-
Notifications
You must be signed in to change notification settings - Fork 381
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: New pattern
avm/ptn/authorization/resource-role-assignment
(#…
…1905) ## Description Adding new pattern `avm/ptn/authorization/resource-role-assignment` Azure/Azure-Verified-Modules#939 Migration of `modules/authorization/resource-scope-role-assignment` Closes #937 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [![avm.ptn.authorization.resource-role-assignment](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml/badge.svg?branch=resource-role-assignment)](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml) | ## Type of Change <!-- Use the check-boxes [x] on the options that are relevant. --> - [ ] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings <!-- Please keep up to day with the contribution guide at https://aka.ms/avm/contribute/bicep -->
- Loading branch information
Showing
12 changed files
with
917 additions
and
0 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
90 changes: 90 additions & 0 deletions
90
.github/workflows/avm.ptn.authorization.resource-role-assignment.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
name: "avm.ptn.authorization.resource-role-assignment" | ||
|
||
on: | ||
schedule: | ||
- cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) | ||
workflow_dispatch: | ||
inputs: | ||
staticValidation: | ||
type: boolean | ||
description: "Execute static validation" | ||
required: false | ||
default: true | ||
deploymentValidation: | ||
type: boolean | ||
description: "Execute deployment validation" | ||
required: false | ||
default: true | ||
removeDeployment: | ||
type: boolean | ||
description: "Remove deployed module" | ||
required: false | ||
default: true | ||
customLocation: | ||
type: string | ||
description: "Default location overwrite (e.g., eastus)" | ||
required: false | ||
push: | ||
branches: | ||
- main | ||
paths: | ||
- ".github/actions/templates/avm-**" | ||
- ".github/workflows/avm.template.module.yml" | ||
- ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml" | ||
- "avm/ptn/authorization/resource-role-assignment/**" | ||
- "avm/utilities/pipelines/**" | ||
- "!avm/utilities/pipelines/platform/**" | ||
- "!*/**/README.md" | ||
|
||
env: | ||
modulePath: "avm/ptn/authorization/resource-role-assignment" | ||
workflowPath: ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml" | ||
|
||
concurrency: | ||
group: ${{ github.workflow }} | ||
|
||
jobs: | ||
########################### | ||
# Initialize pipeline # | ||
########################### | ||
job_initialize_pipeline: | ||
runs-on: ubuntu-latest | ||
name: "Initialize pipeline" | ||
steps: | ||
- name: "Checkout" | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- name: "Set input parameters to output variables" | ||
id: get-workflow-param | ||
uses: ./.github/actions/templates/avm-getWorkflowInput | ||
with: | ||
workflowPath: "${{ env.workflowPath}}" | ||
- name: "Get module test file paths" | ||
id: get-module-test-file-paths | ||
uses: ./.github/actions/templates/avm-getModuleTestFiles | ||
with: | ||
modulePath: "${{ env.modulePath }}" | ||
outputs: | ||
workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} | ||
moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} | ||
psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} | ||
modulePath: "${{ env.modulePath }}" | ||
|
||
############################## | ||
# Call reusable workflow # | ||
############################## | ||
call-workflow-passing-data: | ||
name: "Run" | ||
permissions: | ||
id-token: write # For OIDC | ||
contents: write # For release tags | ||
needs: | ||
- job_initialize_pipeline | ||
uses: ./.github/workflows/avm.template.module.yml | ||
with: | ||
workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}" | ||
moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}" | ||
psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}" | ||
modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}" | ||
secrets: inherit |
259 changes: 259 additions & 0 deletions
259
avm/ptn/authorization/resource-role-assignment/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,259 @@ | ||
# Resource-scoped role assignment `[Microsoft.Authorization/resourceroleassignment]` | ||
|
||
This module deploys a Role Assignment for a specific resource. | ||
|
||
## Navigation | ||
|
||
- [Resource Types](#Resource-Types) | ||
- [Usage examples](#Usage-examples) | ||
- [Parameters](#Parameters) | ||
- [Outputs](#Outputs) | ||
- [Cross-referenced modules](#Cross-referenced-modules) | ||
- [Data Collection](#Data-Collection) | ||
|
||
## Resource Types | ||
|
||
| Resource Type | API Version | | ||
| :-- | :-- | | ||
|
||
## Usage examples | ||
|
||
The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. | ||
|
||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. | ||
>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/resource-role-assignment:<version>`. | ||
- [Resource Role Assignments](#example-1-resource-role-assignments) | ||
- [Resource Role Assignments](#example-2-resource-role-assignments) | ||
|
||
### Example 1: _Resource Role Assignments_ | ||
|
||
This module deploys a Resource Role Assignment using all parameters. | ||
|
||
|
||
<details> | ||
|
||
<summary>via Bicep module</summary> | ||
|
||
```bicep | ||
module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:<version>' = { | ||
name: 'resourceRoleAssignmentDeployment' | ||
params: { | ||
// Required parameters | ||
principalId: '<principalId>' | ||
resourceId: '<resourceId>' | ||
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' | ||
// Non-required parameters | ||
description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.' | ||
principalType: 'ServicePrincipal' | ||
roleName: 'Storage Blob Data Reader' | ||
} | ||
} | ||
``` | ||
|
||
</details> | ||
<p> | ||
|
||
<details> | ||
|
||
<summary>via JSON Parameter file</summary> | ||
|
||
```json | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
// Required parameters | ||
"principalId": { | ||
"value": "<principalId>" | ||
}, | ||
"resourceId": { | ||
"value": "<resourceId>" | ||
}, | ||
"roleDefinitionId": { | ||
"value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" | ||
}, | ||
// Non-required parameters | ||
"description": { | ||
"value": "Assign Storage Blob Data Reader role to the managed identity on the storage account." | ||
}, | ||
"principalType": { | ||
"value": "ServicePrincipal" | ||
}, | ||
"roleName": { | ||
"value": "Storage Blob Data Reader" | ||
} | ||
} | ||
} | ||
``` | ||
|
||
</details> | ||
<p> | ||
|
||
### Example 2: _Resource Role Assignments_ | ||
|
||
This module deploys a Resource Role Assignment using minimal parameters. | ||
|
||
|
||
<details> | ||
|
||
<summary>via Bicep module</summary> | ||
|
||
```bicep | ||
module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:<version>' = { | ||
name: 'resourceRoleAssignmentDeployment' | ||
params: { | ||
// Required parameters | ||
principalId: '<principalId>' | ||
resourceId: '<resourceId>' | ||
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' | ||
// Non-required parameters | ||
principalType: 'ServicePrincipal' | ||
} | ||
} | ||
``` | ||
|
||
</details> | ||
<p> | ||
|
||
<details> | ||
|
||
<summary>via JSON Parameter file</summary> | ||
|
||
```json | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
// Required parameters | ||
"principalId": { | ||
"value": "<principalId>" | ||
}, | ||
"resourceId": { | ||
"value": "<resourceId>" | ||
}, | ||
"roleDefinitionId": { | ||
"value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" | ||
}, | ||
// Non-required parameters | ||
"principalType": { | ||
"value": "ServicePrincipal" | ||
} | ||
} | ||
} | ||
``` | ||
|
||
</details> | ||
<p> | ||
|
||
|
||
## Parameters | ||
|
||
**Required parameters** | ||
|
||
| Parameter | Type | Description | | ||
| :-- | :-- | :-- | | ||
| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | | ||
| [`resourceId`](#parameter-resourceid) | string | The scope for the role assignment, fully qualified resourceId. | | ||
| [`roleDefinitionId`](#parameter-roledefinitionid) | string | The role definition ID for the role assignment. | | ||
|
||
**Optional parameters** | ||
|
||
| Parameter | Type | Description | | ||
| :-- | :-- | :-- | | ||
| [`description`](#parameter-description) | string | The description of role assignment. | | ||
| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | ||
| [`name`](#parameter-name) | string | The unique guid name for the role assignment. | | ||
| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | | ||
| [`roleName`](#parameter-rolename) | string | The name for the role, used for logging. | | ||
|
||
### Parameter: `principalId` | ||
|
||
The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | ||
|
||
- Required: Yes | ||
- Type: string | ||
|
||
### Parameter: `resourceId` | ||
|
||
The scope for the role assignment, fully qualified resourceId. | ||
|
||
- Required: Yes | ||
- Type: string | ||
|
||
### Parameter: `roleDefinitionId` | ||
|
||
The role definition ID for the role assignment. | ||
|
||
- Required: Yes | ||
- Type: string | ||
|
||
### Parameter: `description` | ||
|
||
The description of role assignment. | ||
|
||
- Required: No | ||
- Type: string | ||
- Default: `''` | ||
|
||
### Parameter: `enableTelemetry` | ||
|
||
Enable/Disable usage telemetry for module. | ||
|
||
- Required: No | ||
- Type: bool | ||
- Default: `True` | ||
|
||
### Parameter: `name` | ||
|
||
The unique guid name for the role assignment. | ||
|
||
- Required: No | ||
- Type: string | ||
- Default: `[guid(parameters('resourceId'), parameters('principalId'), if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))))]` | ||
|
||
### Parameter: `principalType` | ||
|
||
The principal type of the assigned principal ID. | ||
|
||
- Required: No | ||
- Type: string | ||
- Default: `''` | ||
- Allowed: | ||
```Bicep | ||
[ | ||
'' | ||
'Device' | ||
'ForeignGroup' | ||
'Group' | ||
'ServicePrincipal' | ||
'User' | ||
] | ||
``` | ||
|
||
### Parameter: `roleName` | ||
|
||
The name for the role, used for logging. | ||
|
||
- Required: No | ||
- Type: string | ||
- Default: `''` | ||
|
||
|
||
## Outputs | ||
|
||
| Output | Type | Description | | ||
| :-- | :-- | :-- | | ||
| `name` | string | The GUID of the Role Assignment. | | ||
| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. | | ||
| `resourceId` | string | The resource ID of the Role Assignment. | | ||
| `roleName` | string | The name for the role, used for logging. | | ||
|
||
## Cross-referenced modules | ||
|
||
_None_ | ||
|
||
## Data Collection | ||
|
||
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. |
Oops, something went wrong.