This is a simple demo of how to (ab)use scoping and extension type resources in Bicep with a main.bicep that deploys at the subscription scope the option to create a role assignment at either subscription, resource group or resource scope with one template.
Depending on the type parameter the main template invokes one of three templates as modules. Note that due
to missing support (see issues #2245, #1761) of fully parametrized scoping in Bicep an ARM template is used for the role assignment on resource scope.
principalId(string): The principal (object) id of the user or serviceprincipal to assign a role forbuiltInRoleType(string): One ofOwner,ContributororReader(default)type(string): One ofresource,resourceGrouporsubscription(default)resourceGroupName(string): the name of a resource group. Only set iftype = resourceGroup.resourceId(string): the full id of a resource. Only set iftype = resource.subscriptionId(string): the guid of an subscription. Defaults to the id of the deployment scope.
az deployment sub create -n roleassignment-subscription -f main.bicep \
--parameters principalId=<id> type=subscriptionaz deployment sub create -n roleassignment-rg -f main.bicep \
--parameters principalId=<id> type=resourceGroup resourceGroupName=<rg name>az deployment sub create -n roleassignment-res -f main.bicep \
--parameters principalId=<id> type=resource resourceId=<resource ID>Disclaimer: Tested with Bicep version 0.20.4