Skip to content

Commit

Permalink
feat: New pattern avm/ptn/authorization/resource-role-assignment (#…
Browse files Browse the repository at this point in the history
…1905)

## Description

Adding new pattern `avm/ptn/authorization/resource-role-assignment`

Azure/Azure-Verified-Modules#939

Migration of `modules/authorization/resource-scope-role-assignment`

Closes #937

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.ptn.authorization.resource-role-assignment](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml/badge.svg?branch=resource-role-assignment)](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml)
|

## Type of Change

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utlities (Non-module effecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to day with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
  • Loading branch information
peterbud authored May 15, 2024
1 parent b2790c0 commit 9ad5ba4
Show file tree
Hide file tree
Showing 12 changed files with 917 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
/avm/ @Azure/avm-core-team-technical-bicep
/avm/utilities/ @Azure/avm-core-team-technical-bicep
/avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
/avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
/avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
/avm/ptn/security/security-center/ @Azure/avm-ptn-security-securitycenter-module-owners-bicep @Azure/avm-core-team-technical-bicep
/avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep @Azure/avm-core-team-technical-bicep
Expand Down
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/avm_module_issue.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ body:
options:
- ""
- "avm/ptn/authorization/policy-assignment"
- "avm/ptn/authorization/resource-role-assignment"
- "avm/ptn/authorization/role-assignment"
# - "avm/ptn/avd-lza/insights"
# - "avm/ptn/avd-lza/management-plane"
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
name: "avm.ptn.authorization.resource-role-assignment"

on:
schedule:
- cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
workflow_dispatch:
inputs:
staticValidation:
type: boolean
description: "Execute static validation"
required: false
default: true
deploymentValidation:
type: boolean
description: "Execute deployment validation"
required: false
default: true
removeDeployment:
type: boolean
description: "Remove deployed module"
required: false
default: true
customLocation:
type: string
description: "Default location overwrite (e.g., eastus)"
required: false
push:
branches:
- main
paths:
- ".github/actions/templates/avm-**"
- ".github/workflows/avm.template.module.yml"
- ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml"
- "avm/ptn/authorization/resource-role-assignment/**"
- "avm/utilities/pipelines/**"
- "!avm/utilities/pipelines/platform/**"
- "!*/**/README.md"

env:
modulePath: "avm/ptn/authorization/resource-role-assignment"
workflowPath: ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml"

concurrency:
group: ${{ github.workflow }}

jobs:
###########################
# Initialize pipeline #
###########################
job_initialize_pipeline:
runs-on: ubuntu-latest
name: "Initialize pipeline"
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Set input parameters to output variables"
id: get-workflow-param
uses: ./.github/actions/templates/avm-getWorkflowInput
with:
workflowPath: "${{ env.workflowPath}}"
- name: "Get module test file paths"
id: get-module-test-file-paths
uses: ./.github/actions/templates/avm-getModuleTestFiles
with:
modulePath: "${{ env.modulePath }}"
outputs:
workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
modulePath: "${{ env.modulePath }}"

##############################
# Call reusable workflow #
##############################
call-workflow-passing-data:
name: "Run"
permissions:
id-token: write # For OIDC
contents: write # For release tags
needs:
- job_initialize_pipeline
uses: ./.github/workflows/avm.template.module.yml
with:
workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
secrets: inherit
259 changes: 259 additions & 0 deletions avm/ptn/authorization/resource-role-assignment/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,259 @@
# Resource-scoped role assignment `[Microsoft.Authorization/resourceroleassignment]`

This module deploys a Role Assignment for a specific resource.

## Navigation

- [Resource Types](#Resource-Types)
- [Usage examples](#Usage-examples)
- [Parameters](#Parameters)
- [Outputs](#Outputs)
- [Cross-referenced modules](#Cross-referenced-modules)
- [Data Collection](#Data-Collection)

## Resource Types

| Resource Type | API Version |
| :-- | :-- |

## Usage examples

The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.

>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/resource-role-assignment:<version>`.
- [Resource Role Assignments](#example-1-resource-role-assignments)
- [Resource Role Assignments](#example-2-resource-role-assignments)

### Example 1: _Resource Role Assignments_

This module deploys a Resource Role Assignment using all parameters.


<details>

<summary>via Bicep module</summary>

```bicep
module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:<version>' = {
name: 'resourceRoleAssignmentDeployment'
params: {
// Required parameters
principalId: '<principalId>'
resourceId: '<resourceId>'
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
// Non-required parameters
description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.'
principalType: 'ServicePrincipal'
roleName: 'Storage Blob Data Reader'
}
}
```

</details>
<p>

<details>

<summary>via JSON Parameter file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"principalId": {
"value": "<principalId>"
},
"resourceId": {
"value": "<resourceId>"
},
"roleDefinitionId": {
"value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
},
// Non-required parameters
"description": {
"value": "Assign Storage Blob Data Reader role to the managed identity on the storage account."
},
"principalType": {
"value": "ServicePrincipal"
},
"roleName": {
"value": "Storage Blob Data Reader"
}
}
}
```

</details>
<p>

### Example 2: _Resource Role Assignments_

This module deploys a Resource Role Assignment using minimal parameters.


<details>

<summary>via Bicep module</summary>

```bicep
module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:<version>' = {
name: 'resourceRoleAssignmentDeployment'
params: {
// Required parameters
principalId: '<principalId>'
resourceId: '<resourceId>'
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
// Non-required parameters
principalType: 'ServicePrincipal'
}
}
```

</details>
<p>

<details>

<summary>via JSON Parameter file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"principalId": {
"value": "<principalId>"
},
"resourceId": {
"value": "<resourceId>"
},
"roleDefinitionId": {
"value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
},
// Non-required parameters
"principalType": {
"value": "ServicePrincipal"
}
}
}
```

</details>
<p>


## Parameters

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). |
| [`resourceId`](#parameter-resourceid) | string | The scope for the role assignment, fully qualified resourceId. |
| [`roleDefinitionId`](#parameter-roledefinitionid) | string | The role definition ID for the role assignment. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`description`](#parameter-description) | string | The description of role assignment. |
| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
| [`name`](#parameter-name) | string | The unique guid name for the role assignment. |
| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. |
| [`roleName`](#parameter-rolename) | string | The name for the role, used for logging. |

### Parameter: `principalId`

The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).

- Required: Yes
- Type: string

### Parameter: `resourceId`

The scope for the role assignment, fully qualified resourceId.

- Required: Yes
- Type: string

### Parameter: `roleDefinitionId`

The role definition ID for the role assignment.

- Required: Yes
- Type: string

### Parameter: `description`

The description of role assignment.

- Required: No
- Type: string
- Default: `''`

### Parameter: `enableTelemetry`

Enable/Disable usage telemetry for module.

- Required: No
- Type: bool
- Default: `True`

### Parameter: `name`

The unique guid name for the role assignment.

- Required: No
- Type: string
- Default: `[guid(parameters('resourceId'), parameters('principalId'), if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))))]`

### Parameter: `principalType`

The principal type of the assigned principal ID.

- Required: No
- Type: string
- Default: `''`
- Allowed:
```Bicep
[
''
'Device'
'ForeignGroup'
'Group'
'ServicePrincipal'
'User'
]
```

### Parameter: `roleName`

The name for the role, used for logging.

- Required: No
- Type: string
- Default: `''`


## Outputs

| Output | Type | Description |
| :-- | :-- | :-- |
| `name` | string | The GUID of the Role Assignment. |
| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. |
| `resourceId` | string | The resource ID of the Role Assignment. |
| `roleName` | string | The name for the role, used for logging. |

## Cross-referenced modules

_None_

## Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Loading

0 comments on commit 9ad5ba4

Please sign in to comment.