feat: Added role assignment support for RGs

infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md

@@ -18,6 +18,7 @@ parPolicyAssignmentEnforcementMode | No       | The enforcement mode for the pol
 parPolicyAssignmentIdentityType | No       | The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects.
 parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | No       | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ].
 parPolicyAssignmentIdentityRoleAssignmentsSubs | No       | An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ].
+parPolicyAssignmentIdentityRoleAssignmentsResourceGroups | No       | An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ].
 parPolicyAssignmentIdentityRoleDefinitionIds | No       | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'].
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
 
@@ -101,6 +102,12 @@ An array containing a list of additional Management Group IDs (as the Management
 
 An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ].
 
+### parPolicyAssignmentIdentityRoleAssignmentsResourceGroups
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ].
+
 ### parPolicyAssignmentIdentityRoleDefinitionIds
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -163,6 +170,9 @@ Set Parameter to true to Opt-out of deployment telemetry
         "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
             "value": []
         },
+        "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+            "value": []
+        },
         "parPolicyAssignmentIdentityRoleDefinitionIds": {
             "value": []
         },

infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json

@@ -59,6 +59,9 @@
         "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
             "value": []
         },
+        "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+          "value": []
+        },
         "parPolicyAssignmentIdentityRoleDefinitionIds": {
             "value": [
                 "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
@@ -68,4 +71,4 @@
             "value": false
         }
     }
-}
+}

infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json

@@ -38,11 +38,14 @@
         "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
             "value": []
         },
+        "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+          "value": []
+        },
         "parPolicyAssignmentIdentityRoleDefinitionIds": {
             "value": []
         },
         "parTelemetryOptOut": {
             "value": false
         }
     }
-}
+}

infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json

@@ -83,6 +83,9 @@
         "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
             "value": []
         },
+        "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+          "value": []
+        },
         "parPolicyAssignmentIdentityRoleDefinitionIds": {
             "value": [
                 "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
@@ -92,4 +95,4 @@
             "value": false
         }
     }
-}
+}

infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep

@@ -49,6 +49,9 @@ param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs array = []
 @sys.description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d\' ].')
 param parPolicyAssignmentIdentityRoleAssignmentsSubs array = []
 
+@sys.description('An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02\' ].')
+param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups array = []
+
 @sys.description('An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. [\'/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\'].')
 param parPolicyAssignmentIdentityRoleDefinitionIds array = []
 
@@ -104,6 +107,17 @@ module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssign
   }
 }]
 
+// Handle Managed Identity RBAC Assignments to Resource Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required.
+module modPolicyIdentityRoleAssignmentResourceGroupMany '../../roleAssignments/roleAssignmentResourceGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsResourceGroups)) {
+  name: 'rbac-assign-rg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}'
+  params: {
+    parResourceGroupIds: parPolicyAssignmentIdentityRoleAssignmentsResourceGroups
+    parAssigneeObjectId: resPolicyAssignment.identity.principalId
+    parAssigneePrincipalType: 'ServicePrincipal'
+    parRoleDefinitionId: roles
+  }
+}]
+
 // Optional Deployment for Customer Usage Attribution
 module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
   #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information

infra-as-code/bicep/modules/roleAssignments/README.md

@@ -14,6 +14,8 @@ This module contains 4 Bicep templates, you may optionally choose one of these m
 | roleAssignmentManagementGroupMany.bicep | Performs role assignment on one or more management groups.  This template uses `roleAssignmentManagementGroup.bicep` for the deployments. | Management Group |
 | roleAssignmentSubscription.bicep        | Performs role assignment on one subscription                                                                                              | Subscription     |
 | roleAssignmentSubscriptionMany.bicep    | Performs role assignment on one or more subscriptions.  This template uses `roleAssignmentSubscription.bicep` for the deployments.        | Management Group |
+| roleAssignmentResourceGroup.bicep       | Performs role assignment on one resource group                                                                                            | Resource Group   |
+| roleAssignmentResourceGroupMany.bicep   | Performs role assignment on one or more resource groups.  This template uses `roleAssignmentResourceGroup.bicep` for the deployments.     | Management Group |
 
 ## Parameters
 
@@ -80,6 +82,14 @@ Connect-AzureAD
 
 - [Link to Parameters](generateddocs/roleAssignmentSubscriptionMany.bicep.md)
 
+### roleAssignmentResourceGroup.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentResourceGroup.bicep.md)
+
+### roleAssignmentResourceGroupMany.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentResourceGroupMany.bicep.md)
+
 ## Outputs
 
 *This module does not produce any outputs.*
@@ -165,3 +175,11 @@ New-AzManagementGroupDeployment @inputObject
 ### Many Subscription Role Assignments
 
 ![Bicep Visualizer - Many Subscription Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Subscription Role Assignments")
+
+### Single Resource Group Role Assignment
+
+![Bicep Visualizer - Single Resource Group Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Resource Group Role Assignment")
+
+### Many Resource Group Role Assignments
+
+![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments")

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md

@@ -0,0 +1,80 @@
+# ALZ Bicep - Role Assignment to a Resource Group
+
+Module used to assign a Role Assignment to a Resource Group
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parRoleAssignmentNameGuid | No       | A GUID representing the role assignment name.
+parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes      | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+
+### parRoleAssignmentNameGuid
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A GUID representing the role assignment name.
+
+- Default value: `[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]`
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry.
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "metadata": {
+        "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.json"
+    },
+    "parameters": {
+        "parRoleAssignmentNameGuid": {
+            "value": "[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]"
+        },
+        "parRoleDefinitionId": {
+            "value": ""
+        },
+        "parAssigneePrincipalType": {
+            "value": ""
+        },
+        "parAssigneeObjectId": {
+            "value": ""
+        },
+        "parTelemetryOptOut": {
+            "value": false
+        }
+    }
+}
+```

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md

@@ -0,0 +1,78 @@
+# ALZ Bicep - Role Assignment to Resource Groups
+
+Module used to assign a Role Assignment to multiple Resource Groups
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parResourceGroupIds | No       | A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).
+parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Definition ID:  acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+
+### parResourceGroupIds
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID:  acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "metadata": {
+        "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.json"
+    },
+    "parameters": {
+        "parResourceGroupIds": {
+            "value": []
+        },
+        "parRoleDefinitionId": {
+            "value": ""
+        },
+        "parAssigneePrincipalType": {
+            "value": ""
+        },
+        "parAssigneeObjectId": {
+            "value": ""
+        },
+        "parTelemetryOptOut": {
+            "value": false
+        }
+    }
+}
+```

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parRoleAssignmentNameGuid": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parRoleDefinitionId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parAssigneePrincipalType": {
+      "value": "ServicePrincipal"
+    },
+    "parAssigneeObjectId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parRoleDefinitionId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parAssigneePrincipalType": {
+      "value": "ServicePrincipal"
+    },
+    "parAssigneeObjectId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parRoleAssignmentNameGuid": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parRoleDefinitionId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parAssigneePrincipalType": {
+      "value": "Group"
+    },
+    "parAssigneeObjectId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parRoleDefinitionId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parAssigneePrincipalType": {
+      "value": "Group"
+    },
+    "parAssigneeObjectId": {
+      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+    },
+    "parTelemetryOptOut": {
+      "value": false
+    }
+  }
+}