diff --git a/docs/wiki/KnownIssues.md b/docs/wiki/KnownIssues.md
index ee7769a42..dec204995 100644
--- a/docs/wiki/KnownIssues.md
+++ b/docs/wiki/KnownIssues.md
@@ -37,6 +37,16 @@ This page lists the known issues and limitations currently present in ALZ-Bicep. - **Status:** As our team doesn't directly own the impacted module or have control over the agents/runners, we aim to enhance flexibility to assist with such issues in the future. To achieve this, we plan to introduce a variable in the .env file, enabling version control without the need for individual additions. +## Issue 2: ALZ Default Policy Assignments Module Deployment Failure Due to Template Size + +- **Description:** The ALZ Default Policy Assignments module may fail to deploy because the compiled ARM template from the Bicep module exceeds [Azure's 4 MB limit](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices#template-limits) due to the large number of policy assignments. +- **Impact:** Deployment may fail with an error indicating that the ARM template is too large. +- **Workaround:** Consider these approaches: + - Deploy the module in smaller chunks. + - Split the policy assignments into separate modules and deploy them individually. + - If `parTelemetryOptOut` is set to `true`, comment out or remove the parameter and its associated resource declaration from the `.bicep` file. +- **Status:** We have reduced the ARM template size by condensing parameter descriptions . Refactoring the module will only be considered if necessary, particularly if additional policy assignments from a policy refresh impact deployments. We are also taking into consideration that we are currently working on transition to [Azure Verified Modules](https://github.com/Azure/ALZ-Bicep/issues/791), which will account for this issue in the long-term. 
+ ## How to Report an Issue If you encounter an issue not listed here that would be helpful to be included or have additional information to provide, please open a [new issue](https://github.com/Azure/ALZ-Bicep/issues/new?assignees=&labels=bug&projects=&template=bug-report-issue-form.yaml&title=%5BPLACEHOLDER%5D+-+Place+a+descriptive+title+here) in the GitHub repository's issue tracker. Be sure to include detailed steps to reproduce the issue and any relevant context or screenshots. diff --git a/infra-as-code/bicep/modules/policy/assignments/README.md b/infra-as-code/bicep/modules/policy/assignments/README.md index 19e14f2c7..99b690215 100644 --- a/infra-as-code/bicep/modules/policy/assignments/README.md +++ b/infra-as-code/bicep/modules/policy/assignments/README.md @@ -9,8 +9,9 @@ If you wish to add your own additional Azure Policy Assignments please review [H ## Parameters - [Parameters for Azure Commercial Cloud](generateddocs/policyAssignmentManagementGroup.bicep.md) +- This same module can still be used in Azure China. Example parameters are in the [parameters](./parameters/) folder. -> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. +> **IMPORTANT:** Due to the size of ARM template generated from this module, we had to condense the descriptions for the parameters in certain cases. If you need more information on a parameter, please refer to the [release v0.19.0](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.19.0). Otherwise, feel free to reach out by opening an issue for additional clarification. ## Outputs diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 1fd2d5979..5677646b6 100644 
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -1,37 +1,37 @@
-metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
-metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'
+metadata name = 'ALZ Bicep - Default Policy Assignments'
+metadata description = 'Assigns ALZ Default Policies to the Management Group hierarchy'
 type policyAssignmentSovereigntyGlobalOptionsType = {
- @sys.description('Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.')
+ @sys.description('Toggle to enable/disable deployment of Sovereignty Baseline - Global Policies at the intermediate root management group.')
 parTopLevelSovereigntyGlobalPoliciesEnable: bool
- @sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
+ @sys.description('List of allowed locations for resource deployment. If empty, only the deployment location is allowed.')
 parListOfAllowedLocations: string[]
- @sys.description('The effect type for the Sovereignty Baseline - Global Policies Assignment.')
+ @sys.description('Effect type for Sovereignty Baseline - Global Policies.')
 parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
 type policyAssignmentSovereigntyConfidentialOptionsType = {
- @sys.description('The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.')
+ @sys.description('List of approved Azure resource types (e.g., Confidential Computing SKUs or those not processing customer data). Leave empty to allow all relevant types.')
 parAllowedResourceTypes: string[]
- @sys.description('The list of locations that your organization can use to restrict deploying resources to. 
If left empty, only the deployment location will be allowed.')
+ @sys.description('List of allowed locations for resource deployment. If empty, only the deployment location is allowed.')
 parListOfAllowedLocations: string[]
- @sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
+ @sys.description('List of approved VM SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
 parAllowedVirtualMachineSKUs: string[]
- @sys.description('The effect type for the Sovereignty Baseline - Confidential Policies Assignment.')
+ @sys.description('Effect type for Sovereignty Baseline - Confidential Policies.')
 parPolicyEffect: ('Audit' | 'Deny' | 'Disabled' | 'AuditIfNotExists')
 }
-@sys.description('Prefix used for the management group hierarchy.')
+@sys.description('Prefix for the management group hierarchy.')
 @minLength(2)
 @maxLength(10)
 param parTopLevelManagementGroupPrefix string = 'alz'
-@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@sys.description('Optional suffix for management group names/IDs. Include a dash if needed.')
 @maxLength(10)
 param parTopLevelManagementGroupSuffix string = ''
@@ -63,70 +63,70 @@ param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConf
 parPolicyEffect: 'Deny'
 }
-@sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
+@sys.description('Toggle to apply platform policies to the Platform group or child groups.')
 param parPlatformMgAlzDefaultsEnable bool = true
-@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.')
+@sys.description('Toggle to assign policies to Corp & Online Management Groups under Landing Zones.')
 param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
-@sys.description('Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. 
If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups')
+@sys.description('Toggle to assign policies to Confidential Corp and Online groups under Landing Zones.')
 param parLandingZoneMgConfidentialEnable bool = false
-@sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
+@sys.description('Location of Log Analytics Workspace & Automation Account.')
 param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
-@sys.description('Log Analytics Workspace Resource ID.')
+@sys.description('Resource ID of Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceResourceId string = ''
-@sys.description('Data Collection Rule VM Insights Resource ID.')
+@sys.description('Resource ID for VM Insights Data Collection Rule.')
 param parDataCollectionRuleVMInsightsResourceId string = ''
-@sys.description('Data Collection Rule Change Tracking Resource ID.')
+@sys.description('Resource ID for Change Tracking Data Collection Rule.')
 param parDataCollectionRuleChangeTrackingResourceId string = ''
-@sys.description('Data Collection Rule MDFC SQL Resource ID.')
+@sys.description('Resource ID for MDFC SQL Data Collection Rule.')
 param parDataCollectionRuleMDFCSQLResourceId string = ''
-@sys.description('User Assigned Managed Identity Resource ID.')
+@sys.description('Resource ID for User Assigned Managed Identity.')
 param parUserAssignedManagedIdentityResourceId string = ''
-@sys.description('Number of days of log retention for Log Analytics Workspace.')
+@sys.description('Number of days to retain logs in Log Analytics Workspace.')
 param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
-@sys.description('Automation account name.')
+@sys.description('Name of the Automation Account.')
 param parAutomationAccountName string = 'alz-automation-account'
-@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.') 
+@sys.description('Email address for Microsoft Defender for Cloud alerts.')
 param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'
-@sys.description('Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET.')
+@sys.description('Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not.')
 param parDdosEnabled bool = true
-@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks.')
+@sys.description('Resource ID of the DDoS Protection Plan applied to Virtual Networks.')
 param parDdosProtectionPlanId string = ''
-@sys.description('Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.')
+@sys.description('Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group.')
 param parPrivateDnsResourceGroupId string = ''
-@sys.description('Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. 
You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules.')
+@sys.description('List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules.')
 param parPrivateDnsZonesNamesToAuditInCorp array = []
-@sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
+@sys.description('Set to true to disable enforcement of all default ALZ policies.')
 param parDisableAlzDefaultPolicies bool = false
-@sys.description('Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce.')
+@sys.description('Set to true to disable enforcement of all default sovereign policies.')
 param parDisableSlzDefaultPolicies bool = false
-@sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.')
+@sys.description('Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter.')
 param parVmBackupExclusionTagName string = ''
-@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
+@sys.description('Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter.')
 param parVmBackupExclusionTagValue array = []
-@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. 
Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
+@sys.description('Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation.')
 param parExcludedPolicyAssignments array = []
-@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+@sys.description('Set to true to opt out of deployment telemetry.')
 param parTelemetryOptOut bool = false
 var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index a8c541064..fa45d547e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
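Review bot: The condensed description for `parPlatformMgAlzDefaultsEnable` no longer states which value maps to which scope, although the removed text did (false assigns platform policies to the Platform MG, true to the Management/Identity/Connectivity child MGs); a reader now has to read the module body to learn where the platform guardrails land, and that scoping decision determines which subscriptions the policies cover. The same information is lost for `parLandingZoneChildrenMgAlzDefaultsEnable` and `parLandingZoneMgConfidentialEnable`, whose old text said that false skips assignment to the Corp/Online (and Confidential) MGs entirely, whereas the new "Toggle to assign policies to …" reads as if it only selects a target. A one-clause form keeps most of the size win and the semantics, e.g. `@sys.description('True: Management, Identity and Connectivity child MGs exist and receive platform policies. False: platform policies are assigned to the Platform MG.')`. The `parPrivateDnsZonesNamesToAuditInCorp` text also drops the note that the policy defaults already include the static Private Link zones, which a user needs to know before supplying a list that overwrites them; a short clause such as "defaults already include the static Private Link zones" would restore it.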
@@ -1,43 +1,43 @@ -# ALZ Bicep - ALZ Default Policy Assignments +# ALZ Bicep - Default Policy Assignments -This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy +Assigns ALZ Default Policies to the Management Group hierarchy ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. -parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. +parTopLevelManagementGroupSuffix | No | Optional suffix for management group names/IDs. Include a dash if needed. parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable` - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Global Policies Assignment. parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. 
- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs. - `parPolicyEffect` - The effect type for the Sovereignty Baseline - Confidential Policies Assignment. -parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. -parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. -parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups -parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed. -parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID. -parDataCollectionRuleVMInsightsResourceId | No | Data Collection Rule VM Insights Resource ID. -parDataCollectionRuleChangeTrackingResourceId | No | Data Collection Rule Change Tracking Resource ID. -parDataCollectionRuleMDFCSQLResourceId | No | Data Collection Rule MDFC SQL Resource ID. -parUserAssignedManagedIdentityResourceId | No | User Assigned Managed Identity Resource ID. -parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. 
-parAutomationAccountName | No | Automation account name. -parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. -parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET. -parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. -parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. -parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. -parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. -parDisableSlzDefaultPolicies | No | Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. -parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. 
-parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. -parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry +parPlatformMgAlzDefaultsEnable | No | Toggle to apply platform policies to the Platform group or child groups. +parLandingZoneChildrenMgAlzDefaultsEnable | No | Toggle to assign policies to Corp & Online Management Groups under Landing Zones. +parLandingZoneMgConfidentialEnable | No | Toggle to assign policies to Confidential Corp and Online groups under Landing Zones. +parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | Location of Log Analytics Workspace & Automation Account. +parLogAnalyticsWorkspaceResourceId | No | Resource ID of Log Analytics Workspace. +parDataCollectionRuleVMInsightsResourceId | No | Resource ID for VM Insights Data Collection Rule. +parDataCollectionRuleChangeTrackingResourceId | No | Resource ID for Change Tracking Data Collection Rule. +parDataCollectionRuleMDFCSQLResourceId | No | Resource ID for MDFC SQL Data Collection Rule. +parUserAssignedManagedIdentityResourceId | No | Resource ID for User Assigned Managed Identity. +parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days to retain logs in Log Analytics Workspace. +parAutomationAccountName | No | Name of the Automation Account. +parMsDefenderForCloudEmailSecurityContact | No | Email address for Microsoft Defender for Cloud alerts. 
+parDdosEnabled | No | Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not. +parDdosProtectionPlanId | No | Resource ID of the DDoS Protection Plan applied to Virtual Networks. +parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group. +parPrivateDnsZonesNamesToAuditInCorp | No | List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules. +parDisableAlzDefaultPolicies | No | Set to true to disable enforcement of all default ALZ policies. +parDisableSlzDefaultPolicies | No | Set to true to disable enforcement of all default sovereign policies. +parVmBackupExclusionTagName | No | Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter. +parVmBackupExclusionTagValue | No | Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter. +parExcludedPolicyAssignments | No | Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation. +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. ### parTopLevelManagementGroupPrefix ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Prefix used for the management group hierarchy. +Prefix for the management group hierarchy. - Default value: `alz` 
@@ -45,7 +45,7 @@ Prefix used for the management group hierarchy. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +Optional suffix for management group names/IDs. Include a dash if needed. ### parTopLevelPolicyAssignmentSovereigntyGlobal @@ -80,7 +80,7 @@ Object used to assign Sovereignty Baseline - Confidential Policies to the confid ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. +Toggle to apply platform policies to the Platform group or child groups. - Default value: `True` @@ -88,7 +88,7 @@ Management, Identity and Connectivity Management Groups beneath Platform Managem ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups. +Toggle to assign policies to Corp & Online Management Groups under Landing Zones. - Default value: `True` 
@@ -96,7 +96,7 @@ Corp & Online Management Groups beneath Landing Zones Management Groups have bee ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups +Toggle to assign policies to Confidential Corp and Online groups under Landing Zones. - Default value: `False` @@ -104,7 +104,7 @@ Confidential Corp & Confidential Online Management Groups beneath Landing Zones ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The region where the Log Analytics Workspace & Automation Account are deployed. +Location of Log Analytics Workspace & Automation Account. - Default value: `eastus` 
@@ -112,37 +112,37 @@ The region where the Log Analytics Workspace & Automation Account are deployed. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Log Analytics Workspace Resource ID. +Resource ID of Log Analytics Workspace. ### parDataCollectionRuleVMInsightsResourceId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Data Collection Rule VM Insights Resource ID. +Resource ID for VM Insights Data Collection Rule. ### parDataCollectionRuleChangeTrackingResourceId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Data Collection Rule Change Tracking Resource ID. +Resource ID for Change Tracking Data Collection Rule. ### parDataCollectionRuleMDFCSQLResourceId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Data Collection Rule MDFC SQL Resource ID. +Resource ID for MDFC SQL Data Collection Rule. ### parUserAssignedManagedIdentityResourceId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -User Assigned Managed Identity Resource ID. +Resource ID for User Assigned Managed Identity. ### parLogAnalyticsWorkspaceLogRetentionInDays ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Number of days of log retention for Log Analytics Workspace. +Number of days to retain logs in Log Analytics Workspace. - Default value: `365` @@ -150,7 +150,7 @@ Number of days of log retention for Log Analytics Workspace. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Automation account name. +Name of the Automation Account. - Default value: `alz-automation-account` 
@@ -158,7 +158,7 @@ Automation account name. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. +Email address for Microsoft Defender for Cloud alerts. - Default value: `security_contact@replace_me.com` @@ -166,7 +166,7 @@ An e-mail address that you want Microsoft Defender for Cloud alerts to be sent t ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET. +Toggle to enable/disable DDoS Network Protection deployment. True enforces the Enable-DDoS-VNET policy at connectivity or landing zone groups; false does not. - Default value: `True` 
@@ -174,25 +174,25 @@ Switch to enable/disable DDoS Network Protection deployment. True will enforce p ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -ID of the DdosProtectionPlan which will be applied to the Virtual Networks. +Resource ID of the DDoS Protection Plan applied to Virtual Networks. ### parPrivateDnsResourceGroupId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. +Resource ID of the Resource Group containing Private DNS Zones. Leave empty to skip assigning the Deploy-Private-DNS-Zones policy to the Corp Management Group. ### parPrivateDnsZonesNamesToAuditInCorp ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. +List of Private DNS Zones to audit if deployed in Subscriptions under the Corp Management Group. Include all zones, as this parameter overwrites default values. Retrieve names from the outPrivateDnsZonesNames output in the Hub Networking or Private DNS Zone modules. 
### parDisableAlzDefaultPolicies ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Enforcement Mode of all default Policies assignments to Do Not Enforce. +Set to true to disable enforcement of all default ALZ policies. - Default value: `False` @@ -200,7 +200,7 @@ Set Enforcement Mode of all default Policies assignments to Do Not Enforce. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enforce. +Set to true to disable enforcement of all default sovereign policies. - Default value: `False` 
@@ -208,25 +208,25 @@ Set Enforcement Mode of all default sovereign Policies assignments to Do Not Enf ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. +Tag name for excluding VMs from this policy’s scope. Use with the Exclusion Tag Value parameter. ### parVmBackupExclusionTagValue ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. +Tag value for excluding VMs from this policy’s scope (use a comma-separated list for multiple values). Use with the Exclusion Tag Name parameter. ### parExcludedPolicyAssignments ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments +Add assignment definition names to exclude specific policies. Find values in the Assigning Policies documentation. ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry +Set to true to opt out of deployment telemetry. - Default value: `False` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md index bb27ce5ad..734b6d223 100644 
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md +++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md 
@@ -1,24 +1,24 @@ # ALZ Bicep - Role Assignment to a Management Group -Module used to assign a role to Management Group +Module to assign a role to a Management Group ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parRoleAssignmentNameGuid | No | GUID for the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). +parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. 
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parRoleAssignmentNameGuid ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A GUID representing the role assignment name. +GUID for the role assignment name. - Default value: `[guid(managementGroup().name, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` @@ -26,13 +26,13 @@ A GUID representing the role assignment name. ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type of the assignee: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -40,13 +40,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry. +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -54,13 +54,13 @@ Set Parameter to true to Opt-out of deployment telemetry. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md index af04f2509..2361bea2f 100644 --- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md 
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md 
@@ -1,36 +1,36 @@ # ALZ Bicep - Role Assignment to Management Groups -Module used to assign a Role Assignment to multiple Management Groups +Module to assign a role to multiple Management Groups ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parManagementGroupIds | No | A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]). -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parManagementGroupIds | No | List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]). +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). 
+parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. +parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parManagementGroupIds ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]). +List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]). ### parRoleDefinitionId ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -38,13 +38,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -52,13 +52,13 @@ Set Parameter to true to Opt-out of deployment telemetry ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md index ba93ba4d2..c50332b2e 100644 --- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md 
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md 
@@ -1,24 +1,24 @@ # ALZ Bicep - Role Assignment to a Resource Group -Module used to assign a Role Assignment to a Resource Group +Module to assign a role to a Resource Group ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parRoleAssignmentNameGuid | No | GUID for the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). +parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. 
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parRoleAssignmentNameGuid ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A GUID representing the role assignment name. +GUID for the role assignment name. - Default value: `[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` @@ -26,13 +26,13 @@ A GUID representing the role assignment name. ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -40,13 +40,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ' ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry. +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -54,13 +54,13 @@ Set Parameter to true to Opt-out of deployment telemetry. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md index 6bfe88517..38557ee04 100644 --- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md 
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md 
@@ -1,36 +1,36 @@ # ALZ Bicep - Role Assignment to Resource Groups -Module used to assign a Role Assignment to multiple Resource Groups +Module to assign a role to multiple Resource Groups ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parResourceGroupIds | No | A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parResourceGroupIds | No | List of Resource Groups for role assignment in the format subscriptionId/resourceGroupName (e.g., a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). 
+parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. +parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parResourceGroupIds ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). +List of Resource Groups for role assignment in the format subscriptionId/resourceGroupName (e.g., a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). ### parRoleDefinitionId ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -38,13 +38,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -52,13 +52,13 @@ Set Parameter to true to Opt-out of deployment telemetry ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md index fc74ad43c..35f20e6bb 100644 --- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md 
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md 
@@ -1,24 +1,24 @@ # ALZ Bicep - Role Assignment to a Subscription -Module used to assign a Role Assignment to a Subscription +Module to assign a role to a Subscription ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parRoleAssignmentNameGuid | No | GUID for the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). +parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). +parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. 
+parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parRoleAssignmentNameGuid ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A GUID representing the role assignment name. +GUID for the role assignment name. - Default value: `[guid(subscription().subscriptionId, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` @@ -26,13 +26,13 @@ A GUID representing the role assignment name. ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -40,13 +40,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ' ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry. +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -54,13 +54,13 @@ Set Parameter to true to Opt-out of deployment telemetry. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md index d7b885113..427c54975 100644 --- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md 
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md 
@@ -1,36 +1,36 @@ # ALZ Bicep - Role Assignment to Subscriptions -Module used to assign a Role Assignment to multiple Subscriptions +Module to assign a role to multiple Subscriptions ## Parameters Parameter name | Required | Description -------------- | -------- | ----------- -parSubscriptionIds | No | A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0). -parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) -parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) -parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID -parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry -parRoleAssignmentCondition | No | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. -parRoleAssignmentConditionVersion | No | Role assignment condition version. Currently the only accepted value is '2.0' +parSubscriptionIds | No | List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0). +parRoleDefinitionId | Yes | Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). +parAssigneeObjectId | Yes | Object ID of groups, service principals, or managed identities (use principal ID for managed identities). 
+parTelemetryOptOut | No | Set to true to opt out of deployment telemetry. +parRoleAssignmentCondition | No | Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. +parRoleAssignmentConditionVersion | No | Role assignment condition version. Only value accepted is '2.0'. ### parSubscriptionIds ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0). +List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0). ### parRoleDefinitionId ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) ### parAssigneePrincipalType ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +Principal type: 'Group' (Security Group) or 'ServicePrincipal' (Service Principal/Managed Identity). - Allowed values: `Group`, `ServicePrincipal` 
@@ -38,13 +38,13 @@ Principal type of the assignee. Allowed values are 'Group' (Security Group) or ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +Object ID of groups, service principals, or managed identities (use principal ID for managed identities). ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Set Parameter to true to Opt-out of deployment telemetry +Set to true to opt out of deployment telemetry. - Default value: `False` @@ -52,13 +52,13 @@ Set Parameter to true to Opt-out of deployment telemetry ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator. +Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition. ### parRoleAssignmentConditionVersion ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Role assignment condition version. Currently the only accepted value is '2.0' +Role assignment condition version. Only value accepted is '2.0'. - Default value: `2.0` diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep index 5328aecd0..e6b3797dd 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep 
@@ -1,31 +1,31 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep - Role Assignment to a Management Group' -metadata description = 'Module used to assign a role to Management Group' +metadata description = 'Module to assign a role to a Management Group' -@sys.description('A GUID representing the role assignment name.') +@sys.description('GUID for the role assignment name.') param parRoleAssignmentNameGuid string = guid(managementGroup().name, parRoleDefinitionId, parAssigneeObjectId) -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type of the assignee: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. 
Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' // Customer Usage Attribution Id diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep index 20cfb98a3..10d0616ed 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep 
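Review bot: The condensed `parRoleAssignmentCondition` description in this hunk now reads as if Owner and User Access Administrator were examples of a condition, and "roles with `write` or `delete` permissions" no longer says which permissions it means, whereas the removed line named `Microsoft.Authorization/roleAssignments/write` / `delete` — the exact thing an operator must check before relying on a condition to constrain a delegated role. Since this parameter is the guard rail on who a delegated administrator may grant roles to, the precise wording is worth the bytes: `@sys.description('Role assignment condition. Only roles holding Microsoft.Authorization/roleAssignments/write or /delete (e.g., Owner, User Access Administrator, RBAC Administrator) can carry a condition.')`. The `parAssigneeObjectId` line in the same hunk also drops the "use the object ID and not the app ID" caveat for service principals, which is a frequent source of failed or mis-targeted assignments; I would keep it as `(principal ID for managed identities; object ID, not application ID, for service principals)`. The `Microsoft.Authorization/roleAssignments` resource that consumes these parameters is outside the hunk.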
@@ -1,31 +1,31 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep - Role Assignment to Management Groups' -metadata description = 'Module used to assign a Role Assignment to multiple Management Groups' +metadata description = 'Module to assign a role to multiple Management Groups' -@sys.description('A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]).') +@sys.description('List of management group scopes for role assignment (e.g., [alz-platform-connectivity, alz-platform-identity]).') param parManagementGroupIds array = [] -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. 
Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: { diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep index 3009b77c5..fe86dd3e8 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep 
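Review bot: The new `parAssigneeObjectId` description in this hunk no longer warns that a service principal must be referenced by its object ID rather than its application (client) ID, a distinction the removed line spelled out and one that is easy to get wrong when copying IDs from an app registration. Because this module fans the same ID out to every management group in `parManagementGroupIds`, a wrong ID is repeated across all scopes, so the caveat belongs here: `@sys.description('Object ID of the group, service principal or managed identity (principal ID for managed identities; object ID, not application ID, for service principals).')`. The same hunk's `parRoleAssignmentCondition` text should likewise keep naming `Microsoft.Authorization/roleAssignments/write`/`delete` instead of the ambiguous "`write` or `delete` permissions". The `modRoleAssignment` loop that forwards these values continues past the end of the hunk.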
@@ -1,32 +1,31 @@ metadata name = 'ALZ Bicep - Role Assignment to a Resource Group' -metadata description = 'Module used to assign a Role Assignment to a Resource Group' +metadata description = 'Module to assign a role to a Resource Group' -@sys.description('A GUID representing the role assignment name.') +@sys.description('GUID for the role assignment name.') param parRoleAssignmentNameGuid string = guid(resourceGroup().id, parRoleDefinitionId, parAssigneeObjectId) -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. 
Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' - // Customer Usage Attribution Id var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb' diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep index b7b241a3f..13712392a 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep 
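Review bot: The rewritten `parRoleAssignmentCondition` description in this hunk lost its only precise statement — that a condition is meaningful on roles carrying `Microsoft.Authorization/roleAssignments/write` or `delete` — and replaced it with "roles with `write` or `delete` permissions", which nearly every role satisfies in some form. A reader deciding whether a condition will actually restrict a delegated role at resource-group scope needs the specific permission names, so I would restore them: `@sys.description('Role assignment condition. Applies to roles holding Microsoft.Authorization/roleAssignments/write or /delete (e.g., Owner, User Access Administrator, RBAC Administrator).')`. This hunk also deletes the blank line before `// Customer Usage Attribution Id`, which looks incidental to the description clean-up and could be left as it was. The role assignment resource itself is outside the hunk.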
@@ -1,33 +1,32 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep - Role Assignment to Resource Groups' -metadata description = 'Module used to assign a Role Assignment to multiple Resource Groups' +metadata description = 'Module to assign a role to multiple Resource Groups' -@sys.description('A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).') +@sys.description('List of Resource Groups for role assignment in the format subscriptionId/resourceGroupName (e.g., a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).') param parResourceGroupIds array = [] -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. 
Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' - module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGroupId in parResourceGroupIds: { name: 'rbac-assign-${uniqueString(resourceGroupId, parAssigneeObjectId, parRoleDefinitionId)}' scope: resourceGroup(split(resourceGroupId, '/')[0], split(resourceGroupId, '/')[1]) diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep index 2e293a931..569ec74d8 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep 
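Review bot: The new `parAssigneeObjectId` description in this hunk drops the "object ID and not the app ID" caveat for service principals while keeping the managed-identity one, so the more error-prone of the two cases is now undocumented. Given this module applies the same principal to every entry in `parResourceGroupIds`, I would restore it in one line: `@sys.description('Object ID of the group, service principal or managed identity (principal ID for managed identities; object ID, not application ID, for service principals).')`. The `parRoleAssignmentConditionVersion` line also says only `'2.0'` is accepted but the parameter has no `@allowed(['2.0'])` decorator, so the documented constraint is not enforced at deploy time; that predates this change but is worth fixing while the line is being touched. The `modRoleAssignment` loop that consumes these parameters runs past the end of the hunk.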
@@ -1,31 +1,31 @@ targetScope = 'subscription' metadata name = 'ALZ Bicep - Role Assignment to a Subscription' -metadata description = 'Module used to assign a Role Assignment to a Subscription' +metadata description = 'Module to assign a role to a Subscription' -@sys.description('A GUID representing the role assignment name.') +@sys.description('GUID for the role assignment name.') param parRoleAssignmentNameGuid string = guid(subscription().subscriptionId, parRoleDefinitionId, parAssigneeObjectId) -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. 
Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' // Customer Usage Attribution Id diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep index fbb82c301..8c45b4233 100644 --- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep +++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep 
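Review bot: In this hunk the `parRoleAssignmentCondition` description is shortened to "(e.g., Owner, User Access Administrator)" placed right after "condition", which a reader will parse as example conditions rather than example roles, and the qualifying permission is reduced to "`write` or `delete`" without the `Microsoft.Authorization/roleAssignments/` prefix the removed line carried. As far as this diff shows, the role-assignment modules are not part of the policy-assignments template whose 4 MB size motivated the condensing, so the loss of precision here buys nothing; I would keep the specific form: `@sys.description('Role assignment condition. Only roles holding Microsoft.Authorization/roleAssignments/write or /delete (e.g., Owner, User Access Administrator, RBAC Administrator) can carry a condition.')`. The condition is only useful as a least-privilege boundary when the operator knows which roles it binds to. The subscription-scope role assignment resource is outside the hunk.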
@@ -1,31 +1,31 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep - Role Assignment to Subscriptions' -metadata description = 'Module used to assign a Role Assignment to multiple Subscriptions' +metadata description = 'Module to assign a role to multiple Subscriptions' -@sys.description('A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0).') +@sys.description('List of subscription IDs for role assignment (e.g., 4f9f8765-911a-4a6d-af60-4bc0473268c0).') param parSubscriptionIds array = [] -@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') +@sys.description('Role Definition Id (e.g., Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)') param parRoleDefinitionId string -@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)') +@sys.description('Principal type: \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal/Managed Identity).') @allowed([ 'Group' 'ServicePrincipal' ]) param parAssigneePrincipalType string -@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID') +@sys.description('Object ID of groups, service principals, or managed identities (use principal ID for managed identities).') param parAssigneeObjectId string -@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +@sys.description('Set to true to opt out of deployment telemetry.') param parTelemetryOptOut bool = false -@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. 
Example: Owner, User Access Administrator and RBAC Administrator.') +@sys.description('Role assignment condition (e.g., Owner, User Access Administrator). Only roles with `write` or `delete` permissions can have a condition.') param parRoleAssignmentCondition string = '' -@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'') +@sys.description('Role assignment condition version. Only value accepted is \'2.0\'.') param parRoleAssignmentConditionVersion string = '2.0' module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: {
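Review bot: The `parAssigneeObjectId` description in this hunk no longer tells a caller that a service principal is identified by its object ID, not its application ID, even though the removed line did and the parameter is fanned out to every subscription in `parSubscriptionIds`. I would keep the caveat: `@sys.description('Object ID of the group, service principal or managed identity (principal ID for managed identities; object ID, not application ID, for service principals).')`. Likewise the new `parRoleAssignmentCondition` text should name `Microsoft.Authorization/roleAssignments/write`/`delete` rather than the ambiguous "`write` or `delete` permissions", since that is what determines whether the condition constrains a delegated assigner at all. The `modRoleAssignment` loop that passes these values to `roleAssignmentSubscription.bicep` continues beyond the hunk.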