Merge branch 'main' of https://github.com/Azure/bicep-registry-modules

Azure · Apr 30, 2024 · 83c8dfb · 83c8dfb
2 parents e175c3e + 23a2d4c
commit 83c8dfb
Show file tree

Hide file tree

Showing 9 changed files with 187 additions and 124 deletions.
diff --git a/.github/workflows/platform.deployment.history.cleanup.yml b/.github/workflows/platform.deployment.history.cleanup.yml
@@ -55,21 +55,21 @@ jobs:
     if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleSubscriptionScope == 'true' }}
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set environment
         uses: ./.github/actions/templates/avm-setEnvironment
 
       - name: Azure Login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
           enable-AzPSSession: true
 
       - name: Remove deployments
-        uses: azure/powershell@v1
+        uses: azure/powershell@v2
         with:
           inlineScript: |
             # Load used functions
@@ -94,21 +94,21 @@ jobs:
     if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleManagementGroupScope == 'true' }}
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set environment
         uses: ./.github/actions/templates/avm-setEnvironment
 
       - name: Azure Login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
           enable-AzPSSession: true
 
       - name: Remove deployments
-        uses: azure/powershell@v1
+        uses: azure/powershell@v2
         with:
           inlineScript: |
             # Load used functions

diff --git a/.github/workflows/platform.publish-module-index-json.yml b/.github/workflows/platform.publish-module-index-json.yml
@@ -46,6 +46,7 @@ jobs:
             moduleIndexJsonFilePath                      = 'moduleIndex.json'
             prefixForLastModuleIndexJsonFile             = 'last-'
             prefixForCurrentGeneratedModuleIndexJsonFile = 'generated-'
+            ErrorAction                                  = 'Continue'
           }
 
           Write-Verbose "Invoke task with" -Verbose

diff --git a/avm/res/managed-services/registration-definition/README.md b/avm/res/managed-services/registration-definition/README.md
@@ -5,11 +5,9 @@
 > - Only security and bug fixes are being handled by the AVM core team at present.
 > - If interested in becoming the module owner of this orphaned module (must be Microsoft FTE), please look for the related "orphaned module" GitHub issue [here](https://aka.ms/AVM/OrphanedModules)!
 
-This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')
-on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is
-assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where
-the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a
-remote/managing tenant.
+This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation') on a subscription or resource group scope.
+This type of delegation is very similar to role assignments but here the principal that is assigned a role is in a remote/managing Azure Active Directory tenant.
+The templates are run towards the tenant where the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a remote/managing tenant.
 
 ## Navigation
 
@@ -57,20 +55,18 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
     authorizations: [
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Lighthouse Contributor'
         roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
       }
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Managed Services Registration assignment Delete Role'
         roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
       }
     ]
     managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
     name: 'Component Validation - msrdmin Subscription assignment'
     registrationDescription: 'Managed by Lighthouse'
     // Non-required parameters
-    location: '<location>'
+    metadataLocation: '<metadataLocation>'
   }
 }
 ```
@@ -92,12 +88,10 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": [
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Lighthouse Contributor",
           "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
         },
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Managed Services Registration assignment Delete Role",
           "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
         }
       ]
@@ -112,8 +106,8 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": "Managed by Lighthouse"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
+    "metadataLocation": {
+      "value": "<metadataLocation>"
     }
   }
 }
@@ -147,12 +141,20 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
         principalIdDisplayName: 'Managed Services Registration assignment Delete Role'
         roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
       }
+      {
+        delegatedRoleDefinitionIds: [
+          'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+        ]
+        principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
+        roleDefinitionId: '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+      }
     ]
     managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
     name: 'Component Validation - msrdmax Subscription assignment'
     registrationDescription: 'Managed by Lighthouse'
     // Non-required parameters
-    location: '<location>'
+    metadataLocation: '<metadataLocation>'
+    registrationId: '<registrationId>'
   }
 }
 ```
@@ -181,6 +183,13 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
           "principalIdDisplayName": "Managed Services Registration assignment Delete Role",
           "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
+        },
+        {
+          "delegatedRoleDefinitionIds": [
+            "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+          ],
+          "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
+          "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
         }
       ]
     },
@@ -194,8 +203,11 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": "Managed by Lighthouse"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
+    "metadataLocation": {
+      "value": "<metadataLocation>"
+    },
+    "registrationId": {
+      "value": "<registrationId>"
     }
   }
 }
@@ -221,20 +233,19 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
     authorizations: [
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Lighthouse Contributor'
         roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
       }
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Managed Services Registration assignment Delete Role'
         roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
       }
     ]
     managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
     name: 'Component Validation - msrdrg Subscription assignment'
     registrationDescription: 'Managed by Lighthouse'
     // Non-required parameters
-    location: '<location>'
+    metadataLocation: '<metadataLocation>'
+    registrationId: '<registrationId>'
     resourceGroupName: '<resourceGroupName>'
   }
 }
@@ -257,12 +268,10 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": [
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Lighthouse Contributor",
           "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
         },
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Managed Services Registration assignment Delete Role",
           "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
         }
       ]
@@ -277,8 +286,11 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": "Managed by Lighthouse"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
+    "metadataLocation": {
+      "value": "<metadataLocation>"
+    },
+    "registrationId": {
+      "value": "<registrationId>"
     },
     "resourceGroupName": {
       "value": "<resourceGroupName>"
@@ -307,20 +319,19 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
     authorizations: [
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Lighthouse Contributor'
         roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
       }
       {
         principalId: 'ecadddf6-78c3-4516-afb2-7d30a174ea13'
-        principalIdDisplayName: 'Managed Services Registration assignment Delete Role'
         roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46'
       }
     ]
     managedByTenantId: '449fbe1d-9c99-4509-9014-4fd5cf25b014'
     name: 'Component Validation - msrdwaf Subscription assignment'
     registrationDescription: 'Managed by Lighthouse'
     // Non-required parameters
-    location: '<location>'
+    metadataLocation: '<metadataLocation>'
+    resourceGroupName: '<resourceGroupName>'
   }
 }
 ```
@@ -342,12 +353,10 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": [
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Lighthouse Contributor",
           "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
         },
         {
           "principalId": "ecadddf6-78c3-4516-afb2-7d30a174ea13",
-          "principalIdDisplayName": "Managed Services Registration assignment Delete Role",
           "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
         }
       ]
@@ -362,8 +371,11 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
       "value": "Managed by Lighthouse"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
+    "metadataLocation": {
+      "value": "<metadataLocation>"
+    },
+    "resourceGroupName": {
+      "value": "<resourceGroupName>"
     }
   }
 }
@@ -389,7 +401,8 @@ module registrationDefinition 'br/public:avm/res/managed-services/registration-d
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
+| [`metadataLocation`](#parameter-metadatalocation) | string | Location of the deployment metadata. |
+| [`registrationId`](#parameter-registrationid) | string | The Id (GUID) of the registration definition. |
 | [`resourceGroupName`](#parameter-resourcegroupname) | string | Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription. |
 
 ### Parameter: `authorizations`
@@ -428,14 +441,22 @@ Enable/Disable usage telemetry for module.
 - Type: bool
 - Default: `True`
 
-### Parameter: `location`
+### Parameter: `metadataLocation`
 
-Location deployment metadata.
+Location of the deployment metadata.
 
 - Required: No
 - Type: string
 - Default: `[deployment().location]`
 
+### Parameter: `registrationId`
+
+The Id (GUID) of the registration definition.
+
+- Required: No
+- Type: string
+- Default: `[if(empty(parameters('resourceGroupName')), guid(parameters('managedByTenantId'), subscription().tenantId, subscription().subscriptionId), guid(parameters('managedByTenantId'), subscription().tenantId, subscription().subscriptionId, parameters('resourceGroupName')))]`
+
 ### Parameter: `resourceGroupName`
 
 Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription.

diff --git a/avm/res/managed-services/registration-definition/main.bicep b/avm/res/managed-services/registration-definition/main.bicep
@@ -1,9 +1,7 @@
 metadata name = 'Registration Definitions'
-metadata description = '''This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation')
-on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is
-assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where
-the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a
-remote/managing tenant.'''
+metadata description = '''This module deploys a `Registration Definition` and a `Registration Assignment` (often referred to as 'Lighthouse' or 'resource delegation') on a subscription or resource group scope.
+This type of delegation is very similar to role assignments but here the principal that is assigned a role is in a remote/managing Azure Active Directory tenant.
+The templates are run towards the tenant where the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a remote/managing tenant.'''
 metadata owner = 'Azure/module-maintainers'
 
 targetScope = 'subscription'
@@ -18,25 +16,26 @@ param registrationDescription string
 param managedByTenantId string
 
 @description('Required. Specify an array of objects, containing object of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider\'s Active Directory and the principalIdDisplayName is visible to customers.')
-param authorizations array
+param authorizations authorizationType[]
 
 @description('Optional. Specify the name of the Resource Group to delegate access to. If not provided, delegation will be done on the targeted subscription.')
 param resourceGroupName string = ''
 
-@description('Optional. Location deployment metadata.')
-param location string = deployment().location
+@description('Optional. Location of the deployment metadata.')
+param metadataLocation string = deployment().location
 
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-var registrationId = empty(resourceGroupName)
+@description('Optional. The Id (GUID) of the registration definition.')
+param registrationId string = empty(resourceGroupName)
   ? guid(managedByTenantId, subscription().tenantId, subscription().subscriptionId)
   : guid(managedByTenantId, subscription().tenantId, subscription().subscriptionId, resourceGroupName)
 
 resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
   if (enableTelemetry) {
-    name: '46d3xbcp.res.managedservices-registrationdef.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    location: location
+    name: '46d3xbcp.res.managedservices-registrationdef.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, metadataLocation), 0, 4)}'
+    location: metadataLocation // Required in current template scope
     properties: {
       mode: 'Incremental'
       template: {
@@ -94,3 +93,21 @@ output subscriptionName string = subscription().displayName
 output assignmentResourceId string = empty(resourceGroupName)
   ? registrationAssignment_sub.id
   : registrationAssignment_rg.outputs.resourceId
+
+// ================ //
+// Definitions      //
+// ================ //
+
+type authorizationType = {
+  @description('Conditional. The list of role definition ids which define all the permissions that the user in the authorization can assign to other principals. Required if the `roleDefinitionId` refers to the User Access Administrator Role.')
+  delegatedRoleDefinitionIds: string[]?
+
+  @description('Required. The identifier of the Azure Active Directory principal.')
+  principalId: string
+
+  @description('Optional. The display name of the Azure Active Directory principal.')
+  principalIdDisplayName: string?
+
+  @description('Required. The identifier of the Azure built-in role that defines the permissions that the Azure Active Directory principal will have on the projected scope.')
+  roleDefinitionId: string
+}