feat: Add Sub & RG Scope support for MG scoped Policy Assignments (#3921)

## Description

Add Sub & RG Scope support for MG scoped Policy Assignments

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.ptn.authorization.policy-assignment](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.policy-assignment.yml/badge.svg?branch=users%2Fjtracey93%2Ffeat%2Fadd-sub-rg-scope-support)](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.policy-assignment.yml) |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting module files.
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to date with the contribution guide at https://aka.ms/avm/contribute/bicep -->
jtracey93 authored Dec 11, 2024
1 parent eb9065c commit b23659a
Showing 10 changed files with 574 additions and 18 deletions.
46 changes: 43 additions & 3 deletions avm/ptn/authorization/policy-assignment/README.md
@@ -132,6 +132,12 @@ module policyAssignment 'br/public:avm/ptn/authorization/policy-assignment:<vers
additionalManagementGroupsIDsToAssignRbacTo: [
'<name>'
]
additionalResourceGroupResourceIDsToAssignRbacTo: [
'<resourceId>'
]
additionalSubscriptionIDsToAssignRbacTo: [
'<subscriptionId>'
]
description: '[Description] Policy Assignment at the management group scope'
displayName: '[Display Name] Policy Assignment at the management group scope'
enforcementMode: 'DoNotEnforce'
@@ -149,7 +155,7 @@ module policyAssignment 'br/public:avm/ptn/authorization/policy-assignment:<vers
}
]
notScopes: [
'/subscriptions/<value>/resourceGroups/validation-rg'
'<resourceId>'
]
overrides: [
{
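Review bot: the `notScopes` example value in this hunk drops the format hint the old one carried; `'/subscriptions/<value>/resourceGroups/validation-rg'` showed readers that a notScope is a full ARM resource ID, while the new `'<resourceId>'` alone does not, and the same substitution is made in the JSON parameter-file and .bicepparam variants of this example further down. A placeholder shaped like `'/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>'` would keep the expected form visible in all three variants.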
@@ -225,6 +231,16 @@ module policyAssignment 'br/public:avm/ptn/authorization/policy-assignment:<vers
"<name>"
]
},
"additionalResourceGroupResourceIDsToAssignRbacTo": {
"value": [
"<resourceId>"
]
},
"additionalSubscriptionIDsToAssignRbacTo": {
"value": [
"<subscriptionId>"
]
},
"description": {
"value": "[Description] Policy Assignment at the management group scope"
},
@@ -259,7 +275,7 @@ module policyAssignment 'br/public:avm/ptn/authorization/policy-assignment:<vers
},
"notScopes": {
"value": [
"/subscriptions/<value>/resourceGroups/validation-rg"
"<resourceId>"
]
},
"overrides": {
@@ -336,6 +352,12 @@ param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefiniti
param additionalManagementGroupsIDsToAssignRbacTo = [
'<name>'
]
param additionalResourceGroupResourceIDsToAssignRbacTo = [
'<resourceId>'
]
param additionalSubscriptionIDsToAssignRbacTo = [
'<subscriptionId>'
]
param description = '[Description] Policy Assignment at the management group scope'
param displayName = '[Display Name] Policy Assignment at the management group scope'
param enforcementMode = 'DoNotEnforce'
@@ -353,7 +375,7 @@ param nonComplianceMessages = [
}
]
param notScopes = [
'/subscriptions/<value>/resourceGroups/validation-rg'
'<resourceId>'
]
param overrides = [
{
@@ -1179,6 +1201,8 @@ param userAssignedIdentityId = '<userAssignedIdentityId>'
| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`additionalManagementGroupsIDsToAssignRbacTo`](#parameter-additionalmanagementgroupsidstoassignrbacto) | array | An array of additional management group IDs to assign RBAC to for the policy assignment if it has an identity. |
| [`additionalResourceGroupResourceIDsToAssignRbacTo`](#parameter-additionalresourcegroupresourceidstoassignrbacto) | array | An array of additional Resource Group Resource IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments. |
| [`additionalSubscriptionIDsToAssignRbacTo`](#parameter-additionalsubscriptionidstoassignrbacto) | array | An array of additional Subscription IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments. |
| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. |
| [`displayName`](#parameter-displayname) | string | The display name of the policy assignment. Maximum length is 128 characters. |
| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
@@ -1219,6 +1243,22 @@ An array of additional management group IDs to assign RBAC to for the policy ass
- Type: array
- Default: `[]`

### Parameter: `additionalResourceGroupResourceIDsToAssignRbacTo`

An array of additional Resource Group Resource IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments.

- Required: No
- Type: array
- Default: `[]`

### Parameter: `additionalSubscriptionIDsToAssignRbacTo`

An array of additional Subscription IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments.

- Required: No
- Type: array
- Default: `[]`

### Parameter: `description`

This message will be part of response in case of policy violation.
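Review bot: the two new parameter sections describe what the arrays are for but not what form each element must take, and the two differ: `additionalSubscriptionIDsToAssignRbacTo` takes bare subscription IDs (the usage example passes `'<subscriptionId>'`) while `additionalResourceGroupResourceIDsToAssignRbacTo` takes full resource IDs (`'<resourceId>'`). Stating the expected element format in each description would spare callers from inferring it from the examples. Since every listed scope receives a role assignment for the assignment's identity, it is also worth adding a sentence that the lists should be limited to the scopes the policy's remediation actually needs to reach.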
8 changes: 8 additions & 0 deletions avm/ptn/authorization/policy-assignment/main.bicep
@@ -53,6 +53,12 @@ param managementGroupId string = managementGroup().name
@sys.description('Optional. An array of additional management group IDs to assign RBAC to for the policy assignment if it has an identity.')
param additionalManagementGroupsIDsToAssignRbacTo array = []

@sys.description('Optional. An array of additional Subscription IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments.')
param additionalSubscriptionIDsToAssignRbacTo array = []

@sys.description('Optional. An array of additional Resource Group Resource IDs to assign RBAC to for the policy assignment if it has an identity, only supported for Management Group Policy Assignments.')
param additionalResourceGroupResourceIDsToAssignRbacTo array = []

@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment.')
param subscriptionId string = ''
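Review bot: both new parameters are declared as untyped `array` with no element constraint even though every element is meant to be a string; declaring them as `string[]` would let the Bicep compiler reject non-string entries before deployment. The pre-existing `additionalManagementGroupsIDsToAssignRbacTo` uses the same untyped pattern, so if the module intentionally keeps that style for consistency, a note to that effect in the PR description would avoid the question coming up again.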

@@ -117,6 +123,8 @@ module policyAssignment_mg 'modules/management-group.bicep' = if (empty(subscrip
overrides: !empty(overrides) ? overrides : []
resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : []
additionalManagementGroupsIDsToAssignRbacTo: additionalManagementGroupsIDsToAssignRbacTo
additionalSubscriptionIDsToAssignRbacTo: additionalSubscriptionIDsToAssignRbacTo
additionalResourceGroupResourceIDsToAssignRbacTo: additionalResourceGroupResourceIDsToAssignRbacTo
}
}
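Review bot: the two new arrays are forwarded only to `policyAssignment_mg`, which is deployed only when `subscriptionId` is empty, so a caller who sets `subscriptionId` together with either array gets no error and no role assignments at those scopes; the "only supported for Management Group Policy Assignments" wording in the descriptions is the only hint. Consider failing the deployment when `!empty(subscriptionId)` and either array is non-empty, or at minimum calling out in the README that the values are ignored for subscription-scoped assignments.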

0 comments on commit b23659a