resource-group.bicep
// Module: Role Assignments (Resource Group scope).
// Creates a single Microsoft.Authorization/roleAssignments resource in the resource group that
// this deployment targets. The scope is fixed by `targetScope` below and is therefore chosen by
// the caller (the module's deployment scope), not by any parameter of this file.
metadata name = 'Role Assignments (Resource Group scope)'
metadata description = 'This module deploys a Role Assignment at a Resource Group scope.'
metadata owner = 'Azure/module-maintainers'

targetScope = 'resourceGroup'
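// Either a display name that is a key of `builtInRoleNames` below, or a fully qualified role
// definition resource ID. Anything that is not a known display name is passed through verbatim.
@sys.description('Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleDefinitionIdOrName string

@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
param principalId string

// NOTE: within this module `resourceGroupName` and `subscriptionId` are consumed only as seeds for
// the deterministic role-assignment name (the `guid(...)` call on the resource). They do not change
// where the assignment is created; that is always the deployment's resource group (targetScope).
// Keep them consistent with the scope the module is deployed to, otherwise the assignment name is
// not reproducible on redeploy and a second assignment may be created instead of updating the first.
@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
param resourceGroupName string = resourceGroup().name

@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
param subscriptionId string = subscription().subscriptionId

@sys.description('Optional. The description of the role assignment.')
param description string = ''

@sys.description('Optional. ID of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''

// ABAC condition. Useful to constrain privileged roles (for example limiting which roles a
// 'Role Based Access Control Administrator' assignee may in turn assign). An empty string means
// "no condition"; `conditionVersion` is then omitted from the resource as well.
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
param condition string = ''

@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
@allowed([
  '2.0'
])
param conditionVersion string = '2.0'

// Defaults to '' so the parameter is genuinely optional, matching its description and the '' entry
// in the allowed list; '' makes the resource omit `principalType` entirely. Existing callers that
// pass a value are unaffected. Azure documents that stating the type explicitly (e.g.
// 'ServicePrincipal' for a freshly created identity) avoids PrincipalNotFound failures caused by
// directory replication delay, so callers are encouraged to set it when known.
@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
  'ServicePrincipal'
  'Group'
  'User'
  'ForeignGroup'
  'Device'
  ''
])
param principalType string = ''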
// Display-name -> role definition resource ID map for the roles this module accepts by name.
// Each value is the subscription-scoped resource ID of an Azure built-in role definition (the GUIDs
// are the well-known built-in definition IDs). Any role not listed here must be supplied as a fully
// qualified role definition ID via `roleDefinitionIdOrName`.
// Note for reviewers: Owner, 'User Access Administrator' and 'Role Based Access Control
// Administrator' can themselves grant access; assignments of these warrant extra scrutiny and,
// where possible, an ABAC `condition` limiting what the assignee may delegate.
var builtInRoleNames = {
  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
  'Role Based Access Control Administrator': subscriptionResourceId(
    'Microsoft.Authorization/roleDefinitions',
    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
  )
  'User Access Administrator': subscriptionResourceId(
    'Microsoft.Authorization/roleDefinitions',
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
  )
}
// Resolve the caller's input: a known display name maps to its resource ID; anything else is
// passed through verbatim and is expected to already be a fully qualified role definition ID.
// A misspelled display name is therefore never silently mapped to a different role; it reaches
// the resource as-is and is rejected at deployment time.
var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName)
  ? builtInRoleNames[roleDefinitionIdOrName]
  : roleDefinitionIdOrName)
// The role assignment itself. The name is a GUID derived from the scope identifiers, the resolved
// role definition and the principal, so redeploying the same assignment is idempotent (same name
// -> same resource) instead of accumulating duplicate assignments.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscriptionId, resourceGroupName, roleDefinitionIdVar, principalId)
  properties: {
    roleDefinitionId: roleDefinitionIdVar
    principalId: principalId
    // Empty strings become null so the property is omitted from the request body.
    description: !empty(description) ? description : null
    // `any()` relaxes the compile-time type check; the @allowed list on the parameter is what
    // actually restricts the accepted values.
    principalType: !empty(principalType) ? any(principalType) : null
    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId)
      ? delegatedManagedIdentityResourceId
      : null
    // conditionVersion is only sent together with a non-empty condition; never on its own.
    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
    condition: !empty(condition) ? condition : null
  }
}
@sys.description('The GUID of the Role Assignment.')
output name string = roleAssignment.name

@sys.description('The resource ID of the Role Assignment.')
output resourceId string = roleAssignment.id

// NOTE: the two outputs below report the deployment's actual scope (resourceGroup()), not the
// `resourceGroupName` / `subscriptionId` parameters, so they reflect where the assignment really
// landed even if those parameters were passed inconsistently.
@sys.description('The name of the resource group the role assignment was applied at.')
output resourceGroupName string = resourceGroup().name

@sys.description('The scope this Role Assignment applies to.')
output scope string = resourceGroup().id