feat: Added role assignment support for RGs #434
Looking good @DaFitRobsta, just a couple of small bits.
Do you think it may be easier to take the full resource ID for resource groups as the array entries rather than a custom input of `<sub ID>/<RG Name>`?
I'm cool with not changing it, just wanted to pose the question. I can see you followed the current convention we use here, like subscriptions and management groups, so completely fine with leaving it as I say.
@jtracey93, I initially considered using the resource ID of the resource group, but when setting the scope of the module, it won't accept a resource ID. It expects a subscription ID and resource group name in `resourceGroup()`. To reduce the number of additional string functions, I decided to go with a custom input. I can definitely change it, but after reviewing the other modules, they are very similar in that they don't use an official resource ID. Let me know how you would like me to proceed.
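The two input formats discussed above, side by side, as an added example that is not part of this PR or the ALZ-Bicep code base: both reduce to the subscription ID and resource group name that the module's `scope` needs. All parameter, variable and module symbol names, the sample values, and the assumption that `roleAssignmentResourceGroup.bicep` sits in the same folder and accepts these two parameters are hypothetical.

```bicep
// Added example, not the PR's code. Names and sample values are hypothetical.
targetScope = 'managementGroup'

// Constructed sample in the '<sub ID>/<RG Name>' format used in the thread.
param parCustomEntries array = [
  '00000000-0000-0000-0000-000000000000/rg-example-001'
]

// Constructed sample of the alternative raised in review: a full resource ID.
param parResourceIds array = [
  '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example-002'
]

param parRoleDefinitionId string
param parAssigneeObjectId string

// '<sub ID>/<RG Name>' splits into [subId, rgName].
var varFromCustom = [for entry in parCustomEntries: {
  subscriptionId: split(entry, '/')[0]
  resourceGroupName: split(entry, '/')[1]
}]

// '/subscriptions/<id>/resourceGroups/<name>' splits into
// ['', 'subscriptions', id, 'resourceGroups', name].
var varFromResourceId = [for id in parResourceIds: {
  subscriptionId: split(id, '/')[2]
  resourceGroupName: split(id, '/')[4]
}]

var varTargets = concat(varFromCustom, varFromResourceId)

// One module deployment per resource group, each scoped to exactly that group.
module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for target in varTargets: {
  name: 'ra-rg-${uniqueString(target.subscriptionId, target.resourceGroupName, parRoleDefinitionId, parAssigneeObjectId)}'
  scope: resourceGroup(target.subscriptionId, target.resourceGroupName)
  params: {
    parRoleDefinitionId: parRoleDefinitionId   // assumed module parameter
    parAssigneeObjectId: parAssigneeObjectId   // assumed module parameter
  }
}]
```

Either input form ends up as the same two arguments to `resourceGroup()`; the resource ID form only changes which indexes of the split are read.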
Ah set scope on the module declaration to resource group in the policy module.
On 24 Jan 2023, at 14:23, Robert Lightner ***@***.***> wrote:
@DaFitRobsta commented on this pull request.
In infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep:
@@ -0,0 +1,42 @@
+targetScope = 'resourceGroup'
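Review bot: The `targetScope = 'resourceGroup'` line at the top of roleAssignmentResourceGroup.bicep should carry a short comment stating that any caller deployed at another scope must set `scope: resourceGroup(<subscription ID>, <resource group name>)` on its module declaration. The BCP134 message quoted in this thread shows `resourceGroup` is the only permitted scope for this module, so documenting that next to the declaration saves the next contributor the same compile errors.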
It appears scope is required based on how policyAssignmentManagementGroup.bicep is defined. When I removed the targetscope, I got the following errors:
`C:\repos\ALZ-Bicep\infra-as-code\bicep\modules\policy\assignments\policyAssignmentManagementGroup.bicep(111,8) : Error BCP035: The specified "module" declaration is missing the following required properties: "scope".
C:\repos\ALZ-Bicep\infra-as-code\bicep\modules\policy\assignments\policyAssignmentManagementGroup.bicep(111,121) : Error BCP134: Scope "managementGroup" is not valid for this module. Permitted scopes: "resourceGroup".`
/azp run validateazcloud
Azure Pipelines successfully started running 1 pipeline(s).
/azp run e2e
Azure Pipelines successfully started running 1 pipeline(s).
LGTM. running tests and will merge
Overview/Summary
Added support for Role Assignment at the Resource Group(s) level, following the same pattern as the Management Group(s) and Subscription(s) Bicep modules. This is to address feature request #376. AB#25949
This PR fixes/adds/changes/removes
Breaking Changes
No breaking change, additional feature added.
Testing Evidence
Tested the policyAssignmentManagementGroup.bicep module by passing in the new parameter, parPolicyAssignmentIdentityRoleAssignmentsResourceGroups, and it successfully granted the policy assignment ID contributor rights over two resource groups in a different subscription from the management group.
Tested both modules, roleAssignmentResourceGroupMany.bicep and roleAssignmentResourceGroup.bicep, following the same parameter file structure as the existing management group and subscription parameter files. Both deployments were successful.
As part of this Pull Request I have
`.bicep` file/s I am adding/editing are using the latest API version possible
`main` branch