diff --git a/infra-as-code/bicep/modules/roleAssignments/README.md b/infra-as-code/bicep/modules/roleAssignments/README.md
index db998d5fa..d49577b9f 100644
--- a/infra-as-code/bicep/modules/roleAssignments/README.md
+++ b/infra-as-code/bicep/modules/roleAssignments/README.md
@@ -183,3 +183,38 @@ New-AzManagementGroupDeployment @inputObject
 ### Many Resource Group Role Assignments
 
 ![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments")
+
+## Role assignment delegation
+
+For each module, you can add a role assignment condition to securely delegate role assignments to others. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: (Owner, User Access Administrator and Role Based Access Control Administrator). To generate the condition code:
+
+- Create a role assignemnt with a condition from the portal for the privileged role that will be assigned.
+- Select the code view from the advanced editor and copy the condition's code.
+- Remove all newlines from the condition code.
+- Escape any single quote using a backslash (only in Bicep, no need in JSON parameters file).
+
+Example:
+
+```json
+"parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+},
+"parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+},
+"parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+},
+"parTelemetryOptOut": {
+ "value": false
+}
+```
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
index af6de7559..bb27ce5ad 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
index 1eb63f050..af04f2509 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parManagementGroupIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
index a317f14e5..ba93ba4d2 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
index b8925e290..6bfe88517 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parResourceGroupIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
index c92df34e9..fc74ad43c 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
index c88f10498..d7b885113 100644
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parSubscriptionIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
 },
 "parTelemetryOptOut": {
 "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": ""
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
 }
 }
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
index 12c90c3de..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
index 8851ff752..fc7d7d59a 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
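Review bot: The sample `parRoleAssignmentCondition` added here (and in the matching hunk of every other parameters file in this commit, from roleAssignmentManagementGroup.securityGroup through roleAssignmentResourceGroupMany.servicePrincipal) reuses the `xxxxxxxx-…` placeholder pattern inside both `GuidEquals {…}` lists, and nothing in the file says those must be replaced as well, because a JSON parameters file cannot carry a comment. A consumer who swaps only the top-level `parRoleDefinitionId` and `parAssigneeObjectId` placeholders is left with a condition whose role allow-list is not a GUID; I would expect ARM to reject that at deployment time, but that is not verifiable from this diff. Since the explanation cannot live in these files, I would add it to the README's new "Role assignment delegation" section: the two GUID lists are the role definition IDs the assignee may grant or remove, and the condition limits which roles and principal types may be assigned, not which specific principals receive them. A sentence such as `Replace the GUIDs inside the condition with the role definition IDs the assignee is allowed to grant or remove; keep that list to the least-privileged roles you intend to delegate.` would make the sample safe to copy.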
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
index 12c90c3de..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
index 1e52c0bdd..c836a5047 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
index 11fd45b44..d8938d9c1 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
index 1e52c0bdd..c836a5047 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
index 391a338c7..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
index c5d868fb0..fc7d7d59a 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
index 391a338c7..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
index b710c3995..beccef2b0 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
index 84825a5f8..d530a1ce3 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
index b710c3995..beccef2b0 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
index 12c90c3de..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
index 8851ff752..fc7d7d59a 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
index 12c90c3de..3201d58ca 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
index bae222003..6f4cc4877 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
index 034a798b5..e88dd8f10 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
index bae222003..6f4cc4877 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep
index 49be41b56..5328aecd0 100644
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep
@@ -22,6 +22,12 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry.') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + // Customer Usage Attribution Id var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb' @@ -31,6 +37,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId) principalId: parAssigneeObjectId principalType: parAssigneePrincipalType + condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } } diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep index 8479cdc1f..20cfb98a3 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep 
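Review bot: `parRoleAssignmentConditionVersion` is documented as accepting only '2.0', but nothing enforces it, so a wrong value is only rejected when the role-assignment request reaches ARM at deployment time; an `@allowed([ '2.0' ])` decorator on the parameter would catch it at compile time. The same parameter is declared in roleAssignmentResourceGroup.bicep and roleAssignmentSubscription.bicep in this commit and should get the same guard. The `condition`/`conditionVersion` pair on the resource, both falling back to `null` when `parRoleAssignmentCondition` is empty, keeps the two properties consistent and looks correct. The role-assignment resource block continues outside this hunk.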
@@ -22,6 +22,12 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: { name: 'rbac-assign-${uniqueString(parManagementGroupId, parAssigneeObjectId, parRoleDefinitionId)}' scope: managementGroup(parManagementGroupId) @@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagem parAssigneePrincipalType: parAssigneePrincipalType parRoleDefinitionId: parRoleDefinitionId parTelemetryOptOut: parTelemetryOptOut + parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } }] diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep index a849ffa75..3009b77c5 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep 
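Review bot: The two ternaries added to the `modRoleAssignment` parameters are redundant and make the call rely on `null` falling back to the child module's default for a non-nullable `string` parameter; `roleAssignmentManagementGroup.bicep` already turns an empty `parRoleAssignmentCondition` into `null` on the resource itself. Passing the values straight through, `parRoleAssignmentCondition: parRoleAssignmentCondition` and `parRoleAssignmentConditionVersion: parRoleAssignmentConditionVersion`, yields the same deployed properties with plain string types. The same pattern appears in roleAssignmentResourceGroupMany.bicep and roleAssignmentSubscriptionMany.bicep in this commit. The module loop continues outside this hunk.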
@@ -20,6 +20,13 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry.') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + + // Customer Usage Attribution Id var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb' @@ -29,6 +36,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId) principalId: parAssigneeObjectId principalType: parAssigneePrincipalType + condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } } diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep index 46dae5dc6..b7b241a3f 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep 
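Review bot: The new parameter block here adds two consecutive blank lines before `// Customer Usage Attribution Id` (seven added lines against six in the sibling modules), which appears to be the only double blank line in these modules; dropping one keeps roleAssignmentResourceGroup.bicep formatted like roleAssignmentManagementGroup.bicep and roleAssignmentSubscription.bicep.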
@@ -22,6 +22,12 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGroupId in parResourceGroupIds: { name: 'rbac-assign-${uniqueString(resourceGroupId, parAssigneeObjectId, parRoleDefinitionId)}' scope: resourceGroup(split(resourceGroupId, '/')[0], split(resourceGroupId, '/')[1]) @@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGrou parAssigneePrincipalType: parAssigneePrincipalType parRoleDefinitionId: parRoleDefinitionId parTelemetryOptOut: parTelemetryOptOut + parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } }] diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep index a8b5a4dda..2e293a931 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep 
@@ -22,6 +22,12 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry.') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + // Customer Usage Attribution Id var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb' @@ -31,6 +37,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId) principalId: parAssigneeObjectId principalType: parAssigneePrincipalType + condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } } diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep index 3da103f0e..fbb82c301 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep 
@@ -22,6 +22,12 @@ param parAssigneeObjectId string @sys.description('Set Parameter to true to Opt-out of deployment telemetry') param parTelemetryOptOut bool = false +@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +param parRoleAssignmentCondition string = '' + +@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +param parRoleAssignmentConditionVersion string = '2.0' + module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: { name: 'rbac-assign-${uniqueString(subscriptionId, parAssigneeObjectId, parRoleDefinitionId)}' scope: subscription(subscriptionId) @@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionI parAssigneePrincipalType: parAssigneePrincipalType parRoleDefinitionId: parRoleDefinitionId parTelemetryOptOut: parTelemetryOptOut + parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null + parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null } }]