From 9ad5ba49a3478c82decdb60caa6a8fd686fb8a78 Mon Sep 17 00:00:00 2001 From: Peter Budai Date: Wed, 15 May 2024 23:53:28 +0200 Subject: [PATCH] feat: New pattern `avm/ptn/authorization/resource-role-assignment` (#1905) ## Description Adding new pattern `avm/ptn/authorization/resource-role-assignment` https://github.com/Azure/Azure-Verified-Modules/issues/939 Migration of `modules/authorization/resource-scope-role-assignment` Closes #937 ## Pipeline Reference | Pipeline | | -------- | | [![avm.ptn.authorization.resource-role-assignment](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml/badge.svg?branch=resource-role-assignment)](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.ptn.authorization.resource-role-assignment.yml) | ## Type of Change - [ ] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .github/CODEOWNERS | 1 + .github/ISSUE_TEMPLATE/avm_module_issue.yml | 1 + ...authorization.resource-role-assignment.yml | 90 ++++++ .../resource-role-assignment/README.md | 259 ++++++++++++++++++ .../resource-role-assignment/main.bicep | 108 ++++++++ .../resource-role-assignment/main.json | 219 +++++++++++++++ .../modules/generic-role-assignment.json | 56 ++++ .../tests/e2e/all/dependencies.bicep | 28 ++ .../tests/e2e/all/main.test.bicep | 61 +++++ .../tests/e2e/defaults/dependencies.bicep | 28 ++ .../tests/e2e/defaults/main.test.bicep | 59 ++++ .../resource-role-assignment/version.json | 7 + 12 files changed, 917 insertions(+) create mode 100644 .github/workflows/avm.ptn.authorization.resource-role-assignment.yml create mode 100644 avm/ptn/authorization/resource-role-assignment/README.md create mode 100644 avm/ptn/authorization/resource-role-assignment/main.bicep create mode 100644 avm/ptn/authorization/resource-role-assignment/main.json create mode 100644 avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json create mode 100644 avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep create mode 100644 avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep create mode 100644 avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep create mode 100644 avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep create mode 100644 avm/ptn/authorization/resource-role-assignment/version.json diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 730d31af40..3829d6ef26 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -4,6 +4,7 @@ /avm/ @Azure/avm-core-team-technical-bicep /avm/utilities/ @Azure/avm-core-team-technical-bicep /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep +/avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/ptn/security/security-center/ @Azure/avm-ptn-security-securitycenter-module-owners-bicep @Azure/avm-core-team-technical-bicep /avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep @Azure/avm-core-team-technical-bicep diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 43e4d477db..ab3d0c7867 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -39,6 +39,7 @@ body: options: - "" - "avm/ptn/authorization/policy-assignment" + - "avm/ptn/authorization/resource-role-assignment" - "avm/ptn/authorization/role-assignment" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" diff --git a/.github/workflows/avm.ptn.authorization.resource-role-assignment.yml b/.github/workflows/avm.ptn.authorization.resource-role-assignment.yml new file mode 100644 index 0000000000..979d22d8df --- /dev/null +++ b/.github/workflows/avm.ptn.authorization.resource-role-assignment.yml @@ -0,0 +1,90 @@ +name: "avm.ptn.authorization.resource-role-assignment" + +on: + schedule: + - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + customLocation: + type: string + description: "Default location overwrite (e.g., eastus)" + required: false + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml" + - "avm/ptn/authorization/resource-role-assignment/**" + - "avm/utilities/pipelines/**" + - "!avm/utilities/pipelines/platform/**" + - "!*/**/README.md" + +env: + modulePath: "avm/ptn/authorization/resource-role-assignment" + workflowPath: ".github/workflows/avm.ptn.authorization.resource-role-assignment.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-latest + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get module test file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + name: "Run" + permissions: + id-token: write # For OIDC + contents: write # For release tags + needs: + - job_initialize_pipeline + uses: ./.github/workflows/avm.template.module.yml + with: + workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}" + moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}" + psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}" + modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}" + secrets: inherit diff --git a/avm/ptn/authorization/resource-role-assignment/README.md b/avm/ptn/authorization/resource-role-assignment/README.md new file mode 100644 index 0000000000..3c440de225 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/README.md @@ -0,0 +1,259 @@ +# Resource-scoped role assignment `[Microsoft.Authorization/resourceroleassignment]` + +This module deploys a Role Assignment for a specific resource. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/resource-role-assignment:`. + +- [Resource Role Assignments](#example-1-resource-role-assignments) +- [Resource Role Assignments](#example-2-resource-role-assignments) + +### Example 1: _Resource Role Assignments_ + +This module deploys a Resource Role Assignment using all parameters. + + +
+ +via Bicep module + +```bicep +module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:' = { + name: 'resourceRoleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + resourceId: '' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + // Non-required parameters + description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.' + principalType: 'ServicePrincipal' + roleName: 'Storage Blob Data Reader' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "resourceId": { + "value": "" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + // Non-required parameters + "description": { + "value": "Assign Storage Blob Data Reader role to the managed identity on the storage account." + }, + "principalType": { + "value": "ServicePrincipal" + }, + "roleName": { + "value": "Storage Blob Data Reader" + } + } +} +``` + +
+

+ +### Example 2: _Resource Role Assignments_ + +This module deploys a Resource Role Assignment using minimal parameters. + + +

+ +via Bicep module + +```bicep +module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:' = { + name: 'resourceRoleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + resourceId: '' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + // Non-required parameters + principalType: 'ServicePrincipal' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "resourceId": { + "value": "" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + // Non-required parameters + "principalType": { + "value": "ServicePrincipal" + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`resourceId`](#parameter-resourceid) | string | The scope for the role assignment, fully qualified resourceId. | +| [`roleDefinitionId`](#parameter-roledefinitionid) | string | The role definition ID for the role assignment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | The description of role assignment. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`name`](#parameter-name) | string | The unique guid name for the role assignment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`roleName`](#parameter-rolename) | string | The name for the role, used for logging. | + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `resourceId` + +The scope for the role assignment, fully qualified resourceId. + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionId` + +The role definition ID for the role assignment. + +- Required: Yes +- Type: string + +### Parameter: `description` + +The description of role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `name` + +The unique guid name for the role assignment. + +- Required: No +- Type: string +- Default: `[guid(parameters('resourceId'), parameters('principalId'), if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))))]` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `roleName` + +The name for the role, used for logging. + +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `roleName` | string | The name for the role, used for logging. | + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/resource-role-assignment/main.bicep b/avm/ptn/authorization/resource-role-assignment/main.bicep new file mode 100644 index 0000000000..37e0afe82b --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/main.bicep @@ -0,0 +1,108 @@ +metadata name = 'Resource-scoped role assignment' +metadata description = 'This module deploys a Role Assignment for a specific resource.' +metadata owner = 'Azure/module-maintainers' + +@sys.description('Required. The scope for the role assignment, fully qualified resourceId.') +param resourceId string + +@sys.description('Optional. The unique guid name for the role assignment.') +param name string = guid( + resourceId, + principalId, + contains(roleDefinitionId, '/providers/Microsoft.Authorization/roleDefinitions/') + ? roleDefinitionId + : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) +) + +@sys.description('Required. The role definition ID for the role assignment.') +param roleDefinitionId string + +@sys.description('Optional. The name for the role, used for logging.') +param roleName string = '' + +@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).') +param principalId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of role assignment.') +param description string = '' + +@sys.description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true + +// =============== // +// Definitions // +// =============== // + +resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { + name: '46d3xbcp.ptn.authorization-resourceroleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } +} + +resource resourceRoleAssignment 'Microsoft.Resources/deployments@2023-07-01' = { + name: '${guid(resourceId, principalId, roleDefinitionId)}-ResourceRoleAssignment' + properties: { + mode: 'Incremental' + expressionEvaluationOptions: { + scope: 'Outer' + } + template: loadJsonContent('modules/generic-role-assignment.json') + parameters: { + scope: { + value: resourceId + } + name: { + value: name + } + roleDefinitionId: { + value: contains(roleDefinitionId, '/providers/Microsoft.Authorization/roleDefinitions/') + ? roleDefinitionId + : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) + } + principalId: { + value: principalId + } + principalType: { + value: principalType + } + description: { + value: description + } + } + } +} + +@sys.description('The GUID of the Role Assignment.') +output name string = name + +@sys.description('The name for the role, used for logging.') +output roleName string = roleName + +@sys.description('The resource ID of the Role Assignment.') +output resourceId string = resourceRoleAssignment.properties.outputs.roleAssignmentId.value + +@sys.description('The name of the resource group the role assignment was applied at.') +output resourceGroupName string = resourceGroup().name diff --git a/avm/ptn/authorization/resource-role-assignment/main.json b/avm/ptn/authorization/resource-role-assignment/main.json new file mode 100644 index 0000000000..f576453bd9 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/main.json @@ -0,0 +1,219 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "17107961067773605935" + }, + "name": "Resource-scoped role assignment", + "description": "This module deploys a Role Assignment for a specific resource.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The scope for the role assignment, fully qualified resourceId." + } + }, + "name": { + "type": "string", + "defaultValue": "[guid(parameters('resourceId'), parameters('principalId'), if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))))]", + "metadata": { + "description": "Optional. The unique guid name for the role assignment." + } + }, + "roleDefinitionId": { + "type": "string", + "metadata": { + "description": "Required. The role definition ID for the role assignment." + } + }, + "roleName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name for the role, used for logging." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of role assignment." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "$fxv#0": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string" + }, + "name": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[[parameters('scope')]", + "name": "[[parameters('name')]", + "properties": { + "roleDefinitionId": "[[parameters('roleDefinitionId')]", + "principalId": "[[parameters('principalId')]", + "principalType": "[[parameters('principalType')]", + "description": "[[parameters('description')]" + } + } + ], + "outputs": { + "roleAssignmentId": { + "type": "string", + "value": "[[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]" + } + } + } + }, + "resources": [ + { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.ptn.authorization-resourceroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('principalId'), parameters('roleDefinitionId')))]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "Outer" + }, + "template": "[variables('$fxv#0')]", + "parameters": { + "scope": { + "value": "[parameters('resourceId')]" + }, + "name": { + "value": "[parameters('name')]" + }, + "roleDefinitionId": { + "value": "[if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId')))]" + }, + "principalId": { + "value": "[parameters('principalId')]" + }, + "principalType": { + "value": "[parameters('principalType')]" + }, + "description": { + "value": "[parameters('description')]" + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." + }, + "value": "[parameters('name')]" + }, + "roleName": { + "type": "string", + "metadata": { + "description": "The name for the role, used for logging." + }, + "value": "[parameters('roleName')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('principalId'), parameters('roleDefinitionId')))), '2023-07-01').outputs.roleAssignmentId.value]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the role assignment was applied at." + }, + "value": "[resourceGroup().name]" + } + } +} diff --git a/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json b/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json new file mode 100644 index 0000000000..2e18bcc955 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json @@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "scope": { + "type": "string" + }, + "name": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User", + "" + ], + "defaultValue": "", + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[parameters('scope')]", + "name": "[parameters('name')]", + "properties": { + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "description": "[parameters('description')]" + } + } + ], + "outputs": { + "roleAssignmentId": { + "type": "string", + "value": "[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep new file mode 100644 index 0000000000..195c02ed8a --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep new file mode 100644 index 0000000000..2bc06f024d --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep @@ -0,0 +1,61 @@ +targetScope = 'subscription' +metadata name = 'Resource Role Assignments' +metadata description = 'This module deploys a Resource Role Assignment using all parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.resourceroleassignment-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'arraall' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + location: resourceLocation + } +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + name: '${guid(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + scope: resourceGroup + params: { + resourceId: nestedDependencies.outputs.storageAccountResourceId + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + roleName: 'Storage Blob Data Reader' + description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.' + } + } +] diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep new file mode 100644 index 0000000000..ac2fbefc47 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep new file mode 100644 index 0000000000..252442bc34 --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/defaults/main.test.bicep @@ -0,0 +1,59 @@ +targetScope = 'subscription' +metadata name = 'Resource Role Assignments' +metadata description = 'This module deploys a Resource Role Assignment using minimal parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.resourceroleassignment-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'arramin' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = { + name: resourceGroupName + location: resourceLocation +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + location: resourceLocation + } +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + name: '${guid(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + scope: resourceGroup + params: { + resourceId: nestedDependencies.outputs.storageAccountResourceId + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader + } + } +] diff --git a/avm/ptn/authorization/resource-role-assignment/version.json b/avm/ptn/authorization/resource-role-assignment/version.json new file mode 100644 index 0000000000..8def869ede --- /dev/null +++ b/avm/ptn/authorization/resource-role-assignment/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.1", + "pathFilters": [ + "./main.json" + ] +}