e2e/max/main.test.bicep index 629bdd1bd9..d57e267bbb 100644 --- a/modules/network/vpn-site/tests/e2e/max/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/max/main.test.bicep @@ -106,7 +106,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep index 62ed03a40d..3b996255bc 100644 --- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep @@ -104,12 +104,5 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' default: true } } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] } }] diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 2ef08134de..a77bb25aa2 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -174,7 +174,17 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] storageBlobPrivateEndpoints: [ @@ -325,7 +335,17 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -460,13 +480,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { } ] publicNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] storageBlobPrivateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -610,15 +623,6 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { "publicNetworkAccess": { "value": "Disabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "storageBlobPrivateEndpoints": { "value": [ { @@ -688,7 +692,7 @@ module account 'br:bicep/modules/purview.account:1.0.0' = { | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`storageBlobPrivateEndpoints`](#parameter-storageblobprivateendpoints) | array | Configuration details for Purview Managed Storage Account blob private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'blob'. | | [`storageQueuePrivateEndpoints`](#parameter-storagequeueprivateendpoints) | array | Configuration details for Purview Managed Storage Account queue private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'queue'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -918,7 +922,7 @@ Whether or not public network access is allowed for this resource. For security ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -931,7 +935,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -979,7 +983,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/purview/account/main.bicep b/modules/purview/account/main.bicep index 73cd7a3c1e..b93675e30d 100644 --- a/modules/purview/account/main.bicep +++ b/modules/purview/account/main.bicep @@ -30,7 +30,7 @@ param publicNetworkAccess string = 'NotSpecified' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for Purview Account private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to \'account\'.') @@ -257,7 +257,7 @@ module eventHub_privateEndpoints '../../network/private-endpoint/main.bicep' = [ resource account_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(account.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -313,7 +313,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/purview/account/main.json b/modules/purview/account/main.json index 169ab57dbd..e18390b358 100644 --- a/modules/purview/account/main.json +++ b/modules/purview/account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11685222895702986348" + "templateHash": "5819351942554123276" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -283,7 +283,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "accountPrivateEndpoints": { @@ -425,7 +425,7 @@ "scope": "[format('Microsoft.Purview/accounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Purview/accounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/purview/account/tests/e2e/max/main.test.bicep b/modules/purview/account/tests/e2e/max/main.test.bicep index 576acece67..5f09f48e2e 100644 --- a/modules/purview/account/tests/e2e/max/main.test.bicep +++ b/modules/purview/account/tests/e2e/max/main.test.bicep @@ -96,7 +96,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index f58261b0a9..50ff6aa700 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -94,13 +94,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] accountPrivateEndpoints: [ { privateDnsZoneResourceIds: [ diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index ee3cf09b77..8eb9e2c57d 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -574,7 +574,17 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securitySettings: { @@ -924,7 +934,17 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1256,13 +1276,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { locale: 'en-US' sendToOwners: 'Send' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securitySettings: { immutabilitySettings: { state: 'Unlocked' @@ -1605,15 +1618,6 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { "sendToOwners": "Send" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securitySettings": { "value": { "immutabilitySettings": { @@ -1663,7 +1667,7 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { | [`replicationAlertSettings`](#parameter-replicationalertsettings) | object | Replication alert settings. | | [`replicationFabrics`](#parameter-replicationfabrics) | array | List of all replication fabrics. | | [`replicationPolicies`](#parameter-replicationpolicies) | array | List of all replication policies. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securitySettings`](#parameter-securitysettings) | object | Security Settings of the vault. | | [`tags`](#parameter-tags) | object | Tags of the Recovery Service Vault resource. | @@ -1903,7 +1907,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -2055,7 +2059,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -2125,7 +2129,7 @@ List of all replication policies. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2138,7 +2142,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2186,7 +2190,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/recovery-services/vault/main.bicep b/modules/recovery-services/vault/main.bicep index ec25f0ce5d..276f4850c4 100644 --- a/modules/recovery-services/vault/main.bicep +++ b/modules/recovery-services/vault/main.bicep @@ -38,7 +38,7 @@ param replicationAlertSettings object = {} @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The lock settings of the service.') @@ -269,7 +269,7 @@ module rsv_privateEndpoints '../../network/private-endpoint/main.bicep' = [for ( resource rsv_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(rsv.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -316,7 +316,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -393,7 +393,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/recovery-services/vault/main.json b/modules/recovery-services/vault/main.json index ba9780ebf9..c7129f3aef 100644 --- a/modules/recovery-services/vault/main.json +++ b/modules/recovery-services/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7312689804634982287" + "templateHash": "995975405658769372" }, "name": "Recovery Services Vaults", "description": "This module deploys a Recovery Services Vault.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -491,7 +491,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "lock": { @@ -642,7 +642,7 @@ "scope": "[format('Microsoft.RecoveryServices/vaults/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.RecoveryServices/vaults', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -687,10 +687,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18045555589113818401" + "templateHash": "141571686653146888" }, "name": "Recovery Services Vault Replication Fabrics", - "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\r\n\r\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", + "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -793,10 +793,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3783488076539662325" + "templateHash": "10595314903369272974" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Containers", - "description": "This module deploys a Recovery Services Vault Replication Protection Container.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -903,10 +903,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14373191902278145406" + "templateHash": "13334445778984042102" }, "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings", - "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -1136,10 +1136,10 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "5176653698082479064" + "templateHash": "7511225868129156252" }, "name": "Recovery Services Vault Replication Policies", - "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\r\n\r\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", + "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.", "owner": "Azure/module-maintainers" }, "parameters": { diff --git a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep index a95ea0b468..0e78cb6064 100644 --- a/modules/recovery-services/vault/tests/e2e/max/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/max/main.test.bicep @@ -352,7 +352,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep index 67c8e9c39b..005293b717 100644 --- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep @@ -350,13 +350,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] monitoringSettings: { azureMonitorAlertSettings: { alertsForAllJobFailures: 'Enabled' diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index 0e0ec1776b..32864ab014 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -193,7 +193,17 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuName: 'Standard' @@ -340,7 +350,17 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -566,13 +586,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] skuName: 'Standard' tags: { Environment: 'Non-Prod' @@ -712,15 +725,6 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "skuName": { "value": "Standard" }, @@ -774,7 +778,7 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`networkRuleSets`](#parameter-networkrulesets) | object | Configure networking options for Relay. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuName`](#parameter-skuname) | string | Name of this SKU. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`wcfRelays`](#parameter-wcfrelays) | array | The wcf relays to create in the relay namespace. | @@ -994,7 +998,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1146,7 +1150,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1174,7 +1178,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1187,7 +1191,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1235,7 +1239,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/relay/namespace/hybrid-connection/README.md b/modules/relay/namespace/hybrid-connection/README.md index b243f4adc7..338d271c3d 100644 --- a/modules/relay/namespace/hybrid-connection/README.md +++ b/modules/relay/namespace/hybrid-connection/README.md @@ -41,7 +41,7 @@ This module deploys a Relay Namespace Hybrid Connection. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this hybrid connection requires client authorization. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | ### Parameter: `authorizationRules` @@ -129,7 +129,7 @@ A value indicating if this hybrid connection requires client authorization. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -142,7 +142,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -190,7 +190,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/relay/namespace/hybrid-connection/main.bicep b/modules/relay/namespace/hybrid-connection/main.bicep index 26c75f7734..fcda242bda 100644 --- a/modules/relay/namespace/hybrid-connection/main.bicep +++ b/modules/relay/namespace/hybrid-connection/main.bicep @@ -45,7 +45,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -112,7 +112,7 @@ resource hybridConnection_lock 'Microsoft.Authorization/locks@2020-05-01' = if ( resource hybridConnection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(hybridConnection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -145,7 +145,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/relay/namespace/hybrid-connection/main.json b/modules/relay/namespace/hybrid-connection/main.json index 1e8f46af01..b3ba439423 100644 --- a/modules/relay/namespace/hybrid-connection/main.json +++ b/modules/relay/namespace/hybrid-connection/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7588969568395991504" + "version": "0.23.1.45101", + "templateHash": "10713076217261186547" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -172,7 +172,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -253,7 +253,7 @@ "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -299,8 +299,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2105813068659609285" + "version": "0.23.1.45101", + "templateHash": "8614944991526016585" }, "name": "Hybrid Connection Authorization Rules", "description": "This module deploys a Hybrid Connection Authorization Rule.", diff --git a/modules/relay/namespace/main.bicep b/modules/relay/namespace/main.bicep index 6f02fe6c2f..3ffa30c756 100644 --- a/modules/relay/namespace/main.bicep +++ b/modules/relay/namespace/main.bicep @@ -34,7 +34,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') @@ -241,7 +241,7 @@ module namespace_privateEndpoints '../../network/private-endpoint/main.bicep' = resource namespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(namespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -277,7 +277,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -354,7 +354,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/relay/namespace/main.json b/modules/relay/namespace/main.json index d8b196fe7e..1c9ac35781 100644 --- a/modules/relay/namespace/main.json +++ b/modules/relay/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2022191670394485396" + "templateHash": "5535628605331543748" }, "name": "Relay Namespaces", "description": "This module deploys a Relay Namespace", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -443,7 +443,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { @@ -574,7 +574,7 @@ "scope": "[format('Microsoft.Relay/namespaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Relay/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -884,7 +884,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4576720448388714998" + "templateHash": "10713076217261186547" }, "name": "Relay Namespace Hybrid Connections", "description": "This module deploys a Relay Namespace Hybrid Connection.", @@ -924,7 +924,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1050,7 +1050,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -1131,7 +1131,7 @@ "scope": "[format('Microsoft.Relay/namespaces/{0}/hybridConnections/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Relay/namespaces/hybridConnections', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1345,7 +1345,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7252195436240071963" + "templateHash": "15802304453622016892" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -1385,7 +1385,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1529,7 +1529,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -1612,7 +1612,7 @@ "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/relay/namespace/tests/e2e/max/main.test.bicep b/modules/relay/namespace/tests/e2e/max/main.test.bicep index 9615d7ad26..ef21d1c6bc 100644 --- a/modules/relay/namespace/tests/e2e/max/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/max/main.test.bicep @@ -80,7 +80,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep index b8527deec2..f4d56ac66e 100644 --- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -78,13 +78,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Environment: 'Non-Prod' Role: 'DeploymentValidation' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] networkRuleSets: { defaultAction: 'Deny' trustedServiceAccessEnabled: true diff --git a/modules/relay/namespace/wcf-relay/README.md b/modules/relay/namespace/wcf-relay/README.md index d79d0ecc46..9fd1f1fa89 100644 --- a/modules/relay/namespace/wcf-relay/README.md +++ b/modules/relay/namespace/wcf-relay/README.md @@ -42,7 +42,7 @@ This module deploys a Relay Namespace WCF Relay. | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`requiresClientAuthorization`](#parameter-requiresclientauthorization) | bool | A value indicating if this relay requires client authorization. | | [`requiresTransportSecurity`](#parameter-requirestransportsecurity) | bool | A value indicating if this relay requires transport security. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`userMetadata`](#parameter-usermetadata) | string | User-defined string data for the WCF Relay. | ### Parameter: `authorizationRules` @@ -151,7 +151,7 @@ A value indicating if this relay requires transport security. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -164,7 +164,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -212,7 +212,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/relay/namespace/wcf-relay/main.bicep b/modules/relay/namespace/wcf-relay/main.bicep index b550e525f9..f5a030cfa5 100644 --- a/modules/relay/namespace/wcf-relay/main.bicep +++ b/modules/relay/namespace/wcf-relay/main.bicep @@ -55,7 +55,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -124,7 +124,7 @@ resource wcfRelay_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(l resource wcfRelay_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(wcfRelay.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -157,7 +157,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/relay/namespace/wcf-relay/main.json b/modules/relay/namespace/wcf-relay/main.json index b03f789e67..bbe1de970b 100644 --- a/modules/relay/namespace/wcf-relay/main.json +++ b/modules/relay/namespace/wcf-relay/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2747029204512692072" + "version": "0.23.1.45101", + "templateHash": "15802304453622016892" }, "name": "Relay Namespace WCF Relays", "description": "This module deploys a Relay Namespace WCF Relay.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -190,7 +190,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -273,7 +273,7 @@ "scope": "[format('Microsoft.Relay/namespaces/{0}/wcfRelays/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Relay/namespaces/wcfRelays', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -319,8 +319,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "9905508445063497603" + "version": "0.23.1.45101", + "templateHash": "5333168181360876794" }, "name": "WCF Relay Authorization Rules", "description": "This module deploys a WCF Relay Authorization Rule.", diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index b9d4187d55..6060bb18ea 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -109,7 +109,17 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -158,7 +168,17 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -199,13 +219,6 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { name: 'myCustomLockName' } queryDescription: 'An example query to list first 10 resources in the subscription.' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -247,15 +260,6 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { "queryDescription": { "value": "An example query to list first 10 resources in the subscription." }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -288,7 +292,7 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`queryDescription`](#parameter-querydescription) | string | The description of a graph query. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -353,7 +357,7 @@ The description of a graph query. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -366,7 +370,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -414,7 +418,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/resource-graph/query/main.bicep b/modules/resource-graph/query/main.bicep index e4e5472ea4..229c82e68c 100644 --- a/modules/resource-graph/query/main.bicep +++ b/modules/resource-graph/query/main.bicep @@ -11,7 +11,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -68,7 +68,7 @@ resource rgQuery_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource rgQuery_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(rgQuery.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -104,7 +104,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/resource-graph/query/main.json b/modules/resource-graph/query/main.json index 74b82c908c..f267077d80 100644 --- a/modules/resource-graph/query/main.json +++ b/modules/resource-graph/query/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8296730698201438039" + "templateHash": "11112562742135242475" }, "name": "Resource Graph Queries", "description": "This module deploys a Resource Graph Query.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -128,7 +128,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -218,7 +218,7 @@ "scope": "[format('Microsoft.ResourceGraph/queries/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ResourceGraph/queries', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/resource-graph/query/tests/e2e/max/main.test.bicep b/modules/resource-graph/query/tests/e2e/max/main.test.bicep index 25ac98145e..93f3005086 100644 --- a/modules/resource-graph/query/tests/e2e/max/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/max/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep index 1209174e7c..893732aaee 100644 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep @@ -57,13 +57,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index 6e0fab2365..7f77ff124e 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -103,7 +103,17 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -146,7 +156,17 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -185,13 +205,6 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -227,15 +240,6 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -267,7 +271,7 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { | [`location`](#parameter-location) | string | Location of the Resource Group. It uses the deployment's location when not provided. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedBy`](#parameter-managedby) | string | The ID of the resource that manages this resource group. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the storage account resource. | ### Parameter: `enableDefaultTelemetry` @@ -326,7 +330,7 @@ The name of the Resource Group. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -339,7 +343,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -387,7 +391,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep index b4d65b905a..7bb4f4cc20 100644 --- a/modules/resources/resource-group/main.bicep +++ b/modules/resources/resource-group/main.bicep @@ -13,7 +13,7 @@ param location string = deployment().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the storage account resource.') @@ -71,7 +71,7 @@ module resourceGroup_lock 'modules/nested_lock.bicep' = if (!empty(lock ?? {}) & resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -103,7 +103,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json index 245ce057e8..eccb25088a 100644 --- a/modules/resources/resource-group/main.json +++ b/modules/resources/resource-group/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3578190975032336788" + "templateHash": "4157027857802113569" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -128,7 +128,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -201,7 +201,7 @@ "apiVersion": "2022-04-01", "name": "[guid(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/resources/resource-group/tests/e2e/max/main.test.bicep b/modules/resources/resource-group/tests/e2e/max/main.test.bicep index a110f2a5f4..e5d862b927 100644 --- a/modules/resources/resource-group/tests/e2e/max/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/max/main.test.bicep @@ -58,7 +58,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep index 5818c0052f..27d87dc197 100644 --- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep @@ -56,13 +56,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 09d052abaf..5c16abffb6 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -157,7 +157,17 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuName: 'Premium' @@ -251,7 +261,17 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1176,7 +1196,7 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`queues`](#parameter-queues) | array | The queues to create in the service bus namespace. | | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`skuCapacity`](#parameter-skucapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. | | [`skuName`](#parameter-skuname) | string | Name of this SKU. - Basic, Standard, Premium. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -1509,7 +1529,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1661,7 +1681,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1719,7 +1739,7 @@ Enable infrastructure encryption (double encryption). Note, this setting require ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1732,7 +1752,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1780,7 +1800,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-bus/namespace/main.bicep b/modules/service-bus/namespace/main.bicep index 4daedd1379..04d5cc64a3 100644 --- a/modules/service-bus/namespace/main.bicep +++ b/modules/service-bus/namespace/main.bicep @@ -72,7 +72,7 @@ param lock lockType @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentitiesType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @@ -365,7 +365,7 @@ module serviceBusNamespace_privateEndpoints '../../network/private-endpoint/main resource serviceBusNamespace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(serviceBusNamespace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -412,7 +412,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -489,7 +489,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/service-bus/namespace/main.json b/modules/service-bus/namespace/main.json index d24d8680d9..473e54d7b7 100644 --- a/modules/service-bus/namespace/main.json +++ b/modules/service-bus/namespace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11924265008092294292" + "templateHash": "15999404248309451971" }, "name": "Service Bus Namespaces", "description": "This module deploys a Service Bus Namespace.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -567,7 +567,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "publicNetworkAccess": { @@ -777,7 +777,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1379,7 +1379,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16361123354606932948" + "templateHash": "11801990742718728628" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", @@ -1419,7 +1419,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1645,7 +1645,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -1740,7 +1740,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1963,7 +1963,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17834121031858727476" + "templateHash": "15417348357364247690" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", @@ -2003,7 +2003,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -2194,7 +2194,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -2284,7 +2284,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/service-bus/namespace/queue/README.md b/modules/service-bus/namespace/queue/README.md index a99b09cfd8..852c05c23f 100644 --- a/modules/service-bus/namespace/queue/README.md +++ b/modules/service-bus/namespace/queue/README.md @@ -54,7 +54,7 @@ This module deploys a Service Bus Namespace Queue. | [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | | [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this queue requires duplicate detection. | | [`requiresSession`](#parameter-requiressession) | bool | A value that indicates whether the queue supports the concept of sessions. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | ### Parameter: `authorizationRules` @@ -231,7 +231,7 @@ A value that indicates whether the queue supports the concept of sessions. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -244,7 +244,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -292,7 +292,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-bus/namespace/queue/main.bicep b/modules/service-bus/namespace/queue/main.bicep index a4ab68d0ba..2f111f109e 100644 --- a/modules/service-bus/namespace/queue/main.bicep +++ b/modules/service-bus/namespace/queue/main.bicep @@ -88,7 +88,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -169,7 +169,7 @@ resource queue_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -202,7 +202,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/service-bus/namespace/queue/main.json b/modules/service-bus/namespace/queue/main.json index 266d6b0ba3..ec18685913 100644 --- a/modules/service-bus/namespace/queue/main.json +++ b/modules/service-bus/namespace/queue/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7820306070042751113" + "version": "0.23.1.45101", + "templateHash": "11801990742718728628" }, "name": "Service Bus Namespace Queue", "description": "This module deploys a Service Bus Namespace Queue.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -272,7 +272,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -367,7 +367,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/queues/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/queues', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -413,8 +413,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4578845431207793137" + "version": "0.23.1.45101", + "templateHash": "17590031156732651952" }, "name": "Service Bus Namespace Queue Authorization Rules", "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.", diff --git a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep index 745b38b64b..4bc6f9d364 100644 --- a/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/encr/main.test.bicep @@ -59,7 +59,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' skuName: 'Premium' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/service-bus/namespace/topic/README.md b/modules/service-bus/namespace/topic/README.md index 0e2bfa7837..69c13d5acf 100644 --- a/modules/service-bus/namespace/topic/README.md +++ b/modules/service-bus/namespace/topic/README.md @@ -48,7 +48,7 @@ This module deploys a Service Bus Namespace Topic. | [`maxMessageSizeInKilobytes`](#parameter-maxmessagesizeinkilobytes) | int | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. | | [`maxSizeInMegabytes`](#parameter-maxsizeinmegabytes) | int | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. | | [`requiresDuplicateDetection`](#parameter-requiresduplicatedetection) | bool | A value indicating if this topic requires duplicate detection. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`status`](#parameter-status) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. | | [`supportOrdering`](#parameter-supportordering) | bool | Value that indicates whether the topic supports ordering. | @@ -184,7 +184,7 @@ A value indicating if this topic requires duplicate detection. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -197,7 +197,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -245,7 +245,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-bus/namespace/topic/main.bicep b/modules/service-bus/namespace/topic/main.bicep index 7aba25aa34..9ff8bdcb06 100644 --- a/modules/service-bus/namespace/topic/main.bicep +++ b/modules/service-bus/namespace/topic/main.bicep @@ -73,7 +73,7 @@ param authorizationRules array = [ @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -149,7 +149,7 @@ resource topic_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock resource topic_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(topic.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -182,7 +182,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/service-bus/namespace/topic/main.json b/modules/service-bus/namespace/topic/main.json index e1787bdfb8..4b0e2d0904 100644 --- a/modules/service-bus/namespace/topic/main.json +++ b/modules/service-bus/namespace/topic/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14755107204839231715" + "version": "0.23.1.45101", + "templateHash": "15417348357364247690" }, "name": "Service Bus Namespace Topic", "description": "This module deploys a Service Bus Namespace Topic.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -237,7 +237,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -327,7 +327,7 @@ "scope": "[format('Microsoft.ServiceBus/namespaces/{0}/topics/{1}', parameters('namespaceName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('namespaceName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -373,8 +373,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3590235297575239025" + "version": "0.23.1.45101", + "templateHash": "1333107238814449885" }, "name": "Service Bus Namespace Topic Authorization Rules", "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.", diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index e24432c80e..15c49a3dcc 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -391,7 +391,17 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -609,7 +619,17 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -801,13 +821,6 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { ] } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { clusterName: 'sfcwaf001' 'hidden-title': 'This is visible in the resource name' @@ -1018,15 +1031,6 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "clusterName": "sfcwaf001", @@ -1099,7 +1103,7 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { | [`notifications`](#parameter-notifications) | array | Indicates a list of notification channels for cluster events. | | [`reverseProxyCertificate`](#parameter-reverseproxycertificate) | object | Describes the certificate details. | | [`reverseProxyCertificateCommonNames`](#parameter-reverseproxycertificatecommonnames) | object | Describes a list of server certificates referenced by common name that are used to secure the cluster. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sfZonalUpgradeMode`](#parameter-sfzonalupgrademode) | string | This property controls the logical grouping of VMs in upgrade domains (UDs). This property cannot be modified if a node type with multiple Availability Zones is already present in the cluster. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`upgradeDescription`](#parameter-upgradedescription) | object | Describes the policy used when upgrading the cluster. | @@ -1309,7 +1313,7 @@ Describes a list of server certificates referenced by common name that are used ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1322,7 +1326,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1370,7 +1374,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/service-fabric/cluster/main.bicep b/modules/service-fabric/cluster/main.bicep index 86f0780b18..b49631e5e7 100644 --- a/modules/service-fabric/cluster/main.bicep +++ b/modules/service-fabric/cluster/main.bicep @@ -128,7 +128,7 @@ param vmssZonalUpgradeMode string = 'Hierarchical' @description('Optional. Boolean to pause automatic runtime version upgrades to the cluster.') param waveUpgradePaused bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Array of Service Fabric cluster application types.') @@ -300,7 +300,7 @@ resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = resource serviceFabricCluster_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(serviceFabricCluster.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -350,7 +350,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/service-fabric/cluster/main.json b/modules/service-fabric/cluster/main.json index 5295769ffa..f23067b513 100644 --- a/modules/service-fabric/cluster/main.json +++ b/modules/service-fabric/cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18205764020383874033" + "templateHash": "5275013787596152510" }, "name": "Service Fabric Clusters", "description": "This module deploys a Service Fabric Cluster.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -358,7 +358,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "applicationTypes": { @@ -513,7 +513,7 @@ "scope": "[format('Microsoft.ServiceFabric/clusters/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.ServiceFabric/clusters', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep index ed86853a2b..cb3ffc3d41 100644 --- a/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/max/main.test.bicep @@ -212,7 +212,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' vmImage: 'Linux' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep index e54b21fd94..4cc334c475 100644 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep @@ -210,13 +210,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } vmImage: 'Linux' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] applicationTypes: [ { name: 'WordCount' // not idempotent diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 88a6f92780..a50cb51919 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -492,7 +492,7 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | The SKU of the service. | | [`tags`](#parameter-tags) | object | The tags of the resource. | | [`upstreamTemplatesToEnable`](#parameter-upstreamtemplatestoenable) | array | Upstream templates to enable. For more information, see https://learn.microsoft.com/en-us/azure/templates/microsoft.signalrservice/2022-02-01/signalr?pivots=deployment-language-bicep#upstreamtemplate. | @@ -660,7 +660,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -812,7 +812,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -875,7 +875,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -888,7 +888,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -936,7 +936,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/signal-r-service/signal-r/main.bicep b/modules/signal-r-service/signal-r/main.bicep index 59510d3f23..651e8d9707 100644 --- a/modules/signal-r-service/signal-r/main.bicep +++ b/modules/signal-r-service/signal-r/main.bicep @@ -95,7 +95,7 @@ param privateEndpoints privateEndpointType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -211,7 +211,7 @@ resource signalR_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lo resource signalR_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(signalR.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -247,7 +247,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -324,7 +324,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/signal-r-service/signal-r/main.json b/modules/signal-r-service/signal-r/main.json index 11fb90c5b6..050a462238 100644 --- a/modules/signal-r-service/signal-r/main.json +++ b/modules/signal-r-service/signal-r/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "2894209744845511778" + "templateHash": "17822146109821250505" }, "name": "SignalR Service SignalR", "description": "This module deploys a SignalR Service SignalR.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -251,7 +251,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -446,7 +446,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -563,7 +563,7 @@ "scope": "[format('Microsoft.SignalRService/signalR/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.SignalRService/signalR', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index 93c9eff877..db8dd5f45c 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -591,7 +591,7 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`resourceLogConfigurationsToEnable`](#parameter-resourcelogconfigurationstoenable) | array | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Pricing tier of the resource. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -723,7 +723,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -875,7 +875,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -938,7 +938,7 @@ Control permission for data plane traffic coming from public networks while priv ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -951,7 +951,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -999,7 +999,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/signal-r-service/web-pub-sub/main.bicep b/modules/signal-r-service/web-pub-sub/main.bicep index 141b8dbb59..7590254f7a 100644 --- a/modules/signal-r-service/web-pub-sub/main.bicep +++ b/modules/signal-r-service/web-pub-sub/main.bicep @@ -14,7 +14,7 @@ param privateEndpoints privateEndpointType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -168,7 +168,7 @@ resource webPubSub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource webPubSub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(webPubSub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -227,7 +227,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -304,7 +304,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/signal-r-service/web-pub-sub/main.json b/modules/signal-r-service/web-pub-sub/main.json index 1eb5855175..b3cfca3ae4 100644 --- a/modules/signal-r-service/web-pub-sub/main.json +++ b/modules/signal-r-service/web-pub-sub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10050729733452360096" + "templateHash": "9704119963251935464" }, "name": "SignalR Web PubSub Services", "description": "This module deploys a SignalR Web PubSub Service.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -332,7 +332,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -522,7 +522,7 @@ "scope": "[format('Microsoft.SignalRService/webPubSub/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.SignalRService/webPubSub', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 68e213b0e0..1a70895914 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -187,7 +187,17 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securityAlertPoliciesObj: { @@ -340,7 +350,17 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -588,13 +608,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { primaryUserAssignedIdentityId: '' proxyOverride: 'Proxy' publicDataEndpointEnabled: false - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securityAlertPoliciesObj: { emailAccountAdmins: true name: 'default' @@ -740,15 +753,6 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { "publicDataEndpointEnabled": { "value": false }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securityAlertPoliciesObj": { "value": { "emailAccountAdmins": true, @@ -840,7 +844,7 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { | [`publicDataEndpointEnabled`](#parameter-publicdataendpointenabled) | bool | Whether or not the public data endpoint is enabled. | | [`requestedBackupStorageRedundancy`](#parameter-requestedbackupstorageredundancy) | string | The storage account type used to store backups for this database. | | [`restorePointInTime`](#parameter-restorepointintime) | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityAlertPoliciesObj`](#parameter-securityalertpoliciesobj) | object | The security alert policy configuration. | | [`servicePrincipal`](#parameter-serviceprincipal) | string | Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal. | | [`skuName`](#parameter-skuname) | string | The name of the SKU, typically, a letter + Number code, e.g. P3. | @@ -1207,7 +1211,7 @@ Specifies the point in time (ISO8601 format) of the source database that will be ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1220,7 +1224,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1268,7 +1272,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/sql/managed-instance/main.bicep b/modules/sql/managed-instance/main.bicep index 71e9246b15..955174b9e9 100644 --- a/modules/sql/managed-instance/main.bicep +++ b/modules/sql/managed-instance/main.bicep @@ -92,7 +92,7 @@ param diagnosticSettings diagnosticSettingType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -253,7 +253,7 @@ resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticSettin resource managedInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(managedInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -390,7 +390,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/sql/managed-instance/main.json b/modules/sql/managed-instance/main.json index 89f34c4545..01d4fc7e31 100644 --- a/modules/sql/managed-instance/main.json +++ b/modules/sql/managed-instance/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7480252808079342861" + "templateHash": "3344803418636007926" }, "name": "SQL Managed Instances", "description": "This module deploys a SQL Managed Instance.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -417,7 +417,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -634,7 +634,7 @@ "scope": "[format('Microsoft.Sql/managedInstances/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Sql/managedInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep index 6fd22ed422..62ecd613a7 100644 --- a/modules/sql/managed-instance/tests/e2e/max/main.test.bicep +++ b/modules/sql/managed-instance/tests/e2e/max/main.test.bicep @@ -141,7 +141,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' publicDataEndpointEnabled: false roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep index 1627c8cc0c..9f69895001 100644 --- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep @@ -139,13 +139,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId proxyOverride: 'Proxy' publicDataEndpointEnabled: false - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] securityAlertPoliciesObj: { emailAccountAdmins: true name: 'default' diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index cb747eaee9..c9aff2d0db 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -214,7 +214,17 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] securityAlertPolicies: [ @@ -380,7 +390,17 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -837,13 +857,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { } ] restrictOutboundNetworkAccess: 'Disabled' - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] securityAlertPolicies: [ { emailAccountAdmins: true @@ -1002,15 +1015,6 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { "restrictOutboundNetworkAccess": { "value": "Disabled" }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "securityAlertPolicies": { "value": [ { @@ -1090,7 +1094,7 @@ module server 'br:bicep/modules/sql.server:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | | [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. | @@ -1267,7 +1271,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1419,7 +1423,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1477,7 +1481,7 @@ Whether or not to restrict outbound network access for this server. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1490,7 +1494,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1538,7 +1542,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/sql/server/main.bicep b/modules/sql/server/main.bicep index 10704ba9fa..c3654e9520 100644 --- a/modules/sql/server/main.bicep +++ b/modules/sql/server/main.bicep @@ -24,7 +24,7 @@ param primaryUserAssignedIdentityId string = '' @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -159,7 +159,7 @@ resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(loc resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -373,7 +373,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -450,7 +450,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/sql/server/main.json b/modules/sql/server/main.json index 87256e1cb5..362e1a67bd 100644 --- a/modules/sql/server/main.json +++ b/modules/sql/server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "17532070601905880257" + "templateHash": "13872952382016158092" }, "name": "Azure SQL Servers", "description": "This module deploys an Azure SQL Server.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -353,7 +353,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -552,7 +552,7 @@ "scope": "[format('Microsoft.Sql/servers/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Sql/servers', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/sql/server/tests/e2e/max/main.test.bicep b/modules/sql/server/tests/e2e/max/main.test.bicep index 4de18a90ed..a71f7575a2 100644 --- a/modules/sql/server/tests/e2e/max/main.test.bicep +++ b/modules/sql/server/tests/e2e/max/main.test.bicep @@ -84,7 +84,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' location: location roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep index 298ab514b7..c72c12cfee 100644 --- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep @@ -82,13 +82,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' administratorLogin: 'adminUserName' administratorLoginPassword: password location: location - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] vulnerabilityAssessmentsObj: { name: 'default' emailSubscriptionAdmins: true diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 0356684d3c..d6d27552a8 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -300,7 +300,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -374,7 +384,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] shareQuota: 5120 @@ -503,7 +523,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -518,7 +548,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sasExpirationPeriod: '180.00:00:00' @@ -587,7 +627,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -673,7 +723,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ], "shareQuota": 5120 @@ -818,7 +878,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -837,7 +907,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -935,7 +1015,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] skuName: 'Premium_LRS' @@ -1020,7 +1110,17 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -1354,13 +1454,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { ] } requireInfrastructureEncryption: true - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sasExpirationPeriod: '180.00:00:00' skuName: 'Standard_LRS' tableServices: { @@ -1672,15 +1765,6 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { "requireInfrastructureEncryption": { "value": true }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sasExpirationPeriod": { "value": "180.00:00:00" }, @@ -1773,7 +1857,7 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set. | | [`queueServices`](#parameter-queueservices) | object | Queue service and queues to create. | | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sasExpirationPeriod`](#parameter-sasexpirationperiod) | string | The SAS expiration period. DD.HH:MM:SS. | | [`skuName`](#parameter-skuname) | string | Storage Account Sku Name. | | [`supportsHttpsTrafficOnly`](#parameter-supportshttpstrafficonly) | bool | Allows HTTPS traffic only to storage service if sets to true. | @@ -2205,7 +2289,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -2357,7 +2441,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -2414,7 +2498,7 @@ A Boolean indicating whether or not the service applies a secondary layer of enc ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -2427,7 +2511,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -2475,7 +2559,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/storage/storage-account/blob-service/container/README.md b/modules/storage/storage-account/blob-service/container/README.md index edaa79f02b..8090c24588 100644 --- a/modules/storage/storage-account/blob-service/container/README.md +++ b/modules/storage/storage-account/blob-service/container/README.md @@ -45,7 +45,7 @@ This module deploys a Storage Account Blob Container. | [`immutableStorageWithVersioningEnabled`](#parameter-immutablestoragewithversioningenabled) | bool | This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process. | | [`metadata`](#parameter-metadata) | object | A name-value pair to associate with the container as metadata. | | [`publicAccess`](#parameter-publicaccess) | string | Specifies whether data in the container may be accessed publicly and the level of access. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | ### Parameter: `defaultEncryptionScope` @@ -133,7 +133,7 @@ Specifies whether data in the container may be accessed publicly and the level o ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -146,7 +146,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -194,7 +194,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/storage/storage-account/blob-service/container/main.bicep b/modules/storage/storage-account/blob-service/container/main.bicep index 7326ed40c4..2515388344 100644 --- a/modules/storage/storage-account/blob-service/container/main.bicep +++ b/modules/storage/storage-account/blob-service/container/main.bicep @@ -41,7 +41,7 @@ param metadata object = {} @description('Optional. Specifies whether data in the container may be accessed publicly and the level of access.') param publicAccess string = 'None' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -125,7 +125,7 @@ module immutabilityPolicy 'immutability-policy/main.bicep' = if (!empty(immutabi resource container_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(container.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -149,7 +149,7 @@ output resourceGroupName string = resourceGroup().name // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/storage/storage-account/blob-service/container/main.json b/modules/storage/storage-account/blob-service/container/main.json index c3e17f7ae9..6965e07fc0 100644 --- a/modules/storage/storage-account/blob-service/container/main.json +++ b/modules/storage/storage-account/blob-service/container/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11413707823135400961" + "templateHash": "679743391871280708" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -165,7 +165,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -260,7 +260,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/storage/storage-account/file-service/share/README.md b/modules/storage/storage-account/file-service/share/README.md index 7ca6ac07bd..5be390f912 100644 --- a/modules/storage/storage-account/file-service/share/README.md +++ b/modules/storage/storage-account/file-service/share/README.md @@ -38,7 +38,7 @@ This module deploys a Storage Account File Share. | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | | [`enabledProtocols`](#parameter-enabledprotocols) | string | The authentication protocol that is used for the file share. Can only be specified when creating a share. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`rootSquash`](#parameter-rootsquash) | string | Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. | | [`shareQuota`](#parameter-sharequota) | int | The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB). | @@ -94,7 +94,7 @@ The name of the file share to create. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -107,7 +107,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -155,7 +155,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/storage/storage-account/file-service/share/main.bicep b/modules/storage/storage-account/file-service/share/main.bicep index 656058fb92..554464fc4a 100644 --- a/modules/storage/storage-account/file-service/share/main.bicep +++ b/modules/storage/storage-account/file-service/share/main.bicep @@ -39,7 +39,7 @@ param enabledProtocols string = 'SMB' @description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.') param rootSquash string = 'NoRootSquash' -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -104,7 +104,7 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-0 resource fileShare_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -128,7 +128,7 @@ output resourceGroupName string = resourceGroup().name // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/storage/storage-account/file-service/share/main.json b/modules/storage/storage-account/file-service/share/main.json index a3fcfe5179..09244c51ff 100644 --- a/modules/storage/storage-account/file-service/share/main.json +++ b/modules/storage/storage-account/file-service/share/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15538733704323873805" + "templateHash": "9132955781190739589" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -147,7 +147,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -238,7 +238,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/storage/storage-account/main.bicep b/modules/storage/storage-account/main.bicep index 2c8f1cdacb..81f8427eda 100644 --- a/modules/storage/storage-account/main.bicep +++ b/modules/storage/storage-account/main.bicep @@ -9,7 +9,7 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The managed identity definition for this resource.') @@ -330,7 +330,7 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource storageAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(storageAccount.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -497,7 +497,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -574,7 +574,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/storage/storage-account/main.json b/modules/storage/storage-account/main.json index 1eb678c07d..489d9444ee 100644 --- a/modules/storage/storage-account/main.json +++ b/modules/storage/storage-account/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7782694235197058482" + "templateHash": "3619035184821404610" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -273,7 +273,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -432,7 +432,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "managedIdentities": { @@ -907,7 +907,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1869,7 +1869,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "18255279964987657305" + "templateHash": "7804367921688111066" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -2246,7 +2246,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "11413707823135400961" + "templateHash": "679743391871280708" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -2261,7 +2261,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -2405,7 +2405,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -2500,7 +2500,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}/containers/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -2740,7 +2740,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6280006322501716234" + "templateHash": "14917534017717518918" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -3006,7 +3006,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15538733704323873805" + "templateHash": "9132955781190739589" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -3021,7 +3021,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -3147,7 +3147,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -3238,7 +3238,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/fileServices/{1}/shares/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -3341,7 +3341,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "1159938655127712786" + "templateHash": "13348116021204111185" }, "name": "Storage Account Queue Services", "description": "This module deploys a Storage Account Queue Service.", @@ -3575,7 +3575,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6271299191275064402" + "templateHash": "1310506738440238472" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -3590,7 +3590,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -3673,7 +3673,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -3761,7 +3761,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/storage/storage-account/queue-service/queue/README.md b/modules/storage/storage-account/queue-service/queue/README.md index 80f73fb29e..5932d7872e 100644 --- a/modules/storage/storage-account/queue-service/queue/README.md +++ b/modules/storage/storage-account/queue-service/queue/README.md @@ -36,7 +36,7 @@ This module deploys a Storage Account Queue. | Parameter | Type | Description | | :-- | :-- | :-- | | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | ### Parameter: `enableDefaultTelemetry` @@ -60,7 +60,7 @@ The name of the storage queue to deploy. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -73,7 +73,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -121,7 +121,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/storage/storage-account/queue-service/queue/main.bicep b/modules/storage/storage-account/queue-service/queue/main.bicep index bb2ee92dcd..8394d222c7 100644 --- a/modules/storage/storage-account/queue-service/queue/main.bicep +++ b/modules/storage/storage-account/queue-service/queue/main.bicep @@ -12,7 +12,7 @@ param name string @description('Required. A name-value pair that represents queue metadata.') param metadata object = {} -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') @@ -74,7 +74,7 @@ resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2021-09-0 resource queue_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(queue.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -98,7 +98,7 @@ output resourceGroupName string = resourceGroup().name // =============== // type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/storage/storage-account/queue-service/queue/main.json b/modules/storage/storage-account/queue-service/queue/main.json index 46144b8293..374952345c 100644 --- a/modules/storage/storage-account/queue-service/queue/main.json +++ b/modules/storage/storage-account/queue-service/queue/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6271299191275064402" + "templateHash": "1310506738440238472" }, "name": "Storage Account Queues", "description": "This module deploys a Storage Account Queue.", @@ -21,7 +21,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -104,7 +104,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "enableDefaultTelemetry": { @@ -192,7 +192,7 @@ "scope": "[format('Microsoft.Storage/storageAccounts/{0}/queueServices/{1}/queues/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/storage/storage-account/tests/e2e/max/main.test.bicep b/modules/storage/storage-account/tests/e2e/max/main.test.bicep index db2803d5f3..8f1a304088 100644 --- a/modules/storage/storage-account/tests/e2e/max/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/max/main.test.bicep @@ -150,7 +150,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' publicAccess: 'None' roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } @@ -195,7 +205,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' shareQuota: 5120 roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } @@ -251,7 +271,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } @@ -272,7 +302,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep index 4c3fb2ad5a..59e23e6707 100644 --- a/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/nfs/main.test.bicep @@ -88,7 +88,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep index cd06ed1f80..1ceb919f76 100644 --- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep @@ -270,13 +270,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.managedIdentityResourceId ] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] diagnosticSettings: [ { name: 'customSetting' diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index c023d34f2e..7b95540281 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md @@ -349,7 +349,7 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { | [`location`](#parameter-location) | string | The geo-location where the resource lives. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `enableDefaultTelemetry` @@ -419,7 +419,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -571,7 +571,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -599,7 +599,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -612,7 +612,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -660,7 +660,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/synapse/private-link-hub/main.bicep b/modules/synapse/private-link-hub/main.bicep index 63beeebac2..bd100e3ab1 100644 --- a/modules/synapse/private-link-hub/main.bicep +++ b/modules/synapse/private-link-hub/main.bicep @@ -17,7 +17,7 @@ param lock lockType @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') @@ -65,7 +65,7 @@ resource privateLinkHub_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource privateLinkHub_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(privateLinkHub.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -203,7 +203,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/synapse/private-link-hub/main.json b/modules/synapse/private-link-hub/main.json index 08bd584f4e..789ade5675 100644 --- a/modules/synapse/private-link-hub/main.json +++ b/modules/synapse/private-link-hub/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13641263936979099332" + "templateHash": "8159099394121602956" }, "name": "Azure Synapse Analytics", "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -250,7 +250,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -316,7 +316,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { @@ -382,7 +382,7 @@ "scope": "[format('Microsoft.Synapse/privateLinkHubs/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Synapse/privateLinkHubs', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index cc322cb201..0573d4ba92 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -404,7 +404,17 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] } @@ -501,7 +511,17 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] } @@ -576,13 +596,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] } } ``` @@ -671,15 +684,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } } ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] } } } @@ -723,7 +727,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Enable or Disable public network access to workspace. | | [`purviewResourceID`](#parameter-purviewresourceid) | string | Purview Resource ID. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | @@ -1032,7 +1036,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | Yes | string | Required. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1184,7 +1188,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1233,7 +1237,7 @@ Purview Resource ID. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1246,7 +1250,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1294,7 +1298,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index 8f3a6081b1..5071d3792b 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep @@ -82,7 +82,7 @@ param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') @@ -244,7 +244,7 @@ resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty( resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(workspace.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -336,7 +336,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -413,7 +413,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json index 921607a393..992c7ee7a8 100644 --- a/modules/synapse/workspace/main.json +++ b/modules/synapse/workspace/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "15054643166708760026" + "templateHash": "11432454877578684886" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", @@ -61,7 +61,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -265,7 +265,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -585,7 +585,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { @@ -719,7 +719,7 @@ "scope": "[format('Microsoft.Synapse/workspaces/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Synapse/workspaces', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep index 7161f6dfc7..b94327be00 100644 --- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep @@ -79,7 +79,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep index abf7d8b7c8..ddc6aaef1c 100644 --- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -77,13 +77,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' nestedDependencies.outputs.managedIdentityResourceId ] } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] privateEndpoints: [ { subnetResourceId: nestedDependencies.outputs.subnetResourceId diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index d58507d074..94be45115b 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -164,7 +164,17 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sigImageDefinitionId: '' @@ -249,7 +259,17 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -332,13 +352,6 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 } managedImageName: 'mi-vmiitwaf-001' osDiskSizeGB: 127 - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sigImageDefinitionId: '' sigImageVersion: '' stagingResourceGroup: '' @@ -416,15 +429,6 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 "osDiskSizeGB": { "value": 127 }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sigImageDefinitionId": { "value": "" }, @@ -489,7 +493,7 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0 | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedImageName`](#parameter-managedimagename) | string | Name of the managed image that will be created in the AIB resourcegroup. | | [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sigImageDefinitionId`](#parameter-sigimagedefinitionid) | string | Resource ID of Shared Image Gallery to distribute image to, e.g.: /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images/. | | [`sigImageVersion`](#parameter-sigimageversion) | string | Version of the Shared Image Gallery Image. Supports the following Version Syntax: Major.Minor.Build (i.e., '1.1.1' or '10.1.2'). | | [`stagingResourceGroup`](#parameter-stagingresourcegroup) | string | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.

If this field is empty, a resource group with a random name will be created.

If the resource group specified in this field doesn't exist, it will be created with the same name.

If the resource group specified exists, it must be empty and in the same region as the image template.

The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,

but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. | @@ -610,7 +614,7 @@ Specifies the size of OS disk. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -623,7 +627,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -671,7 +675,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/virtual-machine-images/image-template/main.bicep b/modules/virtual-machine-images/image-template/main.bicep index fe3615ab8a..bf152429d2 100644 --- a/modules/virtual-machine-images/image-template/main.bicep +++ b/modules/virtual-machine-images/image-template/main.bicep @@ -77,7 +77,7 @@ param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType var managedImageNameVar = '${managedImageName}-${baseTime}' @@ -197,7 +197,7 @@ resource imageTemplate_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!em resource imageTemplate_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(imageTemplate.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -239,7 +239,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/virtual-machine-images/image-template/main.json b/modules/virtual-machine-images/image-template/main.json index db5fe986d1..735a4da338 100644 --- a/modules/virtual-machine-images/image-template/main.json +++ b/modules/virtual-machine-images/image-template/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "11391151747567689793" + "version": "0.23.1.45101", + "templateHash": "10277577540639461484" }, "name": "Virtual Machine Image Templates", "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -271,7 +271,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } } }, @@ -407,7 +407,7 @@ "scope": "[format('Microsoft.VirtualMachineImages/imageTemplates/{0}', format('{0}-{1}', parameters('name'), parameters('baseTime')))]", "name": "[guid(resourceId('Microsoft.VirtualMachineImages/imageTemplates', format('{0}-{1}', parameters('name'), parameters('baseTime'))), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep index 254fadcce6..cc579a73df 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep @@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = { osDiskSizeGB: 127 roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep index 7e2e523fee..4c43082a0b 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep @@ -92,13 +92,6 @@ module testDeployment '../../../main.bicep' = { } managedImageName: '${namePrefix}-mi-${serviceShort}-001' osDiskSizeGB: 127 - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId sigImageVersion: sigImageVersion subnetId: nestedDependencies.outputs.subnetId diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index 682936b91b..e05f020df9 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -58,7 +58,17 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -109,7 +119,17 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -152,13 +172,6 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -202,15 +215,6 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -246,7 +250,7 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`nonSecretParameterValues`](#parameter-nonsecretparametervalues) | object | Dictionary of nonsecret parameter values. | | [`parameterValues`](#parameter-parametervalues) | secureObject | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`statuses`](#parameter-statuses) | array | Status of the connection. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`testLinks`](#parameter-testlinks) | array | Links to test the API connection. | @@ -334,7 +338,7 @@ Connection strings or access keys for connection. Example: 'accountName' and 'ac ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -347,7 +351,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -395,7 +399,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/connection/main.bicep b/modules/web/connection/main.bicep index 96bb44f427..833405ad8a 100644 --- a/modules/web/connection/main.bicep +++ b/modules/web/connection/main.bicep @@ -28,7 +28,7 @@ param nonSecretParameterValues object = {} @secure() param parameterValues object = {} -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Status of the connection.') @@ -90,7 +90,7 @@ resource connection_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty resource connection_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(connection.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -126,7 +126,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/connection/main.json b/modules/web/connection/main.json index 679bd8421b..99018cbb1c 100644 --- a/modules/web/connection/main.json +++ b/modules/web/connection/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "6835685979701514548" + "templateHash": "12952997110880403069" }, "name": "API Connections", "description": "This module deploys an Azure API Connection.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -163,7 +163,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "statuses": { @@ -258,7 +258,7 @@ "scope": "[format('Microsoft.Web/connections/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/connections', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/connection/tests/e2e/max/main.test.bicep b/modules/web/connection/tests/e2e/max/main.test.bicep index d57a2503f7..6a482325ae 100644 --- a/modules/web/connection/tests/e2e/max/main.test.bicep +++ b/modules/web/connection/tests/e2e/max/main.test.bicep @@ -64,7 +64,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep index a8d11dca02..9718e758f7 100644 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -62,13 +62,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/web/hosting-environment/README.md b/modules/web/hosting-environment/README.md index 734fd524e6..1f8855f1a6 100644 --- a/modules/web/hosting-environment/README.md +++ b/modules/web/hosting-environment/README.md @@ -79,7 +79,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -164,7 +174,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -235,7 +255,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -336,7 +366,17 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -396,7 +436,7 @@ module hostingEnvironment 'br:bicep/modules/web.hosting-environment:1.0.0' = { | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`multiSize`](#parameter-multisize) | string | Frontend VM size. Cannot be used when kind is set to ASEv3. | | [`remoteDebugEnabled`](#parameter-remotedebugenabled) | bool | Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set to ASEv2. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | | [`upgradePreference`](#parameter-upgradepreference) | string | Specify preference for when and how the planned maintenance is applied. | | [`userWhitelistedIpRanges`](#parameter-userwhitelistedipranges) | array | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | @@ -717,7 +757,7 @@ Property to enable and disable Remote Debug on ASEv3. Ignored when kind is set t ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -730,7 +770,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -778,7 +818,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/hosting-environment/main.bicep b/modules/web/hosting-environment/main.bicep index 9088e0474d..6119f42ebe 100644 --- a/modules/web/hosting-environment/main.bicep +++ b/modules/web/hosting-environment/main.bicep @@ -12,7 +12,7 @@ param location string = resourceGroup().location @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Resource tags.') @@ -225,7 +225,7 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -269,7 +269,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/hosting-environment/main.json b/modules/web/hosting-environment/main.json index b53284c51d..c74528106b 100644 --- a/modules/web/hosting-environment/main.json +++ b/modules/web/hosting-environment/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10962869599499139784" + "templateHash": "13887067591224249437" }, "name": "App Service Environments", "description": "This module deploys an App Service Environment.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -240,7 +240,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -534,7 +534,7 @@ "scope": "[format('Microsoft.Web/hostingEnvironments/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/hostingEnvironments', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep index 455dba1779..36c5157724 100644 --- a/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev2/main.test.bicep @@ -73,7 +73,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep index ac50975bc3..93269c7e3b 100644 --- a/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep +++ b/modules/web/hosting-environment/tests/e2e/asev3/main.test.bicep @@ -75,7 +75,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 9e93d77498..79c2341050 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -76,7 +76,17 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] tags: { @@ -144,7 +154,17 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -204,13 +224,6 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -271,15 +284,6 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { "name": "myCustomLockName" } }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", @@ -321,7 +325,7 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maximumElasticWorkerCount`](#parameter-maximumelasticworkercount) | int | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | | [`perSiteScaling`](#parameter-persitescaling) | bool | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Tags of the resource. | | [`targetWorkerCount`](#parameter-targetworkercount) | int | Scaling worker count. | | [`targetWorkerSize`](#parameter-targetworkersize) | int | The instance size of the hosting plan (small, medium, or large). | @@ -492,7 +496,7 @@ Defaults to false when creating Windows/app App Service Plan. Required if creati ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -505,7 +509,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -553,7 +557,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/serverfarm/main.bicep b/modules/web/serverfarm/main.bicep index d5bc0cd954..81f5bb336a 100644 --- a/modules/web/serverfarm/main.bicep +++ b/modules/web/serverfarm/main.bicep @@ -45,7 +45,7 @@ param targetWorkerSize int = 0 @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') @@ -136,7 +136,7 @@ resource appServicePlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e resource appServicePlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appServicePlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -175,7 +175,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') diff --git a/modules/web/serverfarm/main.json b/modules/web/serverfarm/main.json index 74be015ae5..9402f8697b 100644 --- a/modules/web/serverfarm/main.json +++ b/modules/web/serverfarm/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "10832175948195959384" + "templateHash": "8141689023365328842" }, "name": "App Service Plans", "description": "This module deploys an App Service Plan.", @@ -46,7 +46,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -270,7 +270,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -391,7 +391,7 @@ "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/serverfarm/tests/e2e/max/main.test.bicep b/modules/web/serverfarm/tests/e2e/max/main.test.bicep index ce1c1ea9c1..7eadba7f28 100644 --- a/modules/web/serverfarm/tests/e2e/max/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/max/main.test.bicep @@ -94,7 +94,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep index 24e51db825..f784e6761a 100644 --- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -92,13 +92,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' kind: 'CanNotDelete' name: 'myCustomLockName' } - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' diff --git a/modules/web/site/README.md b/modules/web/site/README.md index 8722de026a..f5c22619c5 100644 --- a/modules/web/site/README.md +++ b/modules/web/site/README.md @@ -185,7 +185,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] setAzureWebJobsDashboard: true @@ -372,7 +382,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -531,7 +551,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] scmSiteAlsoStopped: true @@ -723,7 +753,17 @@ module site 'br:bicep/modules/web.site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -924,7 +964,7 @@ module site 'br:bicep/modules/web.site:1.0.0' = { | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`scmSiteAlsoStopped`](#parameter-scmsitealsostopped) | bool | Stop SCM (KUDU) site when the app is stopped. | | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`siteConfig`](#parameter-siteconfig) | object | The site config object. | @@ -1302,7 +1342,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -1454,7 +1494,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -1514,7 +1554,7 @@ Site redundancy mode. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -1527,7 +1567,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -1575,7 +1615,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 6440c271b1..78c7f41c6c 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -87,7 +87,7 @@ param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The diagnostic settings of the service.') @@ -349,7 +349,7 @@ resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0 resource app_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(app.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -432,7 +432,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -509,7 +509,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 27cc961134..211a57eeee 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8821774728735377657" + "templateHash": "6627371400613258723" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -596,7 +596,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { @@ -833,7 +833,7 @@ "scope": "[format('Microsoft.Web/sites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", @@ -1206,7 +1206,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3288853087979845666" + "templateHash": "16876460167630133410" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -1269,7 +1269,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -1474,7 +1474,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -1768,7 +1768,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { @@ -2034,7 +2034,7 @@ "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/site/slot/README.md b/modules/web/site/slot/README.md index 952f9bec31..ea3d48350f 100644 --- a/modules/web/site/slot/README.md +++ b/modules/web/site/slot/README.md @@ -70,7 +70,7 @@ This module deploys a Web or Function App Deployment Slot. | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Allow or block all public traffic. | | [`redundancyMode`](#parameter-redundancymode) | string | Site redundancy mode. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`serverFarmResourceId`](#parameter-serverfarmresourceid) | string | The resource ID of the app service plan to use for the slot. | | [`setAzureWebJobsDashboard`](#parameter-setazurewebjobsdashboard) | bool | For function apps. If true the app settings "AzureWebJobsDashboard" will be set. If false not. In case you use Application Insights it can make sense to not set it for performance reasons. | | [`siteConfig`](#parameter-siteconfig) | object | The site config object. | @@ -453,7 +453,7 @@ Configuration details for private endpoints. | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -605,7 +605,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -665,7 +665,7 @@ Site redundancy mode. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -678,7 +678,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -726,7 +726,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/site/slot/main.bicep b/modules/web/site/slot/main.bicep index 49722f7eef..dd2199d0bd 100644 --- a/modules/web/site/slot/main.bicep +++ b/modules/web/site/slot/main.bicep @@ -75,7 +75,7 @@ param tags object? @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. The diagnostic settings of the service.') @@ -305,7 +305,7 @@ resource slot_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05- resource slot_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(slot.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -376,7 +376,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -453,7 +453,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/web/site/slot/main.json b/modules/web/site/slot/main.json index efe7f4d81a..d108d20bcd 100644 --- a/modules/web/site/slot/main.json +++ b/modules/web/site/slot/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3288853087979845666" + "templateHash": "16876460167630133410" }, "name": "Web/Function App Deployment Slots", "description": "This module deploys a Web or Function App Deployment Slot.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -568,7 +568,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "diagnosticSettings": { @@ -834,7 +834,7 @@ "scope": "[format('Microsoft.Web/sites/{0}/slots/{1}', parameters('appName'), parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/sites/slots', parameters('appName'), parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep index eb682196f8..5abbca04b8 100644 --- a/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/functionAppCommon/main.test.bicep @@ -184,7 +184,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep index fbb4e0cf1d..4fea3485cd 100644 --- a/modules/web/site/tests/e2e/webAppCommon/main.test.bicep +++ b/modules/web/site/tests/e2e/webAppCommon/main.test.bicep @@ -175,7 +175,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index 6eaa86c579..c4dbc50149 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -140,7 +140,17 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { { principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' } ] sku: 'Standard' @@ -231,7 +241,17 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { { "principalId": "", "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" + "roleDefinitionIdOrName": "Owner" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" } ] }, @@ -308,13 +328,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' tags: { @@ -398,15 +411,6 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { } ] }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "sku": { "value": "Standard" }, @@ -456,7 +460,7 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { | [`provider`](#parameter-provider) | string | The provider that submitted the last deployment to the primary environment of the static site. | | [`repositoryToken`](#parameter-repositorytoken) | securestring | The Personal Access Token for accessing the GitHub repository. | | [`repositoryUrl`](#parameter-repositoryurl) | string | The name of the GitHub repository. | -| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`sku`](#parameter-sku) | string | Type of static site to deploy. | | [`stagingEnvironmentPolicy`](#parameter-stagingenvironmentpolicy) | string | State indicating whether staging environments are allowed or not allowed for a static web app. | | [`tags`](#parameter-tags) | object | Tags of the resource. | @@ -620,7 +624,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | No | string | Optional. The name of the private endpoint. | | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | No | string | Optional. The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. | | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | No | array | Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | -| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleAssignments`](#parameter-privateendpointsroleassignments) | No | array | Optional. Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | No | string | Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob". | | [`subnetResourceId`](#parameter-privateendpointssubnetresourceid) | Yes | string | Required. Resource ID of the subnet where the endpoint needs to be created. | | [`tags`](#parameter-privateendpointstags) | No | object | Optional. Tags to be applied on all resources/resource groups in this deployment. | @@ -772,7 +776,7 @@ Optional. The private DNS zone groups to associate the private endpoint with. A ### Parameter: `privateEndpoints.roleAssignments` -Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Optional. Array of role assignments to create. - Required: No - Type: array @@ -821,7 +825,7 @@ The name of the GitHub repository. ### Parameter: `roleAssignments` -Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +Array of role assignments to create. - Required: No - Type: array @@ -834,7 +838,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | | [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | -| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | ### Parameter: `roleAssignments.condition` @@ -882,7 +886,7 @@ Optional. The principal type of the assigned principal ID. ### Parameter: `roleAssignments.roleDefinitionIdOrName` -Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. +Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/modules/web/static-site/main.bicep b/modules/web/static-site/main.bicep index 6ca47ca5ec..704cebbe70 100644 --- a/modules/web/static-site/main.bicep +++ b/modules/web/static-site/main.bicep @@ -70,7 +70,7 @@ param tags object? @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType @description('Optional. Object with "resourceId" and "location" of the a user defined function app.') @@ -190,7 +190,7 @@ resource staticSite_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty resource staticSite_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(staticSite.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName + roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType @@ -264,7 +264,7 @@ type lockType = { }? type roleAssignmentType = { - @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') roleDefinitionIdOrName: string @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') @@ -341,7 +341,7 @@ type privateEndpointType = { @description('Optional. Specify the type of lock.') lock: lockType - @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + @description('Optional. Array of role assignments to create.') roleAssignments: roleAssignmentType @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') diff --git a/modules/web/static-site/main.json b/modules/web/static-site/main.json index fc659eef34..850eea7879 100644 --- a/modules/web/static-site/main.json +++ b/modules/web/static-site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12660101708954592641" + "templateHash": "1972191621448105734" }, "name": "Static Web Apps", "description": "This module deploys a Static Web App.", @@ -69,7 +69,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -274,7 +274,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "tags": { @@ -438,7 +438,7 @@ "roleAssignments": { "$ref": "#/definitions/roleAssignmentType", "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Optional. Array of role assignments to create." } }, "linkedBackend": { @@ -546,7 +546,7 @@ "scope": "[format('Microsoft.Web/staticSites/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.Web/staticSites', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", diff --git a/modules/web/static-site/tests/e2e/max/main.test.bicep b/modules/web/static-site/tests/e2e/max/main.test.bicep index 8bc7cecf8d..8181fac011 100644 --- a/modules/web/static-site/tests/e2e/max/main.test.bicep +++ b/modules/web/static-site/tests/e2e/max/main.test.bicep @@ -77,7 +77,17 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ] roleAssignments: [ { - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: 'Owner' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalId: nestedDependencies.outputs.managedIdentityPrincipalId principalType: 'ServicePrincipal' } diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep index afe97a5d32..183fa819ef 100644 --- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -75,13 +75,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' } } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' managedIdentities: {