From 94358fe3373143e415b52af68afc0f6ef060e049 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Tue, 14 Nov 2023 17:28:02 -0700 Subject: [PATCH 01/42] Created express route workflows --- .../avm.res.network.express-route-circuit.yml | 81 +++++++++++++++++++ .../avm.res.network.express-route-gateway.yml | 81 +++++++++++++++++++ 2 files changed, 162 insertions(+) create mode 100644 .github/workflows/avm.res.network.express-route-circuit.yml create mode 100644 .github/workflows/avm.res.network.express-route-gateway.yml diff --git a/.github/workflows/avm.res.network.express-route-circuit.yml b/.github/workflows/avm.res.network.express-route-circuit.yml new file mode 100644 index 0000000000..bc4e20a727 --- /dev/null +++ b/.github/workflows/avm.res.network.express-route-circuit.yml 
@@ -0,0 +1,81 @@
+name: "avm.res.network.express-route-circuit"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.network.express-route-circuit.yml"
+ - "avm/res/network/express-route-circuit/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/network/express-route-circuit"
+ workflowPath: ".github/workflows/avm.res.network.express-route-circuit.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-20.04
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get parameter file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Module"
+ needs:
+ - 
 job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
diff --git a/.github/workflows/avm.res.network.express-route-gateway.yml b/.github/workflows/avm.res.network.express-route-gateway.yml
new file mode 100644
index 0000000000..7a0e195db6
--- /dev/null
+++ b/.github/workflows/avm.res.network.express-route-gateway.yml
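Review bot: The comment on the `schedule:` cron entry does not match the expression: in the day-of-month field `1/15` means "start at day 1, then every 15 days", which fires on the 1st, 16th and 31st, not on the 1st and 15th the comment claims. If the 1st and 15th are intended the entry should read `- cron: "0 12 1,15 * *" # Bi-Weekly Test (on 1st & 15th of month)`; otherwise the comment should be corrected. The express-route-gateway workflow hunk below carries the identical schedule and the same mismatch. Separately, neither workflow declares a top-level `permissions:` block, so the GITHUB_TOKEN handed to the reusable workflow (which also receives `secrets: inherit`) is bounded only by the repository's default token setting; a minimal `permissions:` block at the caller would make that ceiling explicit. The spacing in `"${{ env.workflowPath}}"` and `outputs.modulePath}}"` is harmless but inconsistent with the `"${{ env.modulePath }}"` form used beside it.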
@@ -0,0 +1,81 @@
+name: "avm.res.network.express-route-gateway"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.network.express-route-gateway.yml"
+ - "avm/res/network/express-route-gateway/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/network/express-route-gateway"
+ workflowPath: ".github/workflows/avm.res.network.express-route-gateway.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-20.04
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get parameter file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Module"
+ needs:
+ - 
 job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
From 298cc7671815871309dbd1cdccd8108b2c06f878 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 16 Nov 2023 10:51:27 -0700
Subject: [PATCH 02/42] removed linespace
---
 .github/workflows/avm.res.network.express-route-circuit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/avm.res.network.express-route-circuit.yml b/.github/workflows/avm.res.network.express-route-circuit.yml
index bc4e20a727..1560e31113 100644
--- a/.github/workflows/avm.res.network.express-route-circuit.yml
+++ b/.github/workflows/avm.res.network.express-route-circuit.yml
@@ -78,4 +78,4 @@ jobs:
 workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
 moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
 modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
- secrets: inherit
+ secrets: inherit
\ No newline at end of file
From 9414e316aa331c8926c9696ee6dc9fbea58d2a9c Mon Sep 17 00:00:00 2001
From: arnoldna Date: Thu, 16 Nov 2023 17:02:22 -0700 Subject: [PATCH 03/42] Initial Commit --- .../network/express-route-gateway/README.md | 480 ++++++++++++++++++ .../network/express-route-gateway/main.bicep | 152 ++++++ .../network/express-route-gateway/main.json | 301 +++++++++++ .../tests/e2e/defaults/dependencies.bicep | 27 + .../tests/e2e/defaults/main.test.bicep | 60 +++ .../tests/e2e/max/dependencies.bicep | 38 ++ .../tests/e2e/max/main.test.bicep | 77 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 38 ++ .../tests/e2e/waf-aligned/main.test.bicep | 77 +++ .../express-route-gateway/version.json | 7 + 10 files changed, 1257 insertions(+) create mode 100644 avm/res/network/express-route-gateway/README.md create mode 100644 avm/res/network/express-route-gateway/main.bicep create mode 100644 avm/res/network/express-route-gateway/main.json create mode 100644 avm/res/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep create mode 100644 avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep create mode 100644 avm/res/network/express-route-gateway/tests/e2e/max/dependencies.bicep create mode 100644 avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep create mode 100644 avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 avm/res/network/express-route-gateway/version.json diff --git a/avm/res/network/express-route-gateway/README.md b/avm/res/network/express-route-gateway/README.md new file mode 100644 index 0000000000..8c86a790e5 --- /dev/null +++ b/avm/res/network/express-route-gateway/README.md 
@@ -0,0 +1,480 @@ +# Express Route Gateways `[Microsoft.Network/expressRouteGateways]` + +This module deploys an Express Route Gateway. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Network/expressRouteGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteGateways) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/res/network/express-route-gateway:`. + +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) + +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module expressRouteGateway 'br/public:avm/res/network/express-route-gateway:' = { + name: '${uniqueString(deployment().name, location)}-test-nergmin' + params: { + // Required parameters + name: 'nergmin001' + virtualHubId: '' + // Non-required parameters + enableTelemetry: '' + location: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nergmin001" + }, + "virtualHubId": { + "value": "" + }, + // Non-required parameters + "enableTelemetry": { + "value": "" + }, + "location": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + + +

+ +via Bicep module + +```bicep +module expressRouteGateway 'br/public:avm/res/network/express-route-gateway:' = { + name: '${uniqueString(deployment().name, location)}-test-nergmax' + params: { + // Required parameters + name: 'nergmax001' + virtualHubId: '' + // Non-required parameters + autoScaleConfigurationBoundsMax: 3 + autoScaleConfigurationBoundsMin: 2 + enableTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + hello: 'world' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nergmax001" + }, + "virtualHubId": { + "value": "" + }, + // Non-required parameters + "autoScaleConfigurationBoundsMax": { + "value": 3 + }, + "autoScaleConfigurationBoundsMin": { + "value": 2 + }, + "enableTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hello": "world", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ +### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module expressRouteGateway 'br/public:avm/res/network/express-route-gateway:' = { + name: '${uniqueString(deployment().name, location)}-test-nergwaf' + params: { + // Required parameters + name: 'nergwaf001' + virtualHubId: '' + // Non-required parameters + autoScaleConfigurationBoundsMax: 3 + autoScaleConfigurationBoundsMin: 2 + enableTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + hello: 'world' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nergwaf001" + }, + "virtualHubId": { + "value": "" + }, + // Non-required parameters + "autoScaleConfigurationBoundsMax": { + "value": 3 + }, + "autoScaleConfigurationBoundsMin": { + "value": 2 + }, + "enableTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hello": "world", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | Name of the Express Route Gateway. | +| [`virtualHubId`](#parameter-virtualhubid) | string | Resource ID of the Virtual Wan Hub. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`allowNonVirtualWanTraffic`](#parameter-allownonvirtualwantraffic) | bool | Configures this gateway to accept traffic from non Virtual WAN networks. | +| [`autoScaleConfigurationBoundsMax`](#parameter-autoscaleconfigurationboundsmax) | int | Maximum number of scale units deployed for ExpressRoute gateway. | +| [`autoScaleConfigurationBoundsMin`](#parameter-autoscaleconfigurationboundsmin) | int | Minimum number of scale units deployed for ExpressRoute gateway. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`expressRouteConnections`](#parameter-expressrouteconnections) | array | List of ExpressRoute connections to the ExpressRoute gateway. | +| [`location`](#parameter-location) | string | Location for all resources. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`tags`](#parameter-tags) | object | Tags of the Firewall policy resource. | + +### Parameter: `allowNonVirtualWanTraffic` + +Configures this gateway to accept traffic from non Virtual WAN networks. 
+- Required: No +- Type: bool +- Default: `False` + +### Parameter: `autoScaleConfigurationBoundsMax` + +Maximum number of scale units deployed for ExpressRoute gateway. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `autoScaleConfigurationBoundsMin` + +Minimum number of scale units deployed for ExpressRoute gateway. +- Required: No +- Type: int +- Default: `2` + +### Parameter: `enableTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `expressRouteConnections` + +List of ExpressRoute connections to the ExpressRoute gateway. +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `location` + +Location for all resources. +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +The lock settings of the service. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. | +| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. | + +### Parameter: `lock.kind` + +Optional. Specify the type of lock. + +- Required: No +- Type: string +- Allowed: `[CanNotDelete, None, ReadOnly]` + +### Parameter: `lock.name` + +Optional. Specify the name of lock. + +- Required: No +- Type: string + +### Parameter: `name` + +Name of the Express Route Gateway. +- Required: Yes +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
+- Required: No +- Type: array + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`condition`](#parameter-roleassignmentscondition) | No | string | Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | No | string | Optional. Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | No | string | Optional. The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | No | string | Optional. The description of the role assignment. | +| [`principalId`](#parameter-roleassignmentsprincipalid) | Yes | string | Required. The principal ID of the principal (user/group/identity) to assign the role to. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | No | string | Optional. The principal type of the assigned principal ID. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | Yes | string | Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead. | + +### Parameter: `roleAssignments.condition` + +Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container" + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Optional. Version of the condition. + +- Required: No +- Type: string +- Allowed: `[2.0]` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +Optional. The Resource Id of the delegated managed identity resource. 
+
+- Required: No
+ Type: string
+
+### Parameter: `roleAssignments.description`
+
+Optional. The description of the role assignment.
+
+- Required: No
+ Type: string
+
+### Parameter: `roleAssignments.principalId`
+
+Required. The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+ Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+Optional. The principal type of the assigned principal ID.
+
+- Required: No
+ Type: string
+ Allowed: `[Device, ForeignGroup, Group, ServicePrincipal, User]`
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.
+
+- Required: Yes
+ Type: string
+
+### Parameter: `tags`
+
+Tags of the Firewall policy resource.
+- Required: No
+ Type: object
+
+### Parameter: `virtualHubId`
+
+Resource ID of the Virtual Wan Hub.
+- Required: Yes
+ Type: string
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `location` | string | The location the resource was deployed into. |
+| `name` | string | The name of the ExpressRoute Gateway. |
+| `resourceGroupName` | string | The resource group of the ExpressRoute Gateway was deployed into. |
+| `resourceId` | string | The resource ID of the ExpressRoute Gateway. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/avm/res/network/express-route-gateway/main.bicep b/avm/res/network/express-route-gateway/main.bicep
new file mode 100644
index 0000000000..3cd3b7103e
--- /dev/null
+++ b/avm/res/network/express-route-gateway/main.bicep
@@ -0,0 +1,152 @@
+metadata name = 'Express Route Gateways'
+metadata description = 'This module deploys an Express Route Gateway.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Required. Name of the Express Route Gateway.')
+param name string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Tags of the Firewall policy resource.')
+param tags object?
+
+@description('Optional. Configures this gateway to accept traffic from non Virtual WAN networks.')
+param allowNonVirtualWanTraffic bool = false
+
+@description('Optional. Maximum number of scale units deployed for ExpressRoute gateway.')
+param autoScaleConfigurationBoundsMax int = 2
+
+@description('Optional. Minimum number of scale units deployed for ExpressRoute gateway.')
+param autoScaleConfigurationBoundsMin int = 2
+
+@description('Optional. List of ExpressRoute connections to the ExpressRoute gateway.')
+param expressRouteConnections array = []
+
+@description('Required. Resource ID of the Virtual Wan Hub.')
+param virtualHubId string
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments roleAssignmentType
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableTelemetry bool = true
+
+@description('Optional. 
 The lock settings of the service.')
+param lock lockType
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+ name: '46d3xbcp.res.network-expressroutegateway.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ outputs: {
+ telemetry: {
+ type: 'String'
+ value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+ }
+ }
+ }
+ }
+}
+
+resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {
+ allowNonVirtualWanTraffic: allowNonVirtualWanTraffic
+ autoScaleConfiguration: {
+ bounds: {
+ max: autoScaleConfigurationBoundsMax
+ min: autoScaleConfigurationBoundsMin
+ }
+ }
+ expressRouteConnections: expressRouteConnections
+ virtualHub: {
+ id: virtualHubId
+ }
+ }
+}
+
+resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? 
 {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
+ properties: {
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
+ }
+ scope: expressRouteGateway
+}
+
+resource expressRouteGateway_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(expressRouteGateway.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
+ condition: roleAssignment.?condition
+ conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+ delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+ }
+ scope: expressRouteGateway
+}]
+
+@description('The resource ID of the ExpressRoute Gateway.')
+output resourceId string = expressRouteGateway.id
+
+@description('The resource group of the ExpressRoute Gateway was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the ExpressRoute Gateway.')
+output name string = expressRouteGateway.name
+
+@description('The location the resource was deployed into.')
+output location string = expressRouteGateway.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
+
+type roleAssignmentType = {
+ @description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+ roleDefinitionIdOrName: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+
+ @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+ condition: string?
+
+ @description('Optional. Version of the condition.')
+ conditionVersion: '2.0'?
+
+ @description('Optional. The Resource Id of the delegated managed identity resource.')
+ delegatedManagedIdentityResourceId: string?
+}[]?
diff --git a/avm/res/network/express-route-gateway/main.json b/avm/res/network/express-route-gateway/main.json
new file mode 100644
index 0000000000..af5151b17c
--- /dev/null
+++ b/avm/res/network/express-route-gateway/main.json
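Review bot: The `tags` parameter's description reads `Tags of the Firewall policy resource.`, a copy-paste leftover from another module; it should be `@description('Optional. Tags of the Express Route Gateway resource.')`. The same text appears in the generated README.md and main.json hunks of this commit, so it should be fixed here and those files regenerated rather than patched by hand. `expressRouteConnections` is the only input passed straight into `properties` as an untyped `array`, whereas `lock` and `roleAssignments` get user-defined types; at minimum its description should state the expected item shape (presumably the resource API's `expressRouteConnections` element, to be confirmed against the 2023-04-01 schema). `autoScaleConfigurationBoundsMin` and `autoScaleConfigurationBoundsMax` carry no `@minValue`/`@maxValue` decorators and nothing checks that min does not exceed max, so an invalid pair is rejected only at deployment time.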
@@ -0,0 +1,301 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "4461263099821836128" + }, + "name": "Express Route Gateways", + "description": "This module deploys an Express Route Gateway.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "nullable": true + }, + "roleAssignmentType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. 
e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + } + }, + "nullable": true + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Express Route Gateway." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the Firewall policy resource." + } + }, + "allowNonVirtualWanTraffic": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Configures this gateway to accept traffic from non Virtual WAN networks." + } + }, + "autoScaleConfigurationBoundsMax": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Optional. Maximum number of scale units deployed for ExpressRoute gateway." + } + }, + "autoScaleConfigurationBoundsMin": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Optional. Minimum number of scale units deployed for ExpressRoute gateway." + } + }, + "expressRouteConnections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of ExpressRoute connections to the ExpressRoute gateway." + } + }, + "virtualHubId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the Virtual Wan Hub." 
+ } + }, + "roleAssignments": { + "$ref": "#/definitions/roleAssignmentType", + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "metadata": { + "description": "Optional. The lock settings of the service." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.network-expressroutegateway.{0}.{1}', replace('-..--..-', '.', '-'), 
substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "expressRouteGateway": { + "type": "Microsoft.Network/expressRouteGateways", + "apiVersion": "2023-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "allowNonVirtualWanTraffic": "[parameters('allowNonVirtualWanTraffic')]", + "autoScaleConfiguration": { + "bounds": { + "max": "[parameters('autoScaleConfigurationBoundsMax')]", + "min": "[parameters('autoScaleConfigurationBoundsMin')]" + } + }, + "expressRouteConnections": "[parameters('expressRouteConnections')]", + "virtualHub": { + "id": "[parameters('virtualHubId')]" + } + } + }, + "expressRouteGateway_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "expressRouteGateway" + ] + }, + "expressRouteGateway_roleAssignments": { + "copy": { + "name": "expressRouteGateway_roleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + }, + 
"type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/expressRouteGateways/{0}', parameters('name'))]", + "name": "[guid(resourceId('Microsoft.Network/expressRouteGateways', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "properties": { + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "expressRouteGateway" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the ExpressRoute Gateway." 
+ }, + "value": "[resourceId('Microsoft.Network/expressRouteGateways', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the ExpressRoute Gateway was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the ExpressRoute Gateway." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('expressRouteGateway', '2023-04-01', 'full').location]" + } + } +} \ No newline at end of file diff --git a/avm/res/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep b/avm/res/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep new file mode 100644 index 0000000000..0e84400a01 --- /dev/null +++ b/avm/res/network/express-route-gateway/tests/e2e/defaults/dependencies.bicep @@ -0,0 +1,27 @@ +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the virtual Hub to create.') +param virtualHubName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.0.0.0/16' + virtualWan: { + id: virtualWan.id + } + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id diff --git a/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep new file mode 100644 index 0000000000..e17396d1b8 --- /dev/null 
+++ b/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep 
@@ -0,0 +1,60 @@ +targetScope = 'subscription' + +metadata name = 'Using only defaults' +metadata description = 'This instance deploys the module with the minimum set of required parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nergmin' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}' + virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}' + location: location + } +} +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableTelemetry: enableTelemetry + name: '${namePrefix}${serviceShort}001' + location: location + virtualHubId: nestedDependencies.outputs.virtualHubResourceId + + } +} 
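Review bot: The `params` block of `testDeployment` ends with a stray empty line before its closing `}`, and the `nestedDependencies` module's closing `}` runs straight into the `// ============== //` Test Execution banner with no separating blank line, unlike the Dependencies banner above it. The max (L54) and waf-aligned (L57) test files carry the same banner spacing. Drop the empty line inside `params` and add one after the module's `}` so the three files read the same.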
diff --git a/avm/res/network/express-route-gateway/tests/e2e/max/dependencies.bicep b/avm/res/network/express-route-gateway/tests/e2e/max/dependencies.bicep new file mode 100644 index 0000000000..acaa3b4df8 --- /dev/null +++ b/avm/res/network/express-route-gateway/tests/e2e/max/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the virtual Hub to create.') +param virtualHubName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.0.0.0/16' + virtualWan: { + id: virtualWan.id + } + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep new file mode 100644 index 0000000000..eeddc92c8e --- /dev/null +++ b/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep 
@@ -0,0 +1,77 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nergmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}' + virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}' + location: location + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableTelemetry: enableTelemetry + name: '${namePrefix}${serviceShort}001' + location: location + tags: { + 'hidden-title': 'This is visible in the resource name' + 
hello: 'world' + } + autoScaleConfigurationBoundsMin: 2 + autoScaleConfigurationBoundsMax: 3 + virtualHubId: nestedDependencies.outputs.virtualHubResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..acaa3b4df8 --- /dev/null +++ b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the virtual Hub to create.') +param virtualHubName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.0.0.0/16' + virtualWan: { + id: virtualWan.id + } + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
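Review bot: `lock: { kind: 'CanNotDelete' name: 'myCustomLockName' }` places a delete lock on the gateway under test while the workflow's `removeDeployment` input defaults to true, so the cleanup stage can only succeed if the shared removal logic strips locks before deleting the test resource group; that logic lives under `avm/utilities/pipelines`, outside this diff, and is worth confirming. The waf-aligned test (L57) sets the same lock. A short comment on the lock block, e.g. `// NOTE: cleanup relies on the pipeline removal step deleting this lock first`, would record the dependency for the next maintainer.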
diff --git a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..4879d459c8 --- /dev/null +++ b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,77 @@ +targetScope = 'subscription' + +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nergwaf' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}' + virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}' + location: location + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableTelemetry: enableTelemetry + name: '${namePrefix}${serviceShort}001' + location: location + tags: { + 'hidden-title': 'This is 
visible in the resource name' + hello: 'world' + } + autoScaleConfigurationBoundsMin: 2 + autoScaleConfigurationBoundsMax: 3 + virtualHubId: nestedDependencies.outputs.virtualHubResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/avm/res/network/express-route-gateway/version.json b/avm/res/network/express-route-gateway/version.json new file mode 100644 index 0000000000..04a0dd1a80 --- /dev/null +++ b/avm/res/network/express-route-gateway/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.5", + "pathFilters": [ + "./main.json" + ] +} From 1ed5ee6135fb8e51229879efaf5c965cd7fae531 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Thu, 16 Nov 2023 17:11:10 -0700 Subject: [PATCH 04/42] Added workflow --- .../avm.res.network.express-route-gateway.yml | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 .github/workflows/avm.res.network.express-route-gateway.yml diff --git a/.github/workflows/avm.res.network.express-route-gateway.yml b/.github/workflows/avm.res.network.express-route-gateway.yml new file mode 100644 index 0000000000..6997bce7ea --- /dev/null +++ b/.github/workflows/avm.res.network.express-route-gateway.yml 
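Review bot: The `testDeployment` parameters here are identical to the max test's — same tags, autoscale bounds, lock and `Reader` role assignment — so nothing in the file reflects the Well-Architected alignment its `metadata description` claims. A comment above `testDeployment` naming which settings are the WAF-relevant ones (presumably the `CanNotDelete` lock) would make the intent reviewable, e.g. `// WAF alignment: resource lock enabled; remaining settings mirror the max test`. The later commit in this series that removes the role assignment narrows the overlap but still does not document it.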
@@ -0,0 +1,81 @@ +name: "avm.res.network.express-route-gateway" + +on: + schedule: + - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.res.network.express-route-gateway.yml" + - "avm/res/network/express-route-gateway/**" + - "avm/utilities/pipelines/**" + - "!*/**/README.md" + +env: + modulePath: "avm/res/network/express-route-gateway" + workflowPath: ".github/workflows/avm.res.network.express-route-gateway.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get parameter file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + name: "Module" + needs: + - 
job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
\ No newline at end of file
From 6797bd93719b3a8972045c03e1c3aea136bddae5 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 16 Nov 2023 17:18:17 -0700
Subject: [PATCH 05/42] Updated NamePrefix
---
 .../express-route-gateway/tests/e2e/defaults/main.test.bicep | 3 ++-
 .../express-route-gateway/tests/e2e/max/main.test.bicep | 2 +-
 .../tests/e2e/waf-aligned/main.test.bicep | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
index e17396d1b8..313f56145b 100644
--- a/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/network/express-route-gateway/tests/e2e/defaults/main.test.bicep
@@ -21,7 +21,8 @@ param serviceShort string = 'nergmin'
 param enableTelemetry bool = true
 @description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
+param namePrefix string = '#_namePrefix_#'
+
 // ============ //
 // Dependencies //
diff --git a/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep
index eeddc92c8e..e7f942e9dc 100644
--- a/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep
+++ b/avm/res/network/express-route-gateway/tests/e2e/max/main.test.bicep
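Review bot: `uses: actions/checkout@v4` references the action by a mutable tag; pinning to a full commit SHA (`uses: actions/checkout@<commit-sha> # v4`, placeholder) removes the exposure to a moved tag, and the same applies to the managed-environment workflow ending at L64. `secrets: inherit` hands every repository secret to the called template workflow, which is acceptable for an in-repo reusable workflow but deserves a one-line comment stating that `avm.template.module.yml` is the intended sole consumer. Minor: `"${{ env.workflowPath}}"` and `"${{ needs.job_initialize_pipeline.outputs.modulePath}}"` lack the space before `}}` that the sibling expressions use.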
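Review bot: The extra `+` blank line added after `param namePrefix string = '#_namePrefix_#'` leaves two consecutive empty lines before the `// ============ //` banner, and the waf-aligned hunk on L60 adds the same line while the max hunk on L60 does not. Dropping the added blank line in both keeps the three test files consistent; the placeholder swap itself is fine.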
@@ -21,7 +21,7 @@ param serviceShort string = 'nergmax'
 param enableTelemetry bool = true
 @description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
+param namePrefix string = '#_namePrefix_#'
 // ============ //
 // Dependencies //
diff --git a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
index 4879d459c8..1687922fc0 100644
--- a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
@@ -21,7 +21,8 @@ param serviceShort string = 'nergwaf'
 param enableTelemetry bool = true
 @description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '[[namePrefix]]'
+param namePrefix string = '#_namePrefix_#'
+
 // ============ //
 // Dependencies //
From a7ef686293a72ae27bc2c2de4ef4d188f70bbf3d Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 16 Nov 2023 18:32:52 -0700
Subject: [PATCH 06/42] Added new line to workflow file
---
 .github/workflows/avm.res.network.express-route-gateway.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/avm.res.network.express-route-gateway.yml b/.github/workflows/avm.res.network.express-route-gateway.yml
index 6997bce7ea..7a0e195db6 100644
--- a/.github/workflows/avm.res.network.express-route-gateway.yml
+++ b/.github/workflows/avm.res.network.express-route-gateway.yml
@@ -78,4 +78,4 @@ jobs:
 workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
 moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
 modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
- secrets: inherit
\ No newline at end of file
+ secrets: inherit
From fa73f3c15d2898975c39731a41d09883508b6a9d Mon Sep 17 00:00:00 2001
From: arnoldna Date: Tue, 21 Nov 2023 08:39:41 -0700 Subject: [PATCH 07/42] Removed managed identity --- avm/res/network/express-route-gateway/README.md | 16 ---------------- .../tests/e2e/waf-aligned/dependencies.bicep | 10 ---------- .../tests/e2e/waf-aligned/main.test.bicep | 8 -------- 3 files changed, 34 deletions(-) diff --git a/avm/res/network/express-route-gateway/README.md b/avm/res/network/express-route-gateway/README.md index 8c86a790e5..8de1fbc892 100644 --- a/avm/res/network/express-route-gateway/README.md +++ b/avm/res/network/express-route-gateway/README.md @@ -211,13 +211,6 @@ module expressRouteGateway 'br/public:avm/res/network/express-route-gateway:' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] tags: { hello: 'world' 'hidden-title': 'This is visible in the resource name' @@ -264,15 +257,6 @@ module expressRouteGateway 'br/public:avm/res/network/express-route-gateway:", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, "tags": { "value": { "hello": "world", diff --git a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep index acaa3b4df8..cf53573850 100644 --- a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep +++ b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -7,14 +7,6 @@ param virtualHubName string @description('Optional. The location to deploy resources to.') param location string = resourceGroup().location -@description('Required. The name of the Managed Identity to create.') -param managedIdentityName string - -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location -} - resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { name: virtualWANName location: location 
@@ -34,5 +26,3 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = {
 @description('The resource ID of the created Virtual Hub.')
 output virtualHubResourceId string = virtualHub.id
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
index 1687922fc0..c61b8486a3 100644
--- a/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep
@@ -42,7 +42,6 @@ module nestedDependencies 'dependencies.bicep' = {
 virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
 virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
 location: location
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
 }
 }
 // ============== //
@@ -67,12 +66,5 @@ module testDeployment '../../../main.bicep' = {
 kind: 'CanNotDelete'
 name: 'myCustomLockName'
 }
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- principalType: 'ServicePrincipal'
- }
- ]
 }
 }
From 000179dfddd7a36c64a2963c93dddac30e58cec6 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Sat, 16 Dec 2023 11:56:31 -0700
Subject: [PATCH 08/42] Added managed-environment workflow
---
 .../avm.res.app.managed-environment.yml | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 .github/workflows/avm.res.app.managed-environment.yml
diff --git a/.github/workflows/avm.res.app.managed-environment.yml b/.github/workflows/avm.res.app.managed-environment.yml
new file mode 100644
index 0000000000..2dc84efaf7
--- /dev/null
+++ b/.github/workflows/avm.res.app.managed-environment.yml
@@ -0,0 +1,83 @@
+name: "avm.res.app.managed-environment"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.app.managed-environment.yml"
+ - "avm/res/key-vault/vault/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/key-vault/vault"
+ workflowPath: ".github/workflows/avm.res.app.managed-environment.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-20.04
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Module"
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit

From 0ec8db51cdcce12e0087dbe482c59cd0dd5e5105 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Fri, 19 Jan 2024 16:07:06 -0700
Subject: [PATCH 09/42] Added virtual-hub workflow

---
 .../workflows/avm.res.network.virtual-hub.yml | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 .github/workflows/avm.res.network.virtual-hub.yml

diff --git a/.github/workflows/avm.res.network.virtual-hub.yml b/.github/workflows/avm.res.network.virtual-hub.yml
new file mode 100644
index 0000000000..66759c1999
--- /dev/null
+++ b/.github/workflows/avm.res.network.virtual-hub.yml
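Review bot: The push-path filter and `modulePath` in this new workflow still point at the Key Vault module (`- "avm/res/key-vault/vault/**"` and `modulePath: "avm/res/key-vault/vault"`), which looks like a leftover from the workflow it was cloned from: as written, changes under `avm/res/app/managed-environment/` never trigger this workflow, and every run validates and deploys the Key Vault tests under the managed-environment name. Both values should read the managed-environment path, i.e. `- "avm/res/app/managed-environment/**"` in `paths` and `modulePath: "avm/res/app/managed-environment"` in `env`. The job also pins `runs-on: ubuntu-20.04` while the later workflows in this series use `ubuntu-latest`; worth aligning so one module's runner image does not quietly fall behind the others.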
@@ -0,0 +1,83 @@
+name: "avm.res.network.virtual-hub"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.network.virtual-hub.yml"
+ - "avm/res/network/virtual-hub/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/network/virtual-hub"
+ workflowPath: ".github/workflows/avm.res.network.virtual-hub.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit

From 923c412bc5ec3db83a1bf9622833ce6f08781070 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Fri, 16 Feb 2024 15:34:27 -0700
Subject: [PATCH 10/42] added virtual-wan workflow

---
 .../workflows/avm.res.network.virtual-wan.yml | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 .github/workflows/avm.res.network.virtual-wan.yml

diff --git a/.github/workflows/avm.res.network.virtual-wan.yml b/.github/workflows/avm.res.network.virtual-wan.yml
new file mode 100644
index 0000000000..f191e5009d
--- /dev/null
+++ b/.github/workflows/avm.res.network.virtual-wan.yml
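Review bot: `call-workflow-passing-data` hands `secrets: inherit` to the reusable template but declares no `permissions:` block, so the called workflow runs with whatever default `GITHUB_TOKEN` permissions the repository settings grant rather than an explicit least-privilege set; the `avm.res.sql.managed-instance` workflow added later in this series (PATCH 11) does declare `id-token: write` and `contents: write` on this same job, and `avm.res.network.virtual-wan.yml` (PATCH 10) has the same omission as this file. If the template signs in to Azure via OIDC it needs `id-token: write` from the caller and a caller without it fails at login; if it does not, the explicit grant in the sql workflow is wider than needed — I cannot see `avm.template.module.yml`, so please confirm which applies and give all four new callers the same minimal `permissions:` block. Minor: `workflowPath: "${{ env.workflowPath}}"` is missing the space before `}}`; the expression still evaluates, but the sibling `${{ env.modulePath }}` shows the intended form.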
@@ -0,0 +1,83 @@
+name: "avm.res.network.virtual-wan"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.network.virtual-wan.yml"
+ - "avm/res/network/virtual-wan/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/network/virtual-wan"
+ workflowPath: ".github/workflows/avm.res.network.virtual-wan.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit

From be9048417f3ce347f1753d5c4286c8e36b72d720 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 28 Mar 2024 16:27:55 -0600
Subject: [PATCH 11/42] SQL

---
 .../workflows/avm.res.sql.managed-instance | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 .github/workflows/avm.res.sql.managed-instance

diff --git a/.github/workflows/avm.res.sql.managed-instance b/.github/workflows/avm.res.sql.managed-instance
new file mode 100644
index 0000000000..54bb6be439
--- /dev/null
+++ b/.github/workflows/avm.res.sql.managed-instance
@@ -0,0 +1,85 @@
+name: "avm.res.sql.managed-instance"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.sql.managed-instance.yml"
+ - "avm/res/sql/managed-instance/**"
+ - "avm/utilities/pipelines/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/sql/managed-instance"
+ workflowPath: ".github/workflows/avm.res.sql.managed-instance.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit

From d7b68a7afc63705b5b275693a0150be2dd4bac65 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 28 Mar 2024 16:31:49 -0600
Subject: [PATCH 12/42] Updated name

---
 ....res.sql.managed-instance => avm.res.sql.managed-instance.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{avm.res.sql.managed-instance => avm.res.sql.managed-instance.yml} (100%)

diff --git a/.github/workflows/avm.res.sql.managed-instance b/.github/workflows/avm.res.sql.managed-instance.yml
similarity index 100%
rename from .github/workflows/avm.res.sql.managed-instance
rename to .github/workflows/avm.res.sql.managed-instance.yml

From 4b853a4cf0c485cb0b4546deaae10d3be402e3a2 Mon Sep 17 00:00:00 2001
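Review bot: `contents: write # For release tags` is granted to the whole reusable-workflow call, so the token carrying it is live for every step of every run, including the bi-weekly scheduled runs and the `push`-triggered test runs that presumably never publish a tag. If the template only needs write access in its publishing step, consider granting `contents: read` here and confining the write grant to that job inside the template, or at least extend the comment to name the step that depends on it; I cannot see `avm.template.module.yml`, so this is a question rather than a confirmed over-grant. The missing `.yml` extension on the new file is already corrected by PATCH 12, so nothing to raise there.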
From: arnoldna
Date: Sat, 30 Mar 2024 13:39:39 -0600
Subject: [PATCH 13/42] Initial commit

---
 .../authorization/role-assignment/main.bicep | 126 ++++++++++++++++++
 .../management-group/main.bicep | 74 ++++++++++
 .../role-assignment/resource-group/main.bicep | 78 +++++++++++
 .../role-assignment/subscription/main.bicep | 71 ++++++++++
 .../tests/e2e/mg.common/dependencies.bicep | 13 ++
 .../e2e/mg.common/interim.dependencies.bicep | 27 ++++
 .../tests/e2e/mg.common/main.test.bicep | 48 +++++++
 .../tests/e2e/mg.min/dependencies.bicep | 13 ++
 .../e2e/mg.min/interim.dependencies.bicep | 27 ++++
 .../tests/e2e/mg.min/main.test.bicep | 47 +++++++
 .../tests/e2e/rg.common/dependencies.bicep | 13 ++
 .../tests/e2e/rg.common/main.test.bicep | 54 ++++++++
 .../tests/e2e/rg.min/dependencies.bicep | 13 ++
 .../tests/e2e/rg.min/main.test.bicep | 53 ++++++++
 .../tests/e2e/sub.common/dependencies.bicep | 13 ++
 .../tests/e2e/sub.common/main.test.bicep | 52 ++++++++
 .../tests/e2e/sub.min/dependencies.bicep | 13 ++
 .../tests/e2e/sub.min/main.test.bicep | 51 +++++++
 .../role-assignment/version.json | 7 +
 19 files changed, 793 insertions(+)
 create mode 100644 avm/ptn/authorization/role-assignment/main.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/management-group/main.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/resource-group/main.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/subscription/main.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/version.json

diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep
new file mode 100644
index 0000000000..570818602f
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/main.bicep
@@ -0,0 +1,126 @@
+metadata name = 'Role Assignments (All scopes)'
+metadata description = 'This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'managementGroup'
+
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group.')
+param resourceGroupName string = ''
+
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = ''
+
+@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
+
+@sys.description('Optional. Location deployment metadata.')
+param location string = deployment().location
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableTelemetry bool = true
+
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
+ if (enableTelemetry) {
+ name: '46d3xbcp.ptn.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ outputs: {
+ telemetry: {
+ type: 'String'
+ value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+ }
+ }
+ }
+ }
+ }
+
+module roleAssignment_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
+ scope: managementGroup(managementGroupId)
+ params: {
+ roleDefinitionIdOrName: roleDefinitionIdOrName
+ principalId: principalId
+ managementGroupId: managementGroupId
+ description: !empty(description) ? description : ''
+ principalType: !empty(principalType) ? principalType : ''
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
+ conditionVersion: conditionVersion
+ condition: !empty(condition) ? condition : ''
+ }
+}
+
+module roleAssignment_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
+ scope: subscription(subscriptionId)
+ params: {
+ roleDefinitionIdOrName: roleDefinitionIdOrName
+ principalId: principalId
+ subscriptionId: subscriptionId
+ description: !empty(description) ? description : ''
+ principalType: !empty(principalType) ? principalType : ''
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
+ conditionVersion: conditionVersion
+ condition: !empty(condition) ? condition : ''
+ }
+}
+
+module roleAssignment_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
+ name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ roleDefinitionIdOrName: roleDefinitionIdOrName
+ principalId: principalId
+ subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
+ description: !empty(description) ? description : ''
+ principalType: !empty(principalType) ? principalType : ''
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
+ conditionVersion: conditionVersion
+ condition: !empty(condition) ? condition : ''
+ }
+}
+
+@sys.description('The GUID of the Role Assignment.')
+output name string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.name : roleAssignment_rg.outputs.name)
+
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.resourceId : roleAssignment_rg.outputs.resourceId)
+
+@sys.description('The scope this Role Assignment applies to.')
+output scope string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.scope : roleAssignment_rg.outputs.scope)

diff --git a/avm/ptn/authorization/role-assignment/management-group/main.bicep b/avm/ptn/authorization/role-assignment/management-group/main.bicep
new file mode 100644
index 0000000000..734718e8c1
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/management-group/main.bicep
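Review bot: The routing conditions leave one parameter combination unhandled: when `resourceGroupName` is set but `subscriptionId` is left empty, none of `roleAssignment_mg`, `roleAssignment_sub` or `roleAssignment_rg` is deployed, yet the `name`, `resourceId` and `scope` outputs fall through to `roleAssignment_rg.outputs.*`, so the deployment fails on an output of a module that was never deployed instead of rejecting the input up front. The parameter descriptions are the only guard this module has today, so `resourceGroupName` should state the dependency explicitly, e.g. `@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. Requires subscriptionId to be set as well; if both are provided, the module deploys at resource group level and assigns the provided RBAC role to the resource group.')`. Separately, `principalType` defaults to `''`, which the child modules turn into `null`; for a freshly created service principal or managed identity Azure recommends supplying the principal type so the assignment does not fail on directory replication lag — the e2e tests do set it, but a caller can easily omit it, so the parameter description is worth extending with that advice.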
@@ -0,0 +1,74 @@
+metadata name = 'Role Assignments (Management Group scope)'
+metadata description = 'This module deploys a Role Assignment at a Management Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'managementGroup'
+
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+
+@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(managementGroupId, roleDefinitionIdVar, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionIdVar
+ principalId: principalId
+ description: !empty(description) ? description : null
+ principalType: !empty(principalType) ? any(principalType) : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ condition: !empty(condition) ? condition : null
+ }
+}
+
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = roleAssignment.id
+
+@sys.description('The scope this Role Assignment applies to.')
+output scope string = az.resourceId('Microsoft.Management/managementGroups', managementGroupId)

diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.bicep b/avm/ptn/authorization/role-assignment/resource-group/main.bicep
new file mode 100644
index 0000000000..a92e5f4366
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/resource-group/main.bicep
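Review bot: `builtInRoleNames` resolves five of its six entries with the single-argument `subscriptionResourceId()` although this module is `targetScope = 'managementGroup'`, where there is no subscription context to resolve against; the `'Resource Policy Contributor'` entry already uses the tenant-level `/providers/Microsoft.Authorization/roleDefinitions/<guid>` form, which suggests the author hit exactly this. I would expect the other five to fail when deployed at management-group scope — please verify with an MG-scope deployment — and would build all of them with `tenantResourceId()` so the map is uniform, as below. A smaller point: any display name not in the map is passed straight through as `roleDefinitionId`, so a misspelled or unlisted name becomes an invalid resource ID at deployment time; the `roleDefinitionIdOrName` description should say that the supported display names are limited to the keys of this map.
```bicep
var builtInRoleNames = {
  Contributor: tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  Owner: tenantResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
  Reader: tenantResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
  'Resource Policy Contributor': tenantResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
  'Role Based Access Control Administrator (Preview)': tenantResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
  'User Access Administrator': tenantResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
// … unchanged: roleDefinitionIdVar, roleAssignment resource, outputs …
```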
@@ -0,0 +1,78 @@
+metadata name = 'Role Assignments (Resource Group scope)'
+metadata description = 'This module deploys a Role Assignment at a Resource Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'resourceGroup'
+
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param resourceGroupName string = resourceGroup().name
+
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param subscriptionId string = subscription().subscriptionId
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(subscriptionId, resourceGroupName, roleDefinitionIdVar, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionIdVar
+ principalId: principalId
+ description: !empty(description) ? description : null
+ principalType: !empty(principalType) ? any(principalType) : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ condition: !empty(condition) ? condition : null
+ }
+}
+
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = roleAssignment.id
+
+@sys.description('The name of the resource group the role assignment was applied at.')
+output resourceGroupName string = resourceGroup().name
+
+@sys.description('The scope this Role Assignment applies to.')
+output scope string = resourceGroup().id

diff --git a/avm/ptn/authorization/role-assignment/subscription/main.bicep b/avm/ptn/authorization/role-assignment/subscription/main.bicep
new file mode 100644
index 0000000000..dc15565083
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/subscription/main.bicep
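Review bot: `resourceGroupName` and `subscriptionId` do not influence where the role assignment is created: with `targetScope = 'resourceGroup'` the resource lands in whichever resource group the deployment targets, the two parameters are only folded into `guid(...)` for the assignment name, and the `scope` and `resourceGroupName` outputs come from `resourceGroup()` rather than from the inputs. A direct caller that passes values differing from the deployment scope therefore gets an assignment in a different place than the inputs suggest, with a deterministic name derived from the wrong scope. Either drop the two parameters or document the contract, e.g. `@sys.description('Optional. Name of the Resource Group the deployment targets. Used only to derive the deterministic assignment name and must match the deployment scope.')` and the equivalent for `subscriptionId`; `subscription/main.bicep` (next file in this patch) has the same pattern with its `subscriptionId` parameter. The parent `main.bicep` does pass matching values via `scope: resourceGroup(subscriptionId, resourceGroupName)`, so the exposure is limited to direct use of the child modules.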
@@ -0,0 +1,71 @@
+metadata name = 'Role Assignments (Subscription scope)'
+metadata description = 'This module deploys a Role Assignment at a Subscription scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'subscription'
+
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param subscriptionId string = subscription().subscriptionId
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+var builtInRoleNames = {
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(subscriptionId, roleDefinitionIdVar, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionIdVar
+ principalId: principalId
+ description: !empty(description) ? description : null
+ principalType: !empty(principalType) ? any(principalType) : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ condition: !empty(condition) ? condition : null
+ }
+}
+
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = roleAssignment.id
+@sys.description('The scope this Role Assignment applies to.')
+output scope string = subscription().id
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep
new file mode 100644
index 0000000000..d367770432
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId

diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
new file mode 100644
index 0000000000..b6b3cef622
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
@@ -0,0 +1,27 @@
+targetScope = 'subscription'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Required. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: managedIdentityName
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
new file mode 100644
index 0000000000..b69633dce1
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -0,0 +1,48 @@
+targetScope = 'managementGroup'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aramgcom'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+module nestedDependencies 'interim.dependencies.bicep' = {
+ scope: subscription('[[subscriptionId]]')
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ resourceGroupName: resourceGroupName
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../management-group/main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Backup Reader'
+ description: 'Role Assignment (management group scope)'
+ managementGroupId: last(split(managementGroup().id, '/'))
+ principalType: 'ServicePrincipal'
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep
new file mode 100644
index 0000000000..d367770432
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
new file mode 100644
index 0000000000..b6b3cef622
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
@@ -0,0 +1,27 @@
+targetScope = 'subscription'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Required. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: managedIdentityName
+ }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
new file mode 100644
index 0000000000..b8ffe5f99b
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -0,0 +1,47 @@
+targetScope = 'managementGroup'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aramgmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+module nestedDependencies 'interim.dependencies.bicep' = {
+ scope: subscription('[[subscriptionId]]')
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ resourceGroupName: resourceGroupName
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../management-group/main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ principalType: 'ServicePrincipal'
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep
new file mode 100644
index 0000000000..5681a89989
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
new file mode 100644
index 0000000000..0207ae8061
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'arargcom'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../resource-group/main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Backup Reader'
+ description: 'Role Assignment (resource group scope)'
+ principalType: 'ServicePrincipal'
+ resourceGroupName: resourceGroup.name
+ subscriptionId: subscription().subscriptionId
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep
new file mode 100644
index 0000000000..5681a89989
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
new file mode 100644
index 0000000000..c97e564478
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
@@ -0,0 +1,53 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'arargmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../resource-group/main.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ principalType: 'ServicePrincipal'
+ resourceGroupName: resourceGroup.name
+ subscriptionId: subscription().subscriptionId
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
new file mode 100644
index 0000000000..5681a89989
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
new file mode 100644
index 0000000000..29e07ef62f
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
@@ -0,0 +1,52 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'arasubcom'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../subscription/main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Backup Reader'
+ description: 'Role Assignment (subscription scope)'
+ principalType: 'ServicePrincipal'
+ subscriptionId: subscription().subscriptionId
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
new file mode 100644
index 0000000000..5681a89989
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
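Review bot: `roleDefinitionIdOrName: 'Backup Reader'` in the Test Execution block is handed to the subscription module, whose `builtInRoleNames` map (shown in the subscription/main.bicep hunk earlier on this page) resolves only Contributor, Owner, Reader, Role Based Access Control Administrator (Preview) and User Access Administrator; any other display name falls through `roleDefinitionIdVar` unchanged and is sent as `roleDefinitionId`, which the roleAssignments resource expects to be a full role definition resource ID. Unless that map is extended elsewhere in the series, this test and the sub.min test (`'Storage Queue Data Reader'`) would fail at deployment instead of validating the module. Use a name the map resolves, e.g. `roleDefinitionIdOrName: 'Reader'`, which is also the least-privilege choice for a smoke test, or pass the full ID via `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<role-definition-guid>')`. The mg.* and rg.* tests use the same names; whether they are affected depends on the management-group and resource-group module maps, which are not visible here.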
@@ -0,0 +1,13 @@
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
new file mode 100644
index 0000000000..552f4b998e
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -0,0 +1,51 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'arasubmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../subscription/main.bicep' = {
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ principalType: 'ServicePrincipal'
+ subscriptionId: subscription().subscriptionId
+ }
+}
diff --git a/avm/ptn/authorization/role-assignment/version.json b/avm/ptn/authorization/role-assignment/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
From 9ebef770a035d92dc5347109b0055f7d1ab0b46b Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Sat, 30 Mar 2024 13:45:54 -0600
Subject: [PATCH 14/42] Added subscription name output
---
 avm/ptn/authorization/role-assignment/subscription/main.bicep | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/avm/ptn/authorization/role-assignment/subscription/main.bicep b/avm/ptn/authorization/role-assignment/subscription/main.bicep
index dc15565083..3f0a10e4b0 100644
--- a/avm/ptn/authorization/role-assignment/subscription/main.bicep
+++ b/avm/ptn/authorization/role-assignment/subscription/main.bicep
@@ -67,5 +67,9 @@ output name string = roleAssignment.name
 @sys.description('The resource ID of the Role Assignment.')
 output resourceId string = roleAssignment.id
+
+@sys.description('The name of the resource group the role assignment was applied at.')
+output subscriptionName string = subscription().displayName
+
 @sys.description('The scope this Role Assignment applies to.')
 output scope string = subscription().id
From 2c2b3f4687dfd1bc22fe7a10627a60274085f7c6 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Sat, 30 Mar 2024 13:51:15 -0600
Subject: [PATCH 15/42] Updated location
---
 .../tests/e2e/mg.common/interim.dependencies.bicep | 1 +
 .../role-assignment/tests/e2e/mg.min/interim.dependencies.bicep | 1 +
 .../role-assignment/tests/e2e/rg.common/main.test.bicep | 1 +
 .../role-assignment/tests/e2e/rg.min/main.test.bicep | 1 +
 .../role-assignment/tests/e2e/sub.common/main.test.bicep | 1 +
 .../role-assignment/tests/e2e/sub.min/main.test.bicep | 1 +
 6 files changed, 6 insertions(+)
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
index b6b3cef622..55ada1deea 100644
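Review bot: The `@sys.description` on the new `subscriptionName` output in the PATCH 14 hunk says "resource group", but the value is `subscription().displayName`, so the generated README and any consumer reading the output metadata get the wrong scope. Suggest `@sys.description('The display name of the subscription the role assignment was applied at.')`. Since this module is the subscription-scope variant, the description should not mention resource groups at all.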
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep
@@ -20,6 +20,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: managedIdentityName
+ location: location
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
index b6b3cef622..55ada1deea 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep
@@ -20,6 +20,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: managedIdentityName
+ location: location
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
index 0207ae8061..e93a4279db 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
@@ -33,6 +33,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: location
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
index c97e564478..b87d010663 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
@@ -33,6 +33,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: location
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
index 29e07ef62f..899f78a952 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
@@ -33,6 +33,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: location
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 552f4b998e..7e88416983 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -33,6 +33,7 @@ module nestedDependencies 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: location
 }
 }
From bd9f5ff8b283018c38541076c2febcaac0247826 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Mon, 1 Apr 2024 10:07:14 -0600
Subject: [PATCH 16/42] Added version files and README
---
 .../authorization/role-assignment/README.md | 520 ++++++++++++++++++
 .../management-group/README.md | 133 +++++
 .../management-group/version.json | 7 +
 .../role-assignment/resource-group/README.md | 143 +++++
 .../resource-group/version.json | 7 +
 .../role-assignment/subscription/README.md | 134 +++++
 .../role-assignment/subscription/version.json | 7 +
 7 files changed, 951 insertions(+)
 create mode 100644 avm/ptn/authorization/role-assignment/README.md
 create mode 100644 avm/ptn/authorization/role-assignment/management-group/README.md
 create mode 100644 avm/ptn/authorization/role-assignment/management-group/version.json
 create mode 100644 avm/ptn/authorization/role-assignment/resource-group/README.md
 create mode 100644 avm/ptn/authorization/role-assignment/resource-group/version.json
 create mode 100644 avm/ptn/authorization/role-assignment/subscription/README.md
 create mode 100644 avm/ptn/authorization/role-assignment/subscription/version.json
diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md
new file mode 100644
index 0000000000..d5dd99648c
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/README.md
@@ -0,0 +1,520 @@
+# Role Assignments (All scopes) `[Microsoft.Authorization/roleAssignments]`
+
+This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Usage examples](#Usage-examples)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+- [Data Collection](#Data-Collection)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
+
+## Usage examples
+
+The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
+
+>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
+
+>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-assignment:`.
+
+- [Mg.Common](#example-1-mgcommon)
+- [Mg.Min](#example-2-mgmin)
+- [Rg.Common](#example-3-rgcommon)
+- [Rg.Min](#example-4-rgmin)
+- [Sub.Common](#example-5-subcommon)
+- [Sub.Min](#example-6-submin)
+
+### Example 1: _Mg.Common_
+
+

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Backup Reader' + // Non-required parameters + description: 'Role Assignment (management group scope)' + managementGroupId: '' + principalType: 'ServicePrincipal' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Backup Reader" + }, + // Non-required parameters + "description": { + "value": "Role Assignment (management group scope)" + }, + "managementGroupId": { + "value": "" + }, + "principalType": { + "value": "ServicePrincipal" + } + } +} +``` + +
+

+ +### Example 2: _Mg.Min_ + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Storage Queue Data Reader' + // Non-required parameters + principalType: 'ServicePrincipal' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Storage Queue Data Reader" + }, + // Non-required parameters + "principalType": { + "value": "ServicePrincipal" + } + } +} +``` + +
+

+ +### Example 3: _Rg.Common_ + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Backup Reader' + // Non-required parameters + description: 'Role Assignment (resource group scope)' + principalType: 'ServicePrincipal' + resourceGroupName: '' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Backup Reader" + }, + // Non-required parameters + "description": { + "value": "Role Assignment (resource group scope)" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ +### Example 4: _Rg.Min_ + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Storage Queue Data Reader' + // Non-required parameters + principalType: 'ServicePrincipal' + resourceGroupName: '' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Storage Queue Data Reader" + }, + // Non-required parameters + "principalType": { + "value": "ServicePrincipal" + }, + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ +### Example 5: _Sub.Common_ + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Backup Reader' + // Non-required parameters + description: 'Role Assignment (subscription scope)' + principalType: 'ServicePrincipal' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Backup Reader" + }, + // Non-required parameters + "description": { + "value": "Role Assignment (subscription scope)" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ +### Example 6: _Sub.Min_ + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Storage Queue Data Reader' + // Non-required parameters + principalType: 'ServicePrincipal' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Storage Queue Data Reader" + }, + // Non-required parameters + "principalType": { + "value": "ServicePrincipal" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. 
| +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". + +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableTelemetry` + +Enable telemetry via a Globally Unique Identifier (GUID). + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +Location deployment metadata. + +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. + +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. 
+ +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. + +- Required: No +- Type: string +- Default: `''` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `scope` | string | The scope this Role Assignment applies to. | + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. 
diff --git a/avm/ptn/authorization/role-assignment/management-group/README.md b/avm/ptn/authorization/role-assignment/management-group/README.md
new file mode 100644
index 0000000000..b4cf704aaa
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/management-group/README.md
@@ -0,0 +1,133 @@ +# Role Assignments (Management Group scope) `[Microsoft.Authorization/roleAssignments]` + +This module deploys a Role Assignment at a Management Group scope. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. 
| +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". + +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `managementGroupId` + +Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. + +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `scope` | string | The scope this Role Assignment applies to. 
|
+
+## Cross-referenced modules
+
+_None_
+
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
diff --git a/avm/ptn/authorization/role-assignment/management-group/version.json b/avm/ptn/authorization/role-assignment/management-group/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/management-group/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
diff --git a/avm/ptn/authorization/role-assignment/resource-group/README.md b/avm/ptn/authorization/role-assignment/resource-group/README.md
new file mode 100644
index 0000000000..623191bb79
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/resource-group/README.md
@@ -0,0 +1,143 @@ +# Role Assignments (Resource Group scope) `[Microsoft.Authorization/roleAssignments]` + +This module deploys a Role Assignment at a Resource Group scope. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. 
If not provided, will use the current scope for deployment. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". + +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `resourceGroupName` + +Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. + +- Required: No +- Type: string +- Default: `[resourceGroup().name]` + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. 
+
+- Required: No
+- Type: string
+- Default: `[subscription().subscriptionId]`
+
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The GUID of the Role Assignment. |
+| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. |
+| `resourceId` | string | The resource ID of the Role Assignment. |
+| `scope` | string | The scope this Role Assignment applies to. |
+
+## Cross-referenced modules
+
+_None_
+
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
diff --git a/avm/ptn/authorization/role-assignment/resource-group/version.json b/avm/ptn/authorization/role-assignment/resource-group/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/resource-group/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
diff --git a/avm/ptn/authorization/role-assignment/subscription/README.md b/avm/ptn/authorization/role-assignment/subscription/README.md
new file mode 100644
index 0000000000..d08fe38562
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/subscription/README.md 
@@ -0,0 +1,134 @@ +# Role Assignments (Subscription scope) `[Microsoft.Authorization/roleAssignments]` + +This module deploys a Role Assignment at a Subscription scope. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | +| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | +| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | +| [`description`](#parameter-description) | string | The description of the role assignment. | +| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | +| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. 
If not provided, will use the current scope for deployment. | + +### Parameter: `principalId` + +The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). + +- Required: Yes +- Type: string + +### Parameter: `roleDefinitionIdOrName` + +You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `conditionVersion` + +Version of the condition. Currently accepted value is "2.0". + +- Required: No +- Type: string +- Default: `'2.0'` +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `delegatedManagedIdentityResourceId` + +ID of the delegated managed identity resource. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `description` + +The description of the role assignment. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Default: `''` +- Allowed: + ```Bicep + [ + '' + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `subscriptionId` + +Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. + +- Required: No +- Type: string +- Default: `[subscription().subscriptionId]` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment. | +| `resourceId` | string | The resource ID of the Role Assignment. | +| `scope` | string | The scope this Role Assignment applies to. 
|
+| `subscriptionName` | string | The name of the resource group the role assignment was applied at. |
+
+## Cross-referenced modules
+
+_None_
+
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
diff --git a/avm/ptn/authorization/role-assignment/subscription/version.json b/avm/ptn/authorization/role-assignment/subscription/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/subscription/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}
From b4058d46c7b8e1b9b262e0925f1f31195007262a Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 12:54:38 -0600
Subject: [PATCH 17/42] Created main.jsons
---
.../authorization/role-assignment/main.json | 665 ++++++++++++++++++
.../management-group/main.json | 131 ++++
.../role-assignment/resource-group/main.json | 144 ++++
.../role-assignment/subscription/main.json | 137 ++++
4 files changed, 1077 insertions(+)
create mode 100644 avm/ptn/authorization/role-assignment/main.json
create mode 100644 avm/ptn/authorization/role-assignment/management-group/main.json
create mode 100644 avm/ptn/authorization/role-assignment/resource-group/main.json
create mode 100644 avm/ptn/authorization/role-assignment/subscription/main.json
diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json
new file mode 100644
index 0000000000..21371fb7a9
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/main.json
@@ -0,0 +1,665 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "7158698530515047734" + }, + "name": "Role Assignments (All scopes)", + "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription." + } + }, + "managementGroupId": { + "type": "string", + "defaultValue": "[managementGroup().name]", + "metadata": { + "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location deployment metadata." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.ptn.authorization-roleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + { + "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))]", + "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "roleDefinitionIdOrName": { + "value": "[parameters('roleDefinitionIdOrName')]" + }, + "principalId": { + "value": "[parameters('principalId')]" + }, + "managementGroupId": { + "value": "[parameters('managementGroupId')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", + "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", + "conditionVersion": { + 
"value": "[parameters('conditionVersion')]" + }, + "condition": "[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "11368561288445479452" + }, + "name": "Role Assignments (Management Group scope)", + "description": "This module deploys a Role Assignment at a Management Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "managementGroupId": { + "type": "string", + "defaultValue": "[managementGroup().name]", + "metadata": { + "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." 
+ } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), 
parameters('description'), null())]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." + }, + "value": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleAssignments', guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" + }, + "scope": { + "type": "string", + "metadata": { + "description": "The scope this Role Assignment applies to." 
+ }, + "value": "[resourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))]" + } + } + } + } + }, + { + "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))]", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "roleDefinitionIdOrName": { + "value": "[parameters('roleDefinitionIdOrName')]" + }, + "principalId": { + "value": "[parameters('principalId')]" + }, + "subscriptionId": { + "value": "[parameters('subscriptionId')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", + "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", + "conditionVersion": { + "value": "[parameters('conditionVersion')]" + }, + "condition": "[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "13644754829024725945" + }, + "name": "Role Assignments (Subscription scope)", + "description": "This module deploys a Role Assignment at a Subscription scope.", + 
"owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { 
+ "description": "The GUID of the Role Assignment." + }, + "value": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" + }, + "subscriptionName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the role assignment was applied at." + }, + "value": "[subscription().displayName]" + }, + "scope": { + "type": "string", + "metadata": { + "description": "The scope this Role Assignment applies to." + }, + "value": "[subscription().id]" + } + } + } + } + }, + { + "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))]", + "subscriptionId": "[parameters('subscriptionId')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "roleDefinitionIdOrName": { + "value": "[parameters('roleDefinitionIdOrName')]" + }, + "principalId": { + "value": "[parameters('principalId')]" + }, + "subscriptionId": { + "value": "[parameters('subscriptionId')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', ''))]", + "principalType": "[if(not(empty(parameters('principalType'))), createObject('value', parameters('principalType')), createObject('value', ''))]", + 
"delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), createObject('value', parameters('delegatedManagedIdentityResourceId')), createObject('value', ''))]", + "conditionVersion": { + "value": "[parameters('conditionVersion')]" + }, + "condition": "[if(not(empty(parameters('condition'))), createObject('value', parameters('condition')), createObject('value', ''))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "8818028054866879023" + }, + "name": "Role Assignments (Resource Group scope)", + "description": "This module deploys a Role Assignment at a Resource Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." 
+ } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" + } + } + ], + "outputs": { + "name": { + 
"type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." + }, + "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the role assignment was applied at." + }, + "value": "[resourceGroup().name]" + }, + "scope": { + "type": "string", + "metadata": { + "description": "The scope this Role Assignment applies to." + }, + "value": "[resourceGroup().id]" + } + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." 
+ }, + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." 
+ }, + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" + }, + "scope": { + "type": "string", + "metadata": { + "description": "The scope this Role Assignment applies to." 
+ }, + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-RoleAssignment-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.scope.value))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/role-assignment/management-group/main.json b/avm/ptn/authorization/role-assignment/management-group/main.json new file mode 100644 index 0000000000..ad89b38161 --- /dev/null +++ b/avm/ptn/authorization/role-assignment/management-group/main.json 
@@ -0,0 +1,131 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "11368561288445479452" + }, + "name": "Role Assignments (Management Group scope)", + "description": "This module deploys a Role Assignment at a Management Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "managementGroupId": { + "type": "string", + "defaultValue": "[managementGroup().name]", + "metadata": { + "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. 
Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "delegatedManagedIdentityResourceId": 
"[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The GUID of the Role Assignment." + }, + "value": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Role Assignment." + }, + "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleAssignments', guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" + }, + "scope": { + "type": "string", + "metadata": { + "description": "The scope this Role Assignment applies to." + }, + "value": "[resourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.json b/avm/ptn/authorization/role-assignment/resource-group/main.json new file mode 100644 index 0000000000..7a9dec2b2a --- /dev/null +++ b/avm/ptn/authorization/role-assignment/resource-group/main.json 
@@ -0,0 +1,144 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "8818028054866879023" + }, + "name": "Role Assignments (Resource Group scope)", + "description": "This module deploys a Role Assignment at a Resource Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. 
This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "principalType": 
"[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
+ "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]",
+ "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
+ "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]"
+ }
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The GUID of the Role Assignment."
+ },
+ "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the Role Assignment."
+ },
+ "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource group the role assignment was applied at."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "scope": {
+ "type": "string",
+ "metadata": {
+ "description": "The scope this Role Assignment applies to."
+ },
+ "value": "[resourceGroup().id]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/avm/ptn/authorization/role-assignment/subscription/main.json b/avm/ptn/authorization/role-assignment/subscription/main.json
new file mode 100644
index 0000000000..a0339da676
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/subscription/main.json
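Review bot: The `resourceGroupName` and `subscriptionId` parameters are described as naming the resource group "to assign the RBAC role to", but in the `resources` entry they are consumed only by `guid()` for the assignment name; the assignment carries no `scope`, so it lands in whatever resource group this template is deployed to, and the `resourceGroupName` and `scope` outputs read `resourceGroup()` rather than the parameters. Presumably the parent module sets the deployment scope from the same values, but since this file is generated from Bicep (`_generator`), the parameter descriptions in the Bicep source should state that the effective scope is the deployment target and that these values only feed the deterministic name, e.g. `"description": "Optional. Name of the Resource Group the role assignment is deployed to; used only to derive the assignment name, the effective scope is the deployment target."`. That matters because a value that differs from the deployment target does not fail the deployment, it silently produces a differently named assignment at the real scope. Separately, `builtInRoleNames` omits `Resource Policy Contributor`, which the management-group variant in the preceding hunk includes; if that is unintentional, a caller passing that display name at this scope has the raw name forwarded as `roleDefinitionId`. The subscription template in the next hunk has the same shape on both points.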
@@ -0,0 +1,137 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "13644754829024725945" + }, + "name": "Role Assignments (Subscription scope)", + "description": "This module deploys a Role Assignment at a Subscription scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. 
Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + }, + "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIdVar')]", + "principalId": "[parameters('principalId')]", + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", + 
"conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
+ "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]"
+ }
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The GUID of the Role Assignment."
+ },
+ "value": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the Role Assignment."
+ },
+ "value": "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId')))]"
+ },
+ "subscriptionName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource group the role assignment was applied at."
+ },
+ "value": "[subscription().displayName]"
+ },
+ "scope": {
+ "type": "string",
+ "metadata": {
+ "description": "The scope this Role Assignment applies to."
+ },
+ "value": "[subscription().id]"
+ }
+ }
+}
\ No newline at end of file
From e6542826ac1674bf2d491d4717df06dbf4db6021 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 13:11:10 -0600
Subject: [PATCH 18/42] Update codeowners
---
 .github/CODEOWNERS | 1 +
 .github/ISSUE_TEMPLATE/avm_module_issue.yml | 1 +
 .../avm.ptn.authorization.role-assignment.yml | 86 +++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 .github/workflows/avm.ptn.authorization.role-assignment.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 81832c9bba..eb0758bb19 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
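Review bot: The `subscriptionName` output's metadata description reads "The name of the resource group the role assignment was applied at." while its value is `subscription().displayName`; this looks copied from the resource-group template and should be `"description": "The name of the subscription the role assignment was applied at."`. As this main.json is compiled output (`_generator` is bicep), the fix belongs in the Bicep source this file is generated from, with the json regenerated so the `templateHash` stays consistent. A smaller documentation point: `principalType` defaults to empty and is emitted as null; because this pattern is likely to be used for freshly created service principals or managed identities, the parameter description could note that passing `ServicePrincipal` explicitly avoids the replication-delay failures Azure documents for newly created principals — confirm against the module README before adding.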
@@ -3,6 +3,7 @@
 /scripts/ @Azure/bicep-admins @Azure/avm-core-team-technical-bicep
 /avm/ @Azure/avm-core-team-technical-bicep
 /avm/utilities/ @Azure/avm-core-team-technical-bicep
+/avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
 #/avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep
 /avm/res/analysis-services/server/ @Azure/avm-res-analysisservices-server-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/api-management/service/ @Azure/avm-res-apimanagement-service-module-owners-bicep @Azure/avm-core-team-technical-bicep
diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
index 6696605d92..eef1cbbe63 100644
--- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml
+++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
@@ -44,6 +44,7 @@ body:
 # - "avm/ptn/avd-lza/session-hosts"
 # - "avm/ptn/security/security-center"
 # - "avm/res/aad/domain-service"
+ - "avm/ptn/authorization/role-assignments"
 - "avm/res/analysis-services/server"
 - "avm/res/api-management/service"
 - "avm/res/app-configuration/configuration-store"
diff --git a/.github/workflows/avm.ptn.authorization.role-assignment.yml b/.github/workflows/avm.ptn.authorization.role-assignment.yml
new file mode 100644
index 0000000000..69eb7747dd
--- /dev/null
+++ b/.github/workflows/avm.ptn.authorization.role-assignment.yml
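Review bot: The issue-template option added here is `avm/ptn/authorization/role-assignments` (plural), while the module path used everywhere else in this series is `avm/ptn/authorization/role-assignment` — the CODEOWNERS entry in the preceding hunk and the workflow `modulePath` later on this page. If issue routing or labelling keys off this string, issues filed against the module will not match its path; the line should read `- "avm/ptn/authorization/role-assignment"`. PATCH 21/42 below moves this entry to its sorted position but keeps the plural, so the same fix applies there.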
@@ -0,0 +1,86 @@ +name: "avm.ptn.authorization.role-assignment" + +on: + schedule: + - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.ptn.authorization.role-assignment.yml" + - "avm/res/analysis-services/server/**" + - "avm/utilities/pipelines/**" + - "!avm/utilities/pipelines/platform/**" + - "!*/**/README.md" + +env: + modulePath: "avm/res/analysis-services/server" + workflowPath: ".github/workflows/avm.ptn.authorization.role-assignment.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-latest + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get module test file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + 
##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
From 7c0a3c500828750107b6f69f60be6a35539c99e5 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 13:12:46 -0600
Subject: [PATCH 19/42] Added PTN workflow
---
 .../avm.ptn.authorization.role-assignment.yml | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 .github/workflows/avm.ptn.authorization.role-assignment.yml
diff --git a/.github/workflows/avm.ptn.authorization.role-assignment.yml b/.github/workflows/avm.ptn.authorization.role-assignment.yml
new file mode 100644
index 0000000000..69eb7747dd
--- /dev/null
+++ b/.github/workflows/avm.ptn.authorization.role-assignment.yml
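Review bot: `modulePath` and the `push.paths` entry in this new workflow still point at `avm/res/analysis-services/server`, so as committed the workflow named avm.ptn.authorization.role-assignment validates a different module and is not triggered by changes to this one; PATCH 20/42 on this page corrects both lines, so I only note it for this commit. Beyond that, `actions/checkout@v4` in job_initialize_pipeline references a mutable tag, and this job's outputs feed a call that receives `id-token: write`, `contents: write` and `secrets: inherit`; pinning the action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha> # v4`) narrows what a retagged or compromised action could reach through those credentials. The repo's other workflows on this page use the same `@v4` form (the deleted avm.res.sql.managed-instance.yml below, for instance), so this is a repo-wide hardening rather than something to block this PR on. The identical hunk is added again as a new file in PATCH 19/42 below with the same blob id, which suggests the series will not apply cleanly in order.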
@@ -0,0 +1,86 @@ +name: "avm.ptn.authorization.role-assignment" + +on: + schedule: + - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.ptn.authorization.role-assignment.yml" + - "avm/res/analysis-services/server/**" + - "avm/utilities/pipelines/**" + - "!avm/utilities/pipelines/platform/**" + - "!*/**/README.md" + +env: + modulePath: "avm/res/analysis-services/server" + workflowPath: ".github/workflows/avm.ptn.authorization.role-assignment.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-latest + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get module test file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + 
##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
From 787f824861a61e4b7829d6b026038ee026c9e371 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 15:37:36 -0600
Subject: [PATCH 20/42] Update yml
---
 .github/workflows/avm.ptn.authorization.role-assignment.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/avm.ptn.authorization.role-assignment.yml b/.github/workflows/avm.ptn.authorization.role-assignment.yml
index 69eb7747dd..c9ad828152 100644
--- a/.github/workflows/avm.ptn.authorization.role-assignment.yml
+++ b/.github/workflows/avm.ptn.authorization.role-assignment.yml
@@ -27,13 +27,13 @@ on:
 - ".github/actions/templates/avm-**"
 - ".github/workflows/avm.template.module.yml"
 - ".github/workflows/avm.ptn.authorization.role-assignment.yml"
- - "avm/res/analysis-services/server/**"
+ - "avm/ptn/authorization/role-assignment/**"
 - "avm/utilities/pipelines/**"
 - "!avm/utilities/pipelines/platform/**"
 - "!*/**/README.md"
 
 env:
- modulePath: "avm/res/analysis-services/server"
+ modulePath: "avm/ptn/authorization/role-assignment"
 workflowPath: ".github/workflows/avm.ptn.authorization.role-assignment.yml"
 
 concurrency:
From b56570bf0af57dd5782824a98066dfcfd27f3e53 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 15:40:34 -0600
Subject: [PATCH 21/42] Module updates
---
 .github/ISSUE_TEMPLATE/avm_module_issue.yml | 2 +-
 .../avm.ptn.authorization.role-assignment.yml | 4 +-
 .../avm.res.sql.managed-instance.yml | 85 -------------------
 3 files changed, 3 insertions(+), 88 deletions(-)
 delete mode 100644 .github/workflows/avm.res.sql.managed-instance.yml
diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
index eef1cbbe63..a640e04fa9 100644
--- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml
+++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
@@ -38,13 +38,13 @@ body:
 description: Which existing AVM module is this issue related to?
 options:
 - ""
+ - "avm/ptn/authorization/role-assignments"
 # - "avm/ptn/avd-lza/insights"
 # - "avm/ptn/avd-lza/management-plane"
 # - "avm/ptn/avd-lza/networking"
 # - "avm/ptn/avd-lza/session-hosts"
 # - "avm/ptn/security/security-center"
 # - "avm/res/aad/domain-service"
- - "avm/ptn/authorization/role-assignments"
 - "avm/res/analysis-services/server"
 - "avm/res/api-management/service"
 - "avm/res/app-configuration/configuration-store"
diff --git a/.github/workflows/avm.ptn.authorization.role-assignment.yml b/.github/workflows/avm.ptn.authorization.role-assignment.yml
index 69eb7747dd..c9ad828152 100644
--- a/.github/workflows/avm.ptn.authorization.role-assignment.yml
+++ b/.github/workflows/avm.ptn.authorization.role-assignment.yml
@@ -27,13 +27,13 @@ on:
 - ".github/actions/templates/avm-**"
 - ".github/workflows/avm.template.module.yml"
 - ".github/workflows/avm.ptn.authorization.role-assignment.yml"
- - "avm/res/analysis-services/server/**"
+ - "avm/ptn/authorization/role-assignment/**"
 - "avm/utilities/pipelines/**"
 - "!avm/utilities/pipelines/platform/**"
 - "!*/**/README.md"
 
 env:
- modulePath: "avm/res/analysis-services/server"
+ modulePath: "avm/ptn/authorization/role-assignment"
 workflowPath: ".github/workflows/avm.ptn.authorization.role-assignment.yml"
 
 concurrency:
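Review bot: This commit's diffstat deletes `.github/workflows/avm.res.sql.managed-instance.yml` (the hunk below), a workflow belonging to an unrelated module, while the subject is "Module updates" for the role-assignment pattern; unless the removal is deliberate, it silently drops the scheduled and push-triggered validation for that module and should be taken out of this commit. The workflow hunk here also repeats PATCH 20/42 verbatim, with the same `index 69eb7747dd..c9ad828152`, which looks like a rebase artifact rather than an intended change. The issue-template entry is moved to its sorted position but keeps the plural `role-assignments` spelling raised on the earlier hunk.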
diff --git a/.github/workflows/avm.res.sql.managed-instance.yml b/.github/workflows/avm.res.sql.managed-instance.yml
deleted file mode 100644
index 54bb6be439..0000000000
--- a/.github/workflows/avm.res.sql.managed-instance.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -name: "avm.res.sql.managed-instance" - -on: - schedule: - - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month) - workflow_dispatch: - inputs: - staticValidation: - type: boolean - description: "Execute static validation" - required: false - default: true - deploymentValidation: - type: boolean - description: "Execute deployment validation" - required: false - default: true - removeDeployment: - type: boolean - description: "Remove deployed module" - required: false - default: true - push: - branches: - - main - paths: - - ".github/actions/templates/avm-**" - - ".github/workflows/avm.template.module.yml" - - ".github/workflows/avm.res.sql.managed-instance.yml" - - "avm/res/sql/managed-instance/**" - - "avm/utilities/pipelines/**" - - "!*/**/README.md" - -env: - modulePath: "avm/res/sql/managed-instance" - workflowPath: ".github/workflows/avm.res.sql.managed-instance.yml" - -concurrency: - group: ${{ github.workflow }} - -jobs: - ########################### - # Initialize pipeline # - ########################### - job_initialize_pipeline: - runs-on: ubuntu-latest - name: "Initialize pipeline" - steps: - - name: "Checkout" - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: "Set input parameters to output variables" - id: get-workflow-param - uses: ./.github/actions/templates/avm-getWorkflowInput - with: - workflowPath: "${{ env.workflowPath}}" - - name: "Get module test file paths" - id: get-module-test-file-paths - uses: ./.github/actions/templates/avm-getModuleTestFiles - with: - modulePath: "${{ env.modulePath }}" - outputs: - workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} - moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} - psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} - modulePath: "${{ env.modulePath }}" - - ############################## - # Call reusable workflow # - ############################## - 
call-workflow-passing-data:
- name: "Run"
- permissions:
- id-token: write # For OIDC
- contents: write # For release tags
- needs:
- - job_initialize_pipeline
- uses: ./.github/workflows/avm.template.module.yml
- with:
- workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
- moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
- psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
- modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
- secrets: inherit
From ae62c7b264fd6b1c5f1852d706cdc1a73adbace0 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Wed, 10 Apr 2024 16:05:49 -0600
Subject: [PATCH 22/42] Updated tests
---
 .../authorization/role-assignment/ORPHANED.md | 4 ++
 .../authorization/role-assignment/README.md | 51 ++++++++++++++-----
 .../authorization/role-assignment/main.bicep | 2 +-
 .../tests/e2e/mg.common/main.test.bicep | 2 +
 .../tests/e2e/mg.min/main.test.bicep | 2 +
 .../tests/e2e/rg.common/main.test.bicep | 2 +
 .../tests/e2e/rg.min/main.test.bicep | 2 +
 .../tests/e2e/sub.common/main.test.bicep | 2 +
 .../tests/e2e/sub.min/main.test.bicep | 2 +
 9 files changed, 54 insertions(+), 15 deletions(-)
 create mode 100644 avm/ptn/authorization/role-assignment/ORPHANED.md
diff --git a/avm/ptn/authorization/role-assignment/ORPHANED.md b/avm/ptn/authorization/role-assignment/ORPHANED.md
new file mode 100644
index 0000000000..ef8fa911d2
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/ORPHANED.md
@@ -0,0 +1,4 @@
+⚠️THIS MODULE IS CURRENTLY ORPHANED.⚠️
+
+- Only security and bug fixes are being handled by the AVM core team at present.
+- If interested in becoming the module owner of this orphaned module (must be Microsoft FTE), please look for the related "orphaned module" GitHub issue [here](https://aka.ms/AVM/OrphanedModules)!
\ No newline at end of file
diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index d5dd99648c..38a8eb7d6b 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -1,5 +1,10 @@ # Role Assignments (All scopes) `[Microsoft.Authorization/roleAssignments]` +> ⚠️THIS MODULE IS CURRENTLY ORPHANED.⚠️ +> +> - Only security and bug fixes are being handled by the AVM core team at present. +> - If interested in becoming the module owner of this orphaned module (must be Microsoft FTE), please look for the related "orphaned module" GitHub issue [here](https://aka.ms/AVM/OrphanedModules)! + This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope. ## Navigation @@ -25,14 +30,17 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-assignment:`. -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) +- [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) +- [Role Assignments (Management Group scope)](#example-2-role-assignments-management-group-scope) +- [Role Assignments (Resource Group)](#example-3-role-assignments-resource-group) +- [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) +- [Role Assignments (Subscription scope)](#example-5-role-assignments-subscription-scope) +- [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) + +### Example 1: _Role Assignments (Management Group scope)_ + +This module deploys a Role Assignment at a Management Group scope using common parameters. -### Example 1: _Mg.Common_

@@ -89,7 +97,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 2: _Mg.Min_ +### Example 2: _Role Assignments (Management Group scope)_ + +This module deploys a Role Assignment at a Management Group scope using minimal parameters. +

@@ -138,7 +149,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 3: _Rg.Common_ +### Example 3: _Role Assignments (Resource Group)_ + +This module deploys a Role Assignment at a Resource Group scope using common parameters. +

@@ -199,7 +213,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Rg.Min_ +### Example 4: _Role Assignments (Resource Group)_ + +This module deploys a Role Assignment at a Resource Group scope using minimal parameters. +

@@ -256,7 +273,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 5: _Sub.Common_ +### Example 5: _Role Assignments (Subscription scope)_ + +This module deploys a Role Assignment at a Subscription scope using common parameters. +

@@ -313,7 +333,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 6: _Sub.Min_ +### Example 6: _Role Assignments (Subscription scope)_ + +This module deploys a Role Assignment at a Subscription scope using minimal parameters. +

@@ -384,7 +407,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: | [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | | [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | | [`description`](#parameter-description) | string | The description of the role assignment. | -| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`location`](#parameter-location) | string | Location deployment metadata. | | [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | | [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | @@ -445,7 +468,7 @@ The description of the role assignment. ### Parameter: `enableTelemetry` -Enable telemetry via a Globally Unique Identifier (GUID). +Enable/Disable usage telemetry for module. - Required: No - Type: bool diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep index 570818602f..97dd4310ce 100644 --- a/avm/ptn/authorization/role-assignment/main.bicep +++ b/avm/ptn/authorization/role-assignment/main.bicep @@ -48,7 +48,7 @@ param conditionVersion string = '2.0' ]) param principalType string = '' -@sys.description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +@sys.description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index b69633dce1..6b20b35ee8 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'managementGroup' +metadata name = 'Role Assignments (Management Group scope)' +metadata description = 'This module deploys a Role Assignment at a Management Group scope using common parameters.' // ========== // // Parameters // diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep index b8ffe5f99b..c012a662c8 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'managementGroup' +metadata name = 'Role Assignments (Management Group scope)' +metadata description = 'This module deploys a Role Assignment at a Management Group scope using minimal parameters.' // ========== // // Parameters // diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep index e93a4279db..1c40ceb805 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'subscription' +metadata name = 'Role Assignments (Resource Group)' +metadata description = 'This module deploys a Role Assignment at a Resource Group scope using common parameters.' // ========== // // Parameters // 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep index b87d010663..6646a645d7 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'subscription' +metadata name = 'Role Assignments (Resource Group)' +metadata description = 'This module deploys a Role Assignment at a Resource Group scope using minimal parameters.' // ========== // // Parameters // diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep index 899f78a952..51a409bcef 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'subscription' +metadata name = 'Role Assignments (Subscription scope)' +metadata description = 'This module deploys a Role Assignment at a Subscription scope using common parameters.' // ========== // // Parameters // diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep index 7e88416983..fe8043132d 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep @@ -1,4 +1,6 @@ targetScope = 'subscription' +metadata name = 'Role Assignments (Subscription scope)' +metadata description = 'This module deploys a Role Assignment at a Subscription scope using minimal parameters.' // ========== // // Parameters // From 4470844d3521c563b34726aedc20f13978818a1a Mon Sep 17 00:00:00 2001 
From: arnoldna Date: Wed, 10 Apr 2024 17:32:15 -0600 Subject: [PATCH 23/42] updated issue_template --- .github/ISSUE_TEMPLATE/avm_module_issue.yml | 2 +- avm/ptn/authorization/role-assignment/main.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 909801403f..1337b79724 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -38,7 +38,7 @@ body: description: Which existing AVM module is this issue related to? options: - "" - - "avm/ptn/authorization/role-assignments" + - "avm/ptn/authorization/role-assignment" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" # - "avm/ptn/avd-lza/networking" diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json index 21371fb7a9..ecfd9ce2eb 100644 --- a/avm/ptn/authorization/role-assignment/main.json +++ b/avm/ptn/authorization/role-assignment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "7158698530515047734" + "templateHash": "7711283427913589187" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", @@ -102,7 +102,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, From bb0c55ece036ceaefc3ce8dd2a90151e2ffadfa4 Mon Sep 17 00:00:00 2001 
From: arnoldna Date: Wed, 10 Apr 2024 17:49:11 -0600 Subject: [PATCH 24/42] updated location --- .../role-assignment/tests/e2e/mg.common/main.test.bicep | 6 +++--- .../role-assignment/tests/e2e/mg.min/main.test.bicep | 6 +++--- .../role-assignment/tests/e2e/rg.common/main.test.bicep | 8 ++++---- .../role-assignment/tests/e2e/rg.min/main.test.bicep | 8 ++++---- .../role-assignment/tests/e2e/sub.common/main.test.bicep | 8 ++++---- .../role-assignment/tests/e2e/sub.min/main.test.bicep | 8 ++++---- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index 6b20b35ee8..f8b99ebcd1 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep @@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Management Gr param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'aramgcom' @@ -26,11 +26,11 @@ param namePrefix string = '#_namePrefix_#' // ================= module nestedDependencies 'interim.dependencies.bicep' = { scope: subscription('[[subscriptionId]]') - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' resourceGroupName: resourceGroupName - location: location + location: resourceLocation } } 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep index c012a662c8..5251ea9321 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep @@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Management Gr param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'aramgmin' @@ -27,11 +27,11 @@ param namePrefix string = '#_namePrefix_#' // ================= module nestedDependencies 'interim.dependencies.bicep' = { scope: subscription('[[subscriptionId]]') - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' resourceGroupName: resourceGroupName - location: location + location: resourceLocation } } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep index 1c40ceb805..6ec71dab7e 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep 
@@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Resource Grou param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'arargcom' @@ -27,15 +27,15 @@ param namePrefix string = '#_namePrefix_#' // ================= resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { name: resourceGroupName - location: location + location: resourceLocation } module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location + location: resourceLocation } } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep index 6646a645d7..2910bf66c5 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep 
@@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Resource Grou param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'arargmin' @@ -27,15 +27,15 @@ param namePrefix string = '#_namePrefix_#' // ================= resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { name: resourceGroupName - location: location + location: resourceLocation } module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location + location: resourceLocation } } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep index 51a409bcef..9f489dcdd2 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep 
@@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Subscription param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'arasubcom' @@ -27,15 +27,15 @@ param namePrefix string = '#_namePrefix_#' // ================= resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { name: resourceGroupName - location: location + location: resourceLocation } module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location + location: resourceLocation } } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep index fe8043132d..3be8ece426 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep 
@@ -11,7 +11,7 @@ metadata description = 'This module deploys a Role Assignment at a Subscription param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg' @description('Optional. The location to deploy resources to.') -param location string = deployment().location +param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'arasubmin' @@ -27,15 +27,15 @@ param namePrefix string = '#_namePrefix_#' // ================= resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { name: resourceGroupName - location: location + location: resourceLocation } module nestedDependencies 'dependencies.bicep' = { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-nestedDependencies' + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - location: location + location: resourceLocation } } From 04d4071a61b2a8f9e8afccf8d9db2a3a0fcc9855 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Thu, 11 Apr 2024 10:13:19 -0600 Subject: [PATCH 25/42] Updated tests --- .../role-assignment/tests/e2e/mg.common/main.test.bicep | 3 ++- .../role-assignment/tests/e2e/mg.min/main.test.bicep | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index f8b99ebcd1..24f0521abf 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep 
@@ -38,7 +38,7 @@ module nestedDependencies 'interim.dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../management-group/main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { principalId: nestedDependencies.outputs.managedIdentityPrincipalId @@ -46,5 +46,6 @@ module testDeployment '../../../management-group/main.bicep' = { description: 'Role Assignment (management group scope)' managementGroupId: last(split(managementGroup().id, '/')) principalType: 'ServicePrincipal' + location: resourceLocation } } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep index 5251ea9321..c7f23909a3 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep @@ -39,11 +39,12 @@ module nestedDependencies 'interim.dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../management-group/main.bicep' = { +module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { principalId: nestedDependencies.outputs.managedIdentityPrincipalId roleDefinitionIdOrName: 'Storage Queue Data Reader' principalType: 'ServicePrincipal' + location: resourceLocation } } From 668472ef86b0c787440664e4749d7d309ff80fe8 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Thu, 11 Apr 2024 10:44:21 -0600 Subject: [PATCH 26/42] Updated readme --- avm/ptn/authorization/role-assignment/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index 38a8eb7d6b..a8c763be7d 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md 
@@ -55,6 +55,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: roleDefinitionIdOrName: 'Backup Reader' // Non-required parameters description: 'Role Assignment (management group scope)' + location: '' managementGroupId: '' principalType: 'ServicePrincipal' } @@ -84,6 +85,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "description": { "value": "Role Assignment (management group scope)" }, + "location": { + "value": "" + }, "managementGroupId": { "value": "" }, @@ -114,6 +118,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: principalId: '' roleDefinitionIdOrName: 'Storage Queue Data Reader' // Non-required parameters + location: '' principalType: 'ServicePrincipal' } } @@ -139,6 +144,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "Storage Queue Data Reader" }, // Non-required parameters + "location": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" } From 16858c27cd1cd0c1a149af1a55a62a07c998b110 Mon Sep 17 00:00:00 2001 
From: arnoldna Date: Thu, 11 Apr 2024 16:52:54 -0600 Subject: [PATCH 27/42] Replaced broken test, updated readme --- .../authorization/role-assignment/README.md | 28 +++++++++---------- .../authorization/role-assignment/main.bicep | 4 +-- .../authorization/role-assignment/main.json | 22 +++++++-------- .../management-group/README.md | 4 +-- .../management-group/main.bicep | 3 +- .../management-group/main.json | 7 +++-- .../role-assignment/resource-group/README.md | 7 ++--- .../role-assignment/resource-group/main.bicep | 4 +-- .../role-assignment/resource-group/main.json | 5 ++-- .../role-assignment/subscription/README.md | 4 +-- .../role-assignment/subscription/main.bicep | 2 +- .../role-assignment/subscription/main.json | 4 +-- .../tests/e2e/mg.common/main.test.bicep | 2 +- .../tests/e2e/mg.min/main.test.bicep | 2 +- .../tests/e2e/rg.common/main.test.bicep | 2 +- .../tests/e2e/rg.min/main.test.bicep | 2 +- .../tests/e2e/sub.common/main.test.bicep | 2 +- .../tests/e2e/sub.min/main.test.bicep | 2 +- 18 files changed, 53 insertions(+), 53 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index a8c763be7d..8a50b77dfd 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -52,7 +52,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Backup Reader' + roleDefinitionIdOrName: 'Management Group Reader' // Non-required parameters description: 'Role Assignment (management group scope)' location: '' @@ -79,7 +79,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Backup Reader" + "value": "Management Group Reader" }, // Non-required parameters "description": { 
@@ -116,7 +116,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' + roleDefinitionIdOrName: 'Resource Policy Contributor' // Non-required parameters location: '' principalType: 'ServicePrincipal' @@ -141,7 +141,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" + "value": "Resource Policy Contributor" }, // Non-required parameters "location": { @@ -172,7 +172,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Backup Reader' + roleDefinitionIdOrName: 'Reader' // Non-required parameters description: 'Role Assignment (resource group scope)' principalType: 'ServicePrincipal' @@ -199,7 +199,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Backup Reader" + "value": "Reader" }, // Non-required parameters "description": { @@ -236,7 +236,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' // Non-required parameters principalType: 'ServicePrincipal' resourceGroupName: '' @@ -262,7 +262,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" + "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" }, // Non-required parameters "principalType": { 
@@ -296,7 +296,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Backup Reader' + roleDefinitionIdOrName: 'Reader' // Non-required parameters description: 'Role Assignment (subscription scope)' principalType: 'ServicePrincipal' @@ -322,7 +322,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Backup Reader" + "value": "Reader" }, // Non-required parameters "description": { @@ -356,7 +356,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Storage Queue Data Reader' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' // Non-required parameters principalType: 'ServicePrincipal' subscriptionId: '' @@ -381,7 +381,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Storage Queue Data Reader" + "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" }, // Non-required parameters "principalType": { 
@@ -405,7 +405,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: | Parameter | Type | Description | | :-- | :-- | :-- | | [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** @@ -431,7 +431,7 @@ The Principal or Object ID of the Security Principal (User, Group, Service Princ ### Parameter: `roleDefinitionIdOrName` -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep index 97dd4310ce..76a924f393 100644 --- a/avm/ptn/authorization/role-assignment/main.bicep +++ b/avm/ptn/authorization/role-assignment/main.bicep 
@@ -4,7 +4,7 @@ metadata owner = 'Azure/module-maintainers' targetScope = 'managementGroup' -@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +@sys.description('Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleDefinitionIdOrName string @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).') @@ -53,7 +53,7 @@ param enableTelemetry bool = true resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { - name: '46d3xbcp.ptn.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + name: '46d3xbcp.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' properties: { mode: 'Incremental' template: { diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json index ecfd9ce2eb..e0c747f09f 100644 --- a/avm/ptn/authorization/role-assignment/main.json +++ b/avm/ptn/authorization/role-assignment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "7711283427913589187" + "templateHash": "13872639979577480238" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", 
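Review bot: The new description for `roleDefinitionIdOrName` says a display name "must be configured in the variable `builtInRoleNames`", but nothing enforces it: the compiled lookup in this commit's main.json hunk (`roleDefinitionIdVar`) forwards any string not found in `builtInRoleNames` unchanged as the role definition id, so a mistyped role name is rejected only at deployment time by ARM, not by template validation. Because fully qualified ids are also accepted, `@allowed` cannot be used here, so the description should at least state that failure mode, e.g. append the sentence `Display names not present in \`builtInRoleNames\` are passed through unchanged and fail at deployment time.` to the `@sys.description` text. The same description string is duplicated in the README and main.json hunks of this commit and would need the same wording.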
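Review bot: The telemetry deployment name in the `avmTelemetry` resource drops its `ptn` segment (`46d3xbcp.authorization-roleassignment.` replaces `46d3xbcp.ptn.authorization-roleassignment.`), a change the commit message ("Replaced broken test, updated readme") does not mention. If the repository convention for pattern modules is the `46d3xbcp.ptn.<module>` prefix that the removed line used, this makes the module's telemetry indistinguishable from a resource module's and looks unintentional; please confirm against other `avm/ptn` modules or restore `name: '46d3xbcp.ptn.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'`. The compiled main.json in this commit carries the same renamed string and would need regenerating. The `avmTelemetry` resource body continues past the end of the hunk.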
@@ -15,7 +15,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -111,7 +111,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.ptn.authorization-roleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.authorization-roleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -164,7 +164,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "11368561288445479452" + "templateHash": "13039882721901146916" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", 
@@ -174,7 +174,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -244,7 +244,8 @@ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Management Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')]" }, "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" }, @@ -327,7 +328,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "13644754829024725945" + "templateHash": "16585133441538520821" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", 
@@ -337,7 +338,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -499,7 +500,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "8818028054866879023" + "templateHash": "11297620450852372708" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", @@ -509,7 +510,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -565,7 +566,6 @@ }, "principalType": { "type": "string", - "defaultValue": "", "allowedValues": [ "ServicePrincipal", "Group", diff --git a/avm/ptn/authorization/role-assignment/management-group/README.md b/avm/ptn/authorization/role-assignment/management-group/README.md index b4cf704aaa..6ac0b818ac 100644 --- a/avm/ptn/authorization/role-assignment/management-group/README.md 
+++ b/avm/ptn/authorization/role-assignment/management-group/README.md @@ -23,7 +23,7 @@ This module deploys a Role Assignment at a Management Group scope. | Parameter | Type | Description | | :-- | :-- | :-- | | [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** @@ -45,7 +45,7 @@ The Principal or Object ID of the Security Principal (User, Group, Service Princ ### Parameter: `roleDefinitionIdOrName` -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/avm/ptn/authorization/role-assignment/management-group/main.bicep b/avm/ptn/authorization/role-assignment/management-group/main.bicep index 734718e8c1..ba2bf1730e 100644 --- a/avm/ptn/authorization/role-assignment/management-group/main.bicep +++ b/avm/ptn/authorization/role-assignment/management-group/main.bicep 
@@ -4,7 +4,7 @@ metadata owner = 'Azure/module-maintainers'
 targetScope = 'managementGroup'
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@sys.description('Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleDefinitionIdOrName string
 @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
@@ -46,6 +46,7 @@ var builtInRoleNames = {
 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Management Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')
 }
 var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
diff --git a/avm/ptn/authorization/role-assignment/management-group/main.json b/avm/ptn/authorization/role-assignment/management-group/main.json
index ad89b38161..d757514886 100644
--- a/avm/ptn/authorization/role-assignment/management-group/main.json
+++ b/avm/ptn/authorization/role-assignment/management-group/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "11368561288445479452" + "templateHash": "13039882721901146916" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", @@ -15,7 +15,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -85,7 +85,8 @@ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Management Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')]" }, "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" }, 
diff --git a/avm/ptn/authorization/role-assignment/resource-group/README.md b/avm/ptn/authorization/role-assignment/resource-group/README.md index 623191bb79..4c967cdc56 100644 --- a/avm/ptn/authorization/role-assignment/resource-group/README.md +++ b/avm/ptn/authorization/role-assignment/resource-group/README.md @@ -23,7 +23,7 @@ This module deploys a Role Assignment at a Resource Group scope. | Parameter | Type | Description | | :-- | :-- | :-- | | [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** @@ -46,7 +46,7 @@ The Principal or Object ID of the Security Principal (User, Group, Service Princ ### Parameter: `roleDefinitionIdOrName` -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string 
@@ -93,9 +93,8 @@ The description of the role assignment.
 The principal type of the assigned principal ID.
-- Required: No
+- Required: Yes
 - Type: string
-- Default: `''`
 - Allowed:
 ```Bicep
 [
diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.bicep b/avm/ptn/authorization/role-assignment/resource-group/main.bicep
index a92e5f4366..459bde3f99 100644
--- a/avm/ptn/authorization/role-assignment/resource-group/main.bicep
+++ b/avm/ptn/authorization/role-assignment/resource-group/main.bicep
@@ -4,7 +4,7 @@ metadata owner = 'Azure/module-maintainers'
 targetScope = 'resourceGroup'
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@sys.description('Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleDefinitionIdOrName string
 @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
@@ -40,7 +40,7 @@ param conditionVersion string = '2.0'
 'Device'
 ''
 ])
-param principalType string = ''
+param principalType string
 var builtInRoleNames = {
 Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.json b/avm/ptn/authorization/role-assignment/resource-group/main.json
index 7a9dec2b2a..8735f98e09 100644
--- a/avm/ptn/authorization/role-assignment/resource-group/main.json
+++ b/avm/ptn/authorization/role-assignment/resource-group/main.json
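Review bot: `param principalType string` is now mandatory, but the `@allowed` list it sits under still ends with `''`, so an empty principal type passes validation and the `Required: Yes` in the README hunk above does not actually make callers state one. If the intent is an explicit type — which is what keeps an assignment for a freshly created identity from failing on replication delay — drop that entry so `'Device'` is followed directly by `])`. The `@allowed([` opening this list starts outside the hunk; the same `defaultValue` removal appears in the resource-group `main.json` hunk at L259 and in the top-level `main.json` hunk at L253, where the `""` entry in `allowedValues` is presumably still present as well.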
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "8818028054866879023" + "templateHash": "11297620450852372708" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", @@ -15,7 +15,7 @@ "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, "principalId": { @@ -71,7 +71,6 @@ }, "principalType": { "type": "string", - "defaultValue": "", "allowedValues": [ "ServicePrincipal", "Group", diff --git a/avm/ptn/authorization/role-assignment/subscription/README.md b/avm/ptn/authorization/role-assignment/subscription/README.md index d08fe38562..b914a5e940 100644 --- a/avm/ptn/authorization/role-assignment/subscription/README.md +++ b/avm/ptn/authorization/role-assignment/subscription/README.md 
@@ -23,7 +23,7 @@ This module deploys a Role Assignment at a Subscription scope. | Parameter | Type | Description | | :-- | :-- | :-- | | [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | **Optional parameters** @@ -45,7 +45,7 @@ The Principal or Object ID of the Security Principal (User, Group, Service Princ ### Parameter: `roleDefinitionIdOrName` -You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. +You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - Required: Yes - Type: string diff --git a/avm/ptn/authorization/role-assignment/subscription/main.bicep b/avm/ptn/authorization/role-assignment/subscription/main.bicep index 3f0a10e4b0..2a41bc6b07 100644 --- a/avm/ptn/authorization/role-assignment/subscription/main.bicep +++ b/avm/ptn/authorization/role-assignment/subscription/main.bicep 
@@ -4,7 +4,7 @@ metadata owner = 'Azure/module-maintainers'
 targetScope = 'subscription'
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@sys.description('Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleDefinitionIdOrName string
 @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
diff --git a/avm/ptn/authorization/role-assignment/subscription/main.json b/avm/ptn/authorization/role-assignment/subscription/main.json
index a0339da676..c691525f55 100644
--- a/avm/ptn/authorization/role-assignment/subscription/main.json
+++ b/avm/ptn/authorization/role-assignment/subscription/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.54.24096",
- "templateHash": "13644754829024725945"
+ "templateHash": "16585133441538520821"
 },
 "name": "Role Assignments (Subscription scope)",
 "description": "This module deploys a Role Assignment at a Subscription scope.",
@@ -15,7 +15,7 @@
 "roleDefinitionIdOrName": {
 "type": "string",
 "metadata": {
- "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
 }
 },
 "principalId": {
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
index 24f0521abf..47cfa5ddcb 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -42,7 +42,7 @@ module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
+ roleDefinitionIdOrName: 'Management Group Reader'
 description: 'Role Assignment (management group scope)'
 managementGroupId: last(split(managementGroup().id, '/'))
 principalType: 'ServicePrincipal'
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index c7f23909a3..0fab7bbae8 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -43,7 +43,7 @@ module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ roleDefinitionIdOrName: 'Resource Policy Contributor'
 principalType: 'ServicePrincipal'
 location: resourceLocation
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
index 6ec71dab7e..d567701c91 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep
@@ -48,7 +48,7 @@ module testDeployment '../../../resource-group/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
+ roleDefinitionIdOrName: 'Reader'
 description: 'Role Assignment (resource group scope)'
 principalType: 'ServicePrincipal'
 resourceGroupName: resourceGroup.name
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
index 2910bf66c5..e12b4edee7 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
@@ -48,7 +48,7 @@ module testDeployment '../../../resource-group/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 principalType: 'ServicePrincipal'
 resourceGroupName: resourceGroup.name
 subscriptionId: subscription().subscriptionId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
index 9f489dcdd2..eb7a800906 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
@@ -47,7 +47,7 @@ module testDeployment '../../../subscription/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Backup Reader'
+ roleDefinitionIdOrName: 'Reader'
 description: 'Role Assignment (subscription scope)'
 principalType: 'ServicePrincipal'
 subscriptionId: subscription().subscriptionId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 3be8ece426..110d93fe37 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -47,7 +47,7 @@ module testDeployment '../../../subscription/main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Storage Queue Data Reader'
+ roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 principalType: 'ServicePrincipal'
 subscriptionId: subscription().subscriptionId
 }
From 90ae91b967f44a3962d915d4d5b46bf922aaa74b Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Thu, 11 Apr 2024 16:57:51 -0600
Subject: [PATCH 28/42] Updated telemetry module name
---
 avm/ptn/authorization/role-assignment/main.bicep | 2 +-
 avm/ptn/authorization/role-assignment/main.json | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep
index 76a924f393..df0ba53ddf 100644
--- a/avm/ptn/authorization/role-assignment/main.bicep
+++ b/avm/ptn/authorization/role-assignment/main.bicep
@@ -53,7 +53,7 @@ param enableTelemetry bool = true
 resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
- name: '46d3xbcp.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+ name: '46d3xbcp.ptn.authorization-roleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
 properties: {
 mode: 'Incremental'
 template: {
diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json
index e0c747f09f..50973ebaf1 100644
--- a/avm/ptn/authorization/role-assignment/main.json
+++ b/avm/ptn/authorization/role-assignment/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "13872639979577480238" + "templateHash": "10019154558804054319" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", @@ -111,7 +111,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.authorization-roleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.ptn.authorization-roleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { From 71ef2a6fc8d469171a8009db5e0fc335aef10f30 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Thu, 11 Apr 2024 18:06:47 -0600 Subject: [PATCH 29/42] Testing management group scope --- .../role-assignment/management-group/main.bicep | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/management-group/main.bicep b/avm/ptn/authorization/role-assignment/management-group/main.bicep index ba2bf1730e..2b8a35db29 100644 --- a/avm/ptn/authorization/role-assignment/management-group/main.bicep +++ b/avm/ptn/authorization/role-assignment/management-group/main.bicep 
@@ -40,13 +40,13 @@ param conditionVersion string = '2.0'
 param principalType string = ''
 var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Management Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')
+ // Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ // Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ // 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ // 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ // 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ // 'Management Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')
 }
 var roleDefinitionIdVar = (contains(builtInRoleNames, 
roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName) From 723be5662840b382862dd2eeaf818002dd23d677 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Thu, 11 Apr 2024 18:52:47 -0600 Subject: [PATCH 30/42] Updated scope --- avm/ptn/authorization/role-assignment/main.json | 6 +++--- .../role-assignment/management-group/main.bicep | 12 ++++++------ .../role-assignment/management-group/main.json | 4 ++-- .../tests/e2e/mg.common/main.test.bicep | 6 +++++- .../role-assignment/tests/e2e/mg.min/main.test.bicep | 5 ++++- 5 files changed, 20 insertions(+), 13 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json index 50973ebaf1..999d9919cf 100644 --- a/avm/ptn/authorization/role-assignment/main.json +++ b/avm/ptn/authorization/role-assignment/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "10019154558804054319" + "templateHash": "12858800540143057292" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", @@ -164,7 +164,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "13039882721901146916" + "templateHash": "13138890425764423619" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", 
@@ -240,7 +240,7 @@ "variables": { "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", diff --git a/avm/ptn/authorization/role-assignment/management-group/main.bicep b/avm/ptn/authorization/role-assignment/management-group/main.bicep index 2b8a35db29..b1a51d40f9 100644 --- a/avm/ptn/authorization/role-assignment/management-group/main.bicep +++ b/avm/ptn/authorization/role-assignment/management-group/main.bicep 
@@ -40,13 +40,13 @@ param conditionVersion string = '2.0'
 param principalType string = ''
 var builtInRoleNames = {
- // Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- // Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- // 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
- // 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- // 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- // 'Management Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Management Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')
 }
 var roleDefinitionIdVar = (contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName)
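Review bot: `Owner` now uses the tenant-level `/providers/...` path while the six re-enabled entries still go through `subscriptionResourceId(...)`, so the lookup table is inconsistent in a module declared with `targetScope = 'managementGroup'` (the L255 hunk). At that scope there is no deployment subscription for the one-argument `subscriptionResourceId` form to resolve against, so names other than `Owner` and `Resource Policy Contributor` presumably still fail at deploy time, and the compiled `builtInRoleNames` in both `main.json` hunks of this commit (L269, L271) carry the same mix. Express every entry the way those two already are, and say why with a comment above the table, since the next edit to this file will otherwise reintroduce the helper.

```bicep
var builtInRoleNames = {
  // Management-group deployments have no subscription context; use tenant-level role definition IDs here.
  Contributor: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
  Owner: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
  Reader: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
  'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
  'Role Based Access Control Administrator (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168'
  'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
  'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
}
// … unchanged: roleDefinitionIdVar lookup …
```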
diff --git a/avm/ptn/authorization/role-assignment/management-group/main.json b/avm/ptn/authorization/role-assignment/management-group/main.json index d757514886..ce6b8fe249 100644 --- a/avm/ptn/authorization/role-assignment/management-group/main.json +++ b/avm/ptn/authorization/role-assignment/management-group/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "13039882721901146916" + "templateHash": "13138890425764423619" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", @@ -81,7 +81,7 @@ "variables": { "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index 47cfa5ddcb..37deb97f45 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep 
@@ -18,6 +18,10 @@ param serviceShort string = 'aramgcom'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = ''
+
 // ============ //
 // Dependencies //
 // ============ //
@@ -25,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // General resources
 // =================
 module nestedDependencies 'interim.dependencies.bicep' = {
-  scope: subscription('[[subscriptionId]]')
+  scope: subscription('${subscriptionId}')
   name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
   params: {
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index 0fab7bbae8..c16c863277 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -19,6 +19,9 @@ param serviceShort string = 'aramgmin'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = ''
+
 // ============ //
 // Dependencies //
 // ============ //
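Review bot: `scope: subscription('${subscriptionId}')` wraps a single string parameter in an interpolation, which is exactly equivalent to `scope: subscription(subscriptionId)` and is what the Bicep linter's simplify-interpolation rule reports; the same form recurs in the mg.min hunk on the next line and in the later sub.common, sub.min and "mg.min copy" test files in this series. The new `param subscriptionId string = ''` is also not usable with its default: `subscription('')` is not a valid scope, so a run that does not pass a value fails at deployment rather than at validation — either drop the default so the parameter is required, or give it a token the pipeline substitutes (the follow-up "Upgraded tests" commit switches to `'#_subscriptionId_#'`). A one-line addition to the `@description`, such as "Must be supplied by the test pipeline; the empty default is not deployable.", would make that contract explicit to whoever runs the test by hand.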
@@ -26,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // General resources
 // =================
 module nestedDependencies 'interim.dependencies.bicep' = {
-  scope: subscription('[[subscriptionId]]')
+  scope: subscription('${subscriptionId}')
   name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
   params: {
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'

From dd8a0a01e87778a555acd4ec10bfeb07ecb794b3 Mon Sep 17 00:00:00 2001
From: arnoldna
Date: Fri, 12 Apr 2024 10:54:52 -0600
Subject: [PATCH 31/42] Upgraded tests

---
 .../tests/e2e/mg.common/main.test.bicep | 2 +-
 .../tests/e2e/mg.min copy/dependencies.bicep | 13 +++++
 .../mg.min copy/interim.dependencies.bicep | 28 ++++++++++
 .../tests/e2e/mg.min copy/main.test.bicep | 54 +++++++++++++++++++
 .../tests/e2e/mg.min/main.test.bicep | 2 +-
 .../tests/e2e/sub.common/dependencies.bicep | 6 +-
 .../e2e/sub.common/interim.dependencies.bicep | 28 ++++++++++
 .../tests/e2e/sub.common/main.test.bicep | 29 ++++++---
 .../tests/e2e/sub.min/dependencies.bicep | 6 +-
 .../e2e/sub.min/interim.dependencies.bicep | 28 ++++++++++
 .../tests/e2e/sub.min/main.test.bicep | 22 ++++---
 11 files changed, 190 insertions(+), 28 deletions(-)
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep
 create mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep

diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
index 37deb97f45..070bbfe96f 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -20,7 +20,7 @@ param serviceShort string = 'aramgcom'
 param namePrefix string = '#_namePrefix_#'
 
 @description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
-param subscriptionId string = ''
+param subscriptionId string = '#_subscriptionId_#'
 
 // ============ //
 // Dependencies //
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep
new file mode 100644
index 0000000000..d367770432
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: managedIdentityName
+  location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep
new file mode 100644
index 0000000000..55ada1deea
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep
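Review bot: The new `tests/e2e/mg.min copy/` directory (with a space in its name) looks like an accidental leftover from copying a test folder rather than a scenario: this `dependencies.bicep` carries the same blob id (`d367770432`) as the `sub.min` and `sub.common` versions, its `interim.dependencies.bicep` matches theirs (`55ada1deea`), and its `main.test.bicep` two hunks below has the same blob id (`39de0c3400`) as the updated `sub.min/main.test.bicep`, including `serviceShort = 'arasubmin'` and the "Subscription scope" metadata. If the workflow's test discovery enumerates every `tests/e2e/*/main.test.bicep`, this folder would run as an extra case that duplicates `sub.min` and collides with it on the `serviceShort`-derived resource names. The folder should be removed in this commit rather than left for a later cleanup (the diffstat of the later "Updated structure" commit shows it being deleted).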
@@ -0,0 +1,28 @@
+targetScope = 'subscription'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Required. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+  params: {
+    managedIdentityName: managedIdentityName
+    location: location
+  }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep
new file mode 100644
index 0000000000..39de0c3400
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Role Assignments (Subscription scope)'
+metadata description = 'This module deploys a Role Assignment at a Subscription scope using minimal parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'arasubmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = '#_subscriptionId_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+module nestedDependencies 'interim.dependencies.bicep' = {
+  scope: subscription('${subscriptionId}')
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  params: {
+    managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+    resourceGroupName: resourceGroupName
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+    roleDefinitionIdOrName: 'Resource Policy Contributor'
+    principalType: 'ServicePrincipal'
+    location: resourceLocation
+    subscriptionId: subscriptionId
+  }
+}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index c16c863277..d468878b54 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -20,7 +20,7 @@ param serviceShort string = 'aramgmin'
 param namePrefix string = '#_namePrefix_#'
 
 @description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
-param subscriptionId string = ''
+param subscriptionId string = '#_subscriptionId_#'
 
 // ============ //
 // Dependencies //
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
index 5681a89989..d367770432 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep
@@ -1,9 +1,9 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
 @description('Optional. The location to deploy resources to.')
 param location string = resourceGroup().location
 
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
 resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
   name: managedIdentityName
   location: location
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep
new file mode 100644
index 0000000000..55ada1deea
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep
@@ -0,0 +1,28 @@
+targetScope = 'subscription'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Required. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+  params: {
+    managedIdentityName: managedIdentityName
+    location: location
+  }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
index eb7a800906..eadb2ab2e4 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
@@ -1,4 +1,4 @@
-targetScope = 'subscription'
+targetScope = 'managementGroup'
 metadata name = 'Role Assignments (Subscription scope)'
 metadata description = 'This module deploys a Role Assignment at a Subscription scope using common parameters.'
 
@@ -19,22 +19,32 @@ param serviceShort string = 'arasubcom'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = '#_subscriptionId_#'
+
 // ============ //
 // Dependencies //
 // ============ //
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
-  name: resourceGroupName
-  location: resourceLocation
-}
 
-module nestedDependencies 'dependencies.bicep' = {
-  scope: resourceGroup
+module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' ={
+  scope: subscription('${subscriptionId}')
+  name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup'
+  params: {
+    name: resourceGroupName
+    location: resourceLocation
+  }
+
+
+}
+module nestedDependencies 'interim.dependencies.bicep' = {
+  scope: subscription('${subscriptionId}')
   name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
   params: {
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+    resourceGroupName: resourceGroupName
     location: resourceLocation
   }
 }
@@ -43,13 +53,14 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../subscription/main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
     principalId: nestedDependencies.outputs.managedIdentityPrincipalId
     roleDefinitionIdOrName: 'Reader'
     description: 'Role Assignment (subscription scope)'
     principalType: 'ServicePrincipal'
-    subscriptionId: subscription().subscriptionId
+    location: resourceLocation
+    subscriptionId: subscriptionId
   }
 }
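Review bot: The test resource group is now created twice: the new `module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3'` deploys `resourceGroupName` into the target subscription, and `interim.dependencies.bicep` (added in this same commit and called right below it with the same `resourceGroupName`) declares its own `Microsoft.Resources/resourceGroups` resource with that name in that subscription. The two deployments have no dependency on each other, so they race on the same resource group; since the interim template already creates it, the `module resourceGroup` block can be removed outright, which also takes the `={` spacing and the two stray blank lines before its closing brace with it. `scope: subscription('${subscriptionId}')` on both modules simplifies to `scope: subscription(subscriptionId)`. The first hunk of this file switches `targetScope` to `'managementGroup'` while the metadata still reads "Subscription scope" — consistent with assigning at subscription scope through the management-group entry point, but a one-line comment above `targetScope` saying so would stop a later reader from "fixing" the metadata.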
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
index 5681a89989..d367770432 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep
@@ -1,9 +1,9 @@
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
 @description('Optional. The location to deploy resources to.')
 param location string = resourceGroup().location
 
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
 resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
   name: managedIdentityName
   location: location
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep
new file mode 100644
index 0000000000..55ada1deea
--- /dev/null
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep
@@ -0,0 +1,28 @@
+targetScope = 'subscription'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Required. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+  params: {
+    managedIdentityName: managedIdentityName
+    location: location
+  }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 110d93fe37..39de0c3400 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -1,4 +1,4 @@
-targetScope = 'subscription'
+targetScope = 'managementGroup'
 metadata name = 'Role Assignments (Subscription scope)'
 metadata description = 'This module deploys a Role Assignment at a Subscription scope using minimal parameters.'
 
@@ -19,22 +19,21 @@ param serviceShort string = 'arasubmin'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = '#_subscriptionId_#'
+
 // ============ //
 // Dependencies //
 // ============ //
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
-  name: resourceGroupName
-  location: resourceLocation
-}
-
-module nestedDependencies 'dependencies.bicep' = {
-  scope: resourceGroup
+module nestedDependencies 'interim.dependencies.bicep' = {
+  scope: subscription('${subscriptionId}')
   name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
   params: {
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+    resourceGroupName: resourceGroupName
     location: resourceLocation
   }
 }
@@ -43,12 +42,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
 
-module testDeployment '../../../subscription/main.bicep' = {
+module testDeployment '../../../main.bicep' = {
   name: '${uniqueString(deployment().name)}-test-${serviceShort}'
   params: {
     principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-    roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+    roleDefinitionIdOrName: 'Resource Policy Contributor'
     principalType: 'ServicePrincipal'
-    subscriptionId: subscription().subscriptionId
+    location: resourceLocation
+    subscriptionId: subscriptionId
   }
 }

From 42bd3f4869e345051852959dc719a167eb7d0940 Mon Sep 17 00:00:00 2001
From: arnoldna Date: Fri, 12 Apr 2024 10:58:50 -0600 Subject: [PATCH 32/42] Updated readme --- .../authorization/role-assignment/README.md | 89 ++++++++++++++++--- 1 file changed, 79 insertions(+), 10 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index 8a50b77dfd..80b557b440 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -31,11 +31,12 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-assignment:`. - [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) -- [Role Assignments (Management Group scope)](#example-2-role-assignments-management-group-scope) -- [Role Assignments (Resource Group)](#example-3-role-assignments-resource-group) +- [Role Assignments (Subscription scope)](#example-2-role-assignments-subscription-scope) +- [Role Assignments (Management Group scope)](#example-3-role-assignments-management-group-scope) - [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) -- [Role Assignments (Subscription scope)](#example-5-role-assignments-subscription-scope) +- [Role Assignments (Resource Group)](#example-5-role-assignments-resource-group) - [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) +- [Role Assignments (Subscription scope)](#example-7-role-assignments-subscription-scope) ### Example 1: _Role Assignments (Management Group scope)_ @@ -101,7 +102,67 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 2: _Role Assignments (Management Group scope)_ +### Example 2: _Role Assignments (Subscription scope)_ + +This module deploys a Role Assignment at a Subscription scope using minimal parameters. + + +

+ +via Bicep module + +```bicep +module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { + name: 'roleAssignmentDeployment' + params: { + // Required parameters + principalId: '' + roleDefinitionIdOrName: 'Resource Policy Contributor' + // Non-required parameters + location: '' + principalType: 'ServicePrincipal' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "principalId": { + "value": "" + }, + "roleDefinitionIdOrName": { + "value": "Resource Policy Contributor" + }, + // Non-required parameters + "location": { + "value": "" + }, + "principalType": { + "value": "ServicePrincipal" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Role Assignments (Management Group scope)_ This module deploys a Role Assignment at a Management Group scope using minimal parameters. @@ -157,7 +218,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 3: _Role Assignments (Resource Group)_ +### Example 4: _Role Assignments (Resource Group)_ This module deploys a Role Assignment at a Resource Group scope using common parameters. @@ -221,7 +282,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Role Assignments (Resource Group)_ +### Example 5: _Role Assignments (Resource Group)_ This module deploys a Role Assignment at a Resource Group scope using minimal parameters. @@ -281,7 +342,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 5: _Role Assignments (Subscription scope)_ +### Example 6: _Role Assignments (Subscription scope)_ This module deploys a Role Assignment at a Subscription scope using common parameters. @@ -299,6 +360,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: roleDefinitionIdOrName: 'Reader' // Non-required parameters description: 'Role Assignment (subscription scope)' + location: '' principalType: 'ServicePrincipal' subscriptionId: '' } @@ -328,6 +390,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "description": { "value": "Role Assignment (subscription scope)" }, + "location": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" }, @@ -341,7 +406,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 6: _Role Assignments (Subscription scope)_ +### Example 7: _Role Assignments (Subscription scope)_ This module deploys a Role Assignment at a Subscription scope using minimal parameters. @@ -356,8 +421,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleDefinitionIdOrName: 'Resource Policy Contributor' // Non-required parameters + location: '' principalType: 'ServicePrincipal' subscriptionId: '' } @@ -381,9 +447,12 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" + "value": "Resource Policy Contributor" }, // Non-required parameters + "location": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" }, From 06b9b4eb5aca97b3a37bd2d57c754aa29426ae38 Mon Sep 17 00:00:00 2001 
From: arnoldna Date: Fri, 12 Apr 2024 12:53:55 -0600 Subject: [PATCH 33/42] Updated structure. Added parameters --- .../authorization/role-assignment/README.md | 117 ++++---------- .../authorization/role-assignment/main.bicep | 6 +- .../management-group/README.md | 133 ---------------- .../management-group/main.json | 132 ---------------- .../management-group/version.json | 7 - .../management-group.bicep} | 0 .../resource-group.bicep} | 0 .../main.bicep => modules/subscription.bicep} | 0 .../role-assignment/resource-group/README.md | 142 ----------------- .../role-assignment/resource-group/main.json | 143 ------------------ .../resource-group/version.json | 7 - .../role-assignment/subscription/README.md | 134 ---------------- .../role-assignment/subscription/main.json | 137 ----------------- .../role-assignment/subscription/version.json | 7 - .../tests/e2e/mg.common/main.test.bicep | 1 + .../tests/e2e/mg.min copy/dependencies.bicep | 13 -- .../mg.min copy/interim.dependencies.bicep | 28 ---- .../tests/e2e/mg.min copy/main.test.bicep | 54 ------- .../tests/e2e/mg.min/main.test.bicep | 1 + .../tests/e2e/sub.common/main.test.bicep | 1 + .../tests/e2e/sub.min/main.test.bicep | 1 + 21 files changed, 34 insertions(+), 1030 deletions(-) delete mode 100644 avm/ptn/authorization/role-assignment/management-group/README.md delete mode 100644 avm/ptn/authorization/role-assignment/management-group/main.json delete mode 100644 avm/ptn/authorization/role-assignment/management-group/version.json rename avm/ptn/authorization/role-assignment/{management-group/main.bicep => modules/management-group.bicep} (100%) rename avm/ptn/authorization/role-assignment/{resource-group/main.bicep => modules/resource-group.bicep} (100%) rename avm/ptn/authorization/role-assignment/{subscription/main.bicep => modules/subscription.bicep} (100%) delete mode 100644 avm/ptn/authorization/role-assignment/resource-group/README.md delete mode 100644 
avm/ptn/authorization/role-assignment/resource-group/main.json delete mode 100644 avm/ptn/authorization/role-assignment/resource-group/version.json delete mode 100644 avm/ptn/authorization/role-assignment/subscription/README.md delete mode 100644 avm/ptn/authorization/role-assignment/subscription/main.json delete mode 100644 avm/ptn/authorization/role-assignment/subscription/version.json delete mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep delete mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep delete mode 100644 avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index 80b557b440..84b0bb151a 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md 
@@ -30,18 +30,14 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-assignment:`. -- [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) -- [Role Assignments (Subscription scope)](#example-2-role-assignments-subscription-scope) -- [Role Assignments (Management Group scope)](#example-3-role-assignments-management-group-scope) -- [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) -- [Role Assignments (Resource Group)](#example-5-role-assignments-resource-group) -- [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) -- [Role Assignments (Subscription scope)](#example-7-role-assignments-subscription-scope) - -### Example 1: _Role Assignments (Management Group scope)_ - -This module deploys a Role Assignment at a Management Group scope using common parameters. +- [Mg.Common](#example-1-mgcommon) +- [Mg.Min](#example-2-mgmin) +- [Rg.Common](#example-3-rgcommon) +- [Rg.Min](#example-4-rgmin) +- [Sub.Common](#example-5-subcommon) +- [Sub.Min](#example-6-submin) +### Example 1: _Mg.Common_

@@ -59,6 +55,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: location: '' managementGroupId: '' principalType: 'ServicePrincipal' + resourceGroupName: '' } } ``` @@ -92,68 +89,11 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "managementGroupId": { "value": "" }, - "principalType": { - "value": "ServicePrincipal" - } - } -} -``` - -
-

- -### Example 2: _Role Assignments (Subscription scope)_ - -This module deploys a Role Assignment at a Subscription scope using minimal parameters. - - -

- -via Bicep module - -```bicep -module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:' = { - name: 'roleAssignmentDeployment' - params: { - // Required parameters - principalId: '' - roleDefinitionIdOrName: 'Resource Policy Contributor' - // Non-required parameters - location: '' - principalType: 'ServicePrincipal' - subscriptionId: '' - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "principalId": { - "value": "" - }, - "roleDefinitionIdOrName": { - "value": "Resource Policy Contributor" - }, - // Non-required parameters - "location": { - "value": "" - }, "principalType": { "value": "ServicePrincipal" }, - "subscriptionId": { - "value": "" + "resourceGroupName": { + "value": "" } } } @@ -162,10 +102,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 3: _Role Assignments (Management Group scope)_ - -This module deploys a Role Assignment at a Management Group scope using minimal parameters. - +### Example 2: _Mg.Min_

@@ -181,6 +118,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: // Non-required parameters location: '' principalType: 'ServicePrincipal' + resourceGroupName: '' } } ``` @@ -210,6 +148,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: }, "principalType": { "value": "ServicePrincipal" + }, + "resourceGroupName": { + "value": "" } } } @@ -218,10 +159,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Role Assignments (Resource Group)_ - -This module deploys a Role Assignment at a Resource Group scope using common parameters. - +### Example 3: _Rg.Common_

@@ -282,10 +220,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 5: _Role Assignments (Resource Group)_ - -This module deploys a Role Assignment at a Resource Group scope using minimal parameters. - +### Example 4: _Rg.Min_

@@ -342,10 +277,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 6: _Role Assignments (Subscription scope)_ - -This module deploys a Role Assignment at a Subscription scope using common parameters. - +### Example 5: _Sub.Common_

@@ -362,6 +294,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: description: 'Role Assignment (subscription scope)' location: '' principalType: 'ServicePrincipal' + resourceGroupName: '' subscriptionId: '' } } @@ -396,6 +329,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "principalType": { "value": "ServicePrincipal" }, + "resourceGroupName": { + "value": "" + }, "subscriptionId": { "value": "" } @@ -406,10 +342,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 7: _Role Assignments (Subscription scope)_
-
-This module deploys a Role Assignment at a Subscription scope using minimal parameters.
-
+### Example 6: _Sub.Min_

@@ -425,6 +358,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: // Non-required parameters location: '' principalType: 'ServicePrincipal' + resourceGroupName: '' subscriptionId: '' } } @@ -456,6 +390,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "principalType": { "value": "ServicePrincipal" }, + "resourceGroupName": { + "value": "" + }, "subscriptionId": { "value": "" } diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep index df0ba53ddf..82c6d330b5 100644 --- a/avm/ptn/authorization/role-assignment/main.bicep +++ b/avm/ptn/authorization/role-assignment/main.bicep @@ -70,7 +70,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = } } -module roleAssignment_mg 'management-group/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) { +module roleAssignment_mg 'modules/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module' scope: managementGroup(managementGroupId) params: { @@ -85,7 +85,7 @@ module roleAssignment_mg 'management-group/main.bicep' = if (empty(subscriptionI } } -module roleAssignment_sub 'subscription/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) { +module roleAssignment_sub 'modules/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module' scope: subscription(subscriptionId) params: { 
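Review bot: All three `module` declarations now reference `modules/main.bicep`, yet the rename entries in this same patch move the per-scope templates to `modules/management-group.bicep`, `modules/resource-group.bicep` and `modules/subscription.bicep`, and no `modules/main.bicep` is added anywhere in the diff, so the `roleAssignment_mg` and `roleAssignment_sub` hunks here and the `roleAssignment_rg` hunk at `@@ -100,7 +100,7 @@` appear to point at a file that does not exist. A single Bicep file also cannot carry the management-group, subscription and resource-group `targetScope` at once, so even if such a file were added the three differing `scope:` expressions presumably could not all compile against it; the intended lines look like `module roleAssignment_mg 'modules/management-group.bicep' = ...`, `module roleAssignment_sub 'modules/subscription.bicep' = ...` and `module roleAssignment_rg 'modules/resource-group.bicep' = ...`. Separately, the unchanged guard conditions leave a non-empty `resourceGroupName` combined with an empty `subscriptionId` matching none of the three modules, so such a deployment would report success without creating any role assignment; if that is not intended, a parameter-level check or a note on `resourceGroupName` stating that `subscriptionId` is required alongside it would make the gap visible. The `params:` blocks of each module and the surrounding file run past the hunk boundaries.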
@@ -100,7 +100,7 @@ module roleAssignment_sub 'subscription/main.bicep' = if (!empty(subscriptionId) } } -module roleAssignment_rg 'resource-group/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) { +module roleAssignment_rg 'modules/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module' scope: resourceGroup(subscriptionId, resourceGroupName) params: { diff --git a/avm/ptn/authorization/role-assignment/management-group/README.md b/avm/ptn/authorization/role-assignment/management-group/README.md deleted file mode 100644 index 6ac0b818ac..0000000000 --- a/avm/ptn/authorization/role-assignment/management-group/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# Role Assignments (Management Group scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Management Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Data Collection](#Data-Collection) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`managementGroupId`](#parameter-managementgroupid) | string | Group ID of the Management Group to assign the RBAC role to. 
If not provided, will use the current scope for deployment. | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `managementGroupId` - -Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[managementGroup().name]` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. 
| -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | - -## Cross-referenced modules - -_None_ - -## Data Collection - -The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/role-assignment/management-group/main.json b/avm/ptn/authorization/role-assignment/management-group/main.json deleted file mode 100644 index ce6b8fe249..0000000000 --- a/avm/ptn/authorization/role-assignment/management-group/main.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "13138890425764423619" - }, - "name": "Role Assignments (Management Group scope)", - "description": "This module deploys a Role Assignment at a Management Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "managementGroupId": { - "type": "string", - "defaultValue": "[managementGroup().name]", - "metadata": { - "description": "Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Management Group Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ac63b705-f282-497d-ac71-919bf39d939d')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - 
"principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleAssignments', guid(parameters('managementGroupId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[resourceId('Microsoft.Management/managementGroups', parameters('managementGroupId'))]" - } - } -} \ No newline at end of file diff --git a/avm/ptn/authorization/role-assignment/management-group/version.json b/avm/ptn/authorization/role-assignment/management-group/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/avm/ptn/authorization/role-assignment/management-group/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} 
diff --git a/avm/ptn/authorization/role-assignment/management-group/main.bicep b/avm/ptn/authorization/role-assignment/modules/management-group.bicep
similarity index 100%
rename from avm/ptn/authorization/role-assignment/management-group/main.bicep
rename to avm/ptn/authorization/role-assignment/modules/management-group.bicep
diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.bicep b/avm/ptn/authorization/role-assignment/modules/resource-group.bicep
similarity index 100%
rename from avm/ptn/authorization/role-assignment/resource-group/main.bicep
rename to avm/ptn/authorization/role-assignment/modules/resource-group.bicep
diff --git a/avm/ptn/authorization/role-assignment/subscription/main.bicep b/avm/ptn/authorization/role-assignment/modules/subscription.bicep
similarity index 100%
rename from avm/ptn/authorization/role-assignment/subscription/main.bicep
rename to avm/ptn/authorization/role-assignment/modules/subscription.bicep
diff --git a/avm/ptn/authorization/role-assignment/resource-group/README.md b/avm/ptn/authorization/role-assignment/resource-group/README.md
deleted file mode 100644
index 4c967cdc56..0000000000
--- a/avm/ptn/authorization/role-assignment/resource-group/README.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# Role Assignments (Resource Group scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Resource Group scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Data Collection](#Data-Collection) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. 
| -| [`resourceGroupName`](#parameter-resourcegroupname) | string | Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `resourceGroupName` - -Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. 
- -- Required: No -- Type: string -- Default: `[resourceGroup().name]` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[subscription().subscriptionId]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. | -| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. | -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | - -## Cross-referenced modules - -_None_ - -## Data Collection - -The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/role-assignment/resource-group/main.json b/avm/ptn/authorization/role-assignment/resource-group/main.json deleted file mode 100644 index 8735f98e09..0000000000 --- a/avm/ptn/authorization/role-assignment/resource-group/main.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "11297620450852372708" - }, - "name": "Role Assignments (Resource Group scope)", - "description": "This module deploys a Role Assignment at a Resource Group scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." 
- } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": 
"[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role assignment was applied at." - }, - "value": "[resourceGroup().name]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[resourceGroup().id]" - } - } -} \ No newline at end of file diff --git a/avm/ptn/authorization/role-assignment/resource-group/version.json b/avm/ptn/authorization/role-assignment/resource-group/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/avm/ptn/authorization/role-assignment/resource-group/version.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/avm/ptn/authorization/role-assignment/subscription/README.md b/avm/ptn/authorization/role-assignment/subscription/README.md
deleted file mode 100644
index b914a5e940..0000000000
--- a/avm/ptn/authorization/role-assignment/subscription/README.md
+++ /dev/null
@@ -1,134 +0,0 @@ -# Role Assignments (Subscription scope) `[Microsoft.Authorization/roleAssignments]` - -This module deploys a Role Assignment at a Subscription scope. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Cross-referenced modules](#Cross-referenced-modules) -- [Data Collection](#Data-Collection) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | - -## Parameters - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). | -| [`roleDefinitionIdOrName`](#parameter-roledefinitionidorname) | string | You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`condition`](#parameter-condition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. | -| [`conditionVersion`](#parameter-conditionversion) | string | Version of the condition. Currently accepted value is "2.0". | -| [`delegatedManagedIdentityResourceId`](#parameter-delegatedmanagedidentityresourceid) | string | ID of the delegated managed identity resource. | -| [`description`](#parameter-description) | string | The description of the role assignment. | -| [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. 
| -| [`subscriptionId`](#parameter-subscriptionid) | string | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | - -### Parameter: `principalId` - -The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). - -- Required: Yes -- Type: string - -### Parameter: `roleDefinitionIdOrName` - -You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. - -- Required: Yes -- Type: string - -### Parameter: `condition` - -The conditions on the role assignment. This limits the resources it can be assigned to. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `conditionVersion` - -Version of the condition. Currently accepted value is "2.0". - -- Required: No -- Type: string -- Default: `'2.0'` -- Allowed: - ```Bicep - [ - '2.0' - ] - ``` - -### Parameter: `delegatedManagedIdentityResourceId` - -ID of the delegated managed identity resource. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `description` - -The description of the role assignment. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `principalType` - -The principal type of the assigned principal ID. - -- Required: No -- Type: string -- Default: `''` -- Allowed: - ```Bicep - [ - '' - 'Device' - 'ForeignGroup' - 'Group' - 'ServicePrincipal' - 'User' - ] - ``` - -### Parameter: `subscriptionId` - -Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. - -- Required: No -- Type: string -- Default: `[subscription().subscriptionId]` - - -## Outputs - -| Output | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The GUID of the Role Assignment. 
| -| `resourceId` | string | The resource ID of the Role Assignment. | -| `scope` | string | The scope this Role Assignment applies to. | -| `subscriptionName` | string | The name of the resource group the role assignment was applied at. | - -## Cross-referenced modules - -_None_ - -## Data Collection - -The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/role-assignment/subscription/main.json b/avm/ptn/authorization/role-assignment/subscription/main.json deleted file mode 100644 index c691525f55..0000000000 --- a/avm/ptn/authorization/role-assignment/subscription/main.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "16585133441538520821" - }, - "name": "Role Assignments (Subscription scope)", - "description": "This module deploys a Role Assignment at a Subscription scope.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. You can provide either the display name of the role definition (must be configured in the variable `builtInRoleNames`), or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. ID of the delegated managed identity resource." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." 
- } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition. Currently accepted value is \"2.0\"." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "name": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]", - "properties": { - "roleDefinitionId": "[variables('roleDefinitionIdVar')]", - "principalId": "[parameters('principalId')]", - "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - 
"delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." - }, - "value": "[guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId'))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[subscriptionResourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), variables('roleDefinitionIdVar'), parameters('principalId')))]" - }, - "subscriptionName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the role assignment was applied at." - }, - "value": "[subscription().displayName]" - }, - "scope": { - "type": "string", - "metadata": { - "description": "The scope this Role Assignment applies to." - }, - "value": "[subscription().id]" - } - } -} \ No newline at end of file diff --git a/avm/ptn/authorization/role-assignment/subscription/version.json b/avm/ptn/authorization/role-assignment/subscription/version.json deleted file mode 100644 index 7fa401bdf7..0000000000 --- a/avm/ptn/authorization/role-assignment/subscription/version.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] -} diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep index 070bbfe96f..b04b42ca9a 100644 
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -51,5 +51,6 @@ module testDeployment '../../../main.bicep' = {
 managementGroupId: last(split(managementGroup().id, '/'))
 principalType: 'ServicePrincipal'
 location: resourceLocation
+ resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep
deleted file mode 100644
index d367770432..0000000000
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/dependencies.bicep
+++ /dev/null
@@ -1,13 +0,0 @@
-@description('Optional. The location to deploy resources to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep
deleted file mode 100644
index 55ada1deea..0000000000
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/interim.dependencies.bicep
+++ /dev/null
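Review bot: The added `resourceGroupName: resourceGroupName` hands a resource group name to a management-group test that sets no subscriptionId, and under the module-selection conditions visible in main.bicep further down this page (`roleAssignment_mg` only when subscriptionId and resourceGroupName are both empty, `roleAssignment_sub` only when subscriptionId alone is set, `roleAssignment_rg` only when both are set) that combination selects no scope module at all, so the deployment would succeed without creating any role assignment and the test would pass vacuously. Those conditions are context lines of a later patch, so confirm they hold at this commit. The mg.min hunk (@@ -49,5 +49,6 @@) adds the same line and has the same problem. If the value is only needed by the dependency deployment, keep it out of the params passed to testDeployment; the testDeployment block itself begins before the hunk.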
@@ -1,28 +0,0 @@
-targetScope = 'subscription'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Required. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-nestedDependencies'
- params: {
- managedIdentityName: managedIdentityName
- location: location
- }
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = nestedDependencies.outputs.managedIdentityPrincipalId
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep
deleted file mode 100644
index 39de0c3400..0000000000
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min copy/main.test.bicep
+++ /dev/null
@@ -1,54 +0,0 @@
-targetScope = 'managementGroup'
-metadata name = 'Role Assignments (Subscription scope)'
-metadata description = 'This module deploys a Role Assignment at a Subscription scope using minimal parameters.'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignments-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arasubmin'
-
-@description('Optional. A token to inject into the name of each resource.')
-param namePrefix string = '#_namePrefix_#'
-
-@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
-param subscriptionId string = '#_subscriptionId_#'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-module nestedDependencies 'interim.dependencies.bicep' = {
- scope: subscription('${subscriptionId}')
- name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
- params: {
- managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
- resourceGroupName: resourceGroupName
- location: resourceLocation
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../../main.bicep' = {
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- principalId: nestedDependencies.outputs.managedIdentityPrincipalId
- roleDefinitionIdOrName: 'Resource Policy Contributor'
- principalType: 'ServicePrincipal'
- location: resourceLocation
- subscriptionId: subscriptionId
- }
-}
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index d468878b54..f91280625b 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -49,5 +49,6 @@ module testDeployment '../../../main.bicep' = {
 roleDefinitionIdOrName: 'Resource Policy Contributor'
 principalType: 'ServicePrincipal'
 location: resourceLocation
+ resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
index eadb2ab2e4..29eae8a4c0 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep
@@ -62,5 +62,6 @@ module testDeployment '../../../main.bicep' = {
 principalType: 'ServicePrincipal'
 location: resourceLocation
 subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 39de0c3400..9a5baf3c18 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -50,5 +50,6 @@ module testDeployment '../../../main.bicep' = {
 principalType: 'ServicePrincipal'
 location: resourceLocation
 subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
 }
 }
From 05a3577aabff183e23b8648fa60331d5dcca08fd Mon Sep 17 00:00:00 2001 From: arnoldna Date: Fri, 12 Apr 2024 14:38:38 -0600 Subject: [PATCH 34/42] Updated tests with correct path --- .../authorization/role-assignment/README.md | 50 ++++++++++++++----- .../authorization/role-assignment/main.bicep | 6 +-- .../authorization/role-assignment/main.json | 16 +++--- .../tests/e2e/rg.common/main.test.bicep | 25 ++++++---- .../tests/e2e/rg.min/main.test.bicep | 29 +++++++---- 5 files changed, 84 insertions(+), 42 deletions(-)
diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md
index 84b0bb151a..5c51617044 100644
--- a/avm/ptn/authorization/role-assignment/README.md
+++ b/avm/ptn/authorization/role-assignment/README.md
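Review bot: In both subscription-scope tests (sub.common @@ -62,5 +62,6 @@ and sub.min @@ -50,5 +50,6 @@) the added `resourceGroupName: resourceGroupName` sits next to a non-empty `subscriptionId`, and by the selection conditions shown in main.bicep further down this page that pair routes to `roleAssignment_rg` rather than `roleAssignment_sub`, so these tests would stop exercising subscription scope (the conditions are context lines of a later patch, so verify they hold at this commit). Unless resource-group coverage is intended here, drop the added line and leave resource-group routing to the rg.* tests. The testDeployment block starts before each hunk.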
@@ -30,14 +30,17 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-assignment:`. -- [Mg.Common](#example-1-mgcommon) -- [Mg.Min](#example-2-mgmin) -- [Rg.Common](#example-3-rgcommon) -- [Rg.Min](#example-4-rgmin) -- [Sub.Common](#example-5-subcommon) -- [Sub.Min](#example-6-submin) +- [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) +- [Role Assignments (Management Group scope)](#example-2-role-assignments-management-group-scope) +- [Role Assignments (Resource Group)](#example-3-role-assignments-resource-group) +- [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) +- [Role Assignments (Subscription scope)](#example-5-role-assignments-subscription-scope) +- [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) + +### Example 1: _Role Assignments (Management Group scope)_ + +This module deploys a Role Assignment at a Management Group scope using common parameters. -### Example 1: _Mg.Common_
@@ -102,7 +105,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 2: _Mg.Min_ +### Example 2: _Role Assignments (Management Group scope)_ + +This module deploys a Role Assignment at a Management Group scope using minimal parameters. +

@@ -159,7 +165,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 3: _Rg.Common_ +### Example 3: _Role Assignments (Resource Group)_ + +This module deploys a Role Assignment at a Resource Group scope using common parameters. +

@@ -174,6 +183,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: roleDefinitionIdOrName: 'Reader' // Non-required parameters description: 'Role Assignment (resource group scope)' + location: '' principalType: 'ServicePrincipal' resourceGroupName: '' subscriptionId: '' @@ -204,6 +214,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "description": { "value": "Role Assignment (resource group scope)" }, + "location": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" }, @@ -220,7 +233,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Rg.Min_ +### Example 4: _Role Assignments (Resource Group)_ + +This module deploys a Role Assignment at a Resource Group scope using minimal parameters. +

@@ -234,6 +250,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: principalId: '' roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' // Non-required parameters + location: '' principalType: 'ServicePrincipal' resourceGroupName: '' subscriptionId: '' @@ -261,6 +278,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" }, // Non-required parameters + "location": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" }, @@ -277,7 +297,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 5: _Sub.Common_ +### Example 5: _Role Assignments (Subscription scope)_ + +This module deploys a Role Assignment at a Subscription scope using common parameters. +

@@ -342,7 +365,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 6: _Sub.Min_ +### Example 6: _Role Assignments (Subscription scope)_ + +This module deploys a Role Assignment at a Subscription scope using minimal parameters. +

diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep
index 82c6d330b5..dfab7f8b18 100644
--- a/avm/ptn/authorization/role-assignment/main.bicep
+++ b/avm/ptn/authorization/role-assignment/main.bicep
@@ -70,7 +70,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
 }
 }
-module roleAssignment_mg 'modules/main.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_mg 'modules/management-group.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -85,7 +85,7 @@ module roleAssignment_mg 'modules/main.bicep' = if (empty(subscriptionId) && emp
 }
 }
-module roleAssignment_sub 'modules/main.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_sub 'modules/subscription.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -100,7 +100,7 @@ module roleAssignment_sub 'modules/main.bicep' = if (!empty(subscriptionId) && e
 }
 }
-module roleAssignment_rg 'modules/main.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleAssignment_rg 'modules/resource-group.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json
index 999d9919cf..f2761c2ca6 100644
--- a/avm/ptn/authorization/role-assignment/main.json
+++ b/avm/ptn/authorization/role-assignment/main.json
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "12858800540143057292" + "version": "0.26.170.59819", + "templateHash": "13721056555841877914" }, "name": "Role Assignments (All scopes)", "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.", @@ -163,8 +163,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "13138890425764423619" + "version": "0.26.170.59819", + "templateHash": "13749459126745145624" }, "name": "Role Assignments (Management Group scope)", "description": "This module deploys a Role Assignment at a Management Group scope.", @@ -327,8 +327,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "16585133441538520821" + "version": "0.26.170.59819", + "templateHash": "4516670639800961845" }, "name": "Role Assignments (Subscription scope)", "description": "This module deploys a Role Assignment at a Subscription scope.", @@ -499,8 +499,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "11297620450852372708" + "version": "0.26.170.59819", + "templateHash": "7241874480439813582" }, "name": "Role Assignments (Resource Group scope)", "description": "This module deploys a Role Assignment at a Resource Group scope.", diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep index d567701c91..5f22a1c277 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep 
@@ -1,4 +1,4 @@
-targetScope = 'subscription'
+targetScope = 'managementGroup'
 metadata name = 'Role Assignments (Resource Group)'
 metadata description = 'This module deploys a Role Assignment at a Resource Group scope using common parameters.'
@@ -19,19 +19,26 @@ param serviceShort string = 'arargcom'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = '#_subscriptionId_#'
+
 // ============ //
 // Dependencies //
 // ============ //
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: resourceLocation
+module resourceGroupDeploy 'br/public:avm/res/resources/resource-group:0.2.3' ={
+ scope: subscription('${subscriptionId}')
+ name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup'
+ params: {
+ name: resourceGroupName
+ location: resourceLocation
+ }
 }
 module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
+ scope: resourceGroup(subscriptionId, resourceGroupName)
 name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
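Review bot: `scope: resourceGroup(subscriptionId, resourceGroupName)` on nestedDependencies no longer references the `resourceGroupDeploy` symbol (the removed `scope: resourceGroup` did reference the old resource), so Bicep has nothing from which to infer an ordering and the nested deployment can be submitted before the resource group exists. Add an explicit dependency inside the nestedDependencies block, `dependsOn: [ resourceGroupDeploy ]`; the rg.min hunk (@@ -19,19 +19,28 @@) has the same gap and additionally leaves an empty line before the module's closing brace. Two smaller style points: `='{` should read `= {`, and `subscription('${subscriptionId}')` is simply `subscription(subscriptionId)`. The nestedDependencies block continues past the end of the hunk.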
@@ -43,15 +50,15 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: 'Reader'
 description: 'Role Assignment (resource group scope)'
 principalType: 'ServicePrincipal'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
+ location: resourceLocation
+ subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
index e12b4edee7..2261d68f5a 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep
@@ -1,4 +1,4 @@
-targetScope = 'subscription'
+targetScope = 'managementGroup'
 metadata name = 'Role Assignments (Resource Group)'
 metadata description = 'This module deploys a Role Assignment at a Resource Group scope using minimal parameters.'
@@ -19,19 +19,28 @@ param serviceShort string = 'arargmin'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
+@description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+param subscriptionId string = '#_subscriptionId_#'
+
+
 // ============ //
 // Dependencies //
 // ============ //
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: resourceLocation
-}
+module resourceGroupDeploy 'br/public:avm/res/resources/resource-group:0.2.3' ={
+ scope: subscription('${subscriptionId}')
+ name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup'
+ params: {
+ name: resourceGroupName
+ location: resourceLocation
+ }
+
+}
 module nestedDependencies 'dependencies.bicep' = {
- scope: resourceGroup
+ scope: resourceGroup(subscriptionId, resourceGroupName)
 name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
@@ -43,14 +52,14 @@ module nestedDependencies 'dependencies.bicep' = {
 // Test Execution //
 // ============== //
-module testDeployment '../../../resource-group/main.bicep' = {
- scope: resourceGroup
+module testDeployment '../../../main.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 principalType: 'ServicePrincipal'
- resourceGroupName: resourceGroup.name
- subscriptionId: subscription().subscriptionId
+ location: resourceLocation
+ subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
 }
 }
From b3ba838b5d4d6eef8e01c5c6a3b108a45c7da330 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Fri, 12 Apr 2024 15:29:22 -0600 Subject: [PATCH 35/42] Added location to avmTelemetry --- avm/ptn/authorization/role-assignment/main.bicep | 1 + avm/ptn/authorization/role-assignment/main.json | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/avm/ptn/authorization/role-assignment/main.bicep b/avm/ptn/authorization/role-assignment/main.bicep
index dfab7f8b18..36669e0e95 100644
--- a/avm/ptn/authorization/role-assignment/main.bicep
+++ b/avm/ptn/authorization/role-assignment/main.bicep
@@ -68,6 +68,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
 }
 }
 }
+ location:location
 }
 module roleAssignment_mg 'modules/management-group.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
diff --git a/avm/ptn/authorization/role-assignment/main.json b/avm/ptn/authorization/role-assignment/main.json
index f2761c2ca6..d8570e9088 100644
--- a/avm/ptn/authorization/role-assignment/main.json
+++ b/avm/ptn/authorization/role-assignment/main.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.170.59819",
- "templateHash": "13721056555841877914"
+ "templateHash": "3360936249154372689"
 },
 "name": "Role Assignments (All scopes)",
 "description": "This module deploys a Role Assignment at a Management Group, Subscription or Resource Group scope.",
@@ -125,7 +125,8 @@
 }
 }
 }
- }
+ },
+ "location": "[parameters('location')]"
 },
 {
 "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]",
From 2f2074236ab79da996347a2e90278de831413dba Mon Sep 17 00:00:00 2001 From: arnoldna Date: Fri, 12 Apr 2024 16:53:42 -0600 Subject: [PATCH 36/42] Updated resource group name --- .../role-assignment/tests/e2e/mg.common/main.test.bicep | 2 +- .../role-assignment/tests/e2e/mg.min/main.test.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
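Review bot: `location:location` in the main.bicep hunk (@@ -68,6 +68,7 @@) is missing the space after the colon that every other property in this file uses (`scope: managementGroup(managementGroupId)`, `name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'`); write it `location: location`. A short why-comment would also help the next reader, since the property is presumably there because the template is now deployed above resource-group scope (the tests switched to `targetScope = 'managementGroup'` in the previous patch): `location: location // needed for a deployments resource at management-group / subscription scope`. The avmTelemetry resource begins before the hunk.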
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
index b04b42ca9a..fcc3dbf293 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -30,7 +30,7 @@ param subscriptionId string = '#_subscriptionId_#'
 // =================
 module nestedDependencies 'interim.dependencies.bicep' = {
 scope: subscription('${subscriptionId}')
- name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ name: '${uniqueString(deployment().name, resourceLocation)}-${serviceShort}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
 resourceGroupName: resourceGroupName
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index f91280625b..0fecbc2e53 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -30,7 +30,7 @@ param subscriptionId string = '#_subscriptionId_#'
 // =================
 module nestedDependencies 'interim.dependencies.bicep' = {
 scope: subscription('${subscriptionId}')
- name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ name: '${uniqueString(deployment().name, resourceLocation)}-${serviceShort}-nestedDependencies'
 params: {
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
 resourceGroupName: resourceGroupName
From d2cdaa583f57edb0fff1506460ff305352f2f9ee Mon Sep 17 00:00:00 2001
From: arnoldna Date: Sat, 13 Apr 2024 10:02:40 -0600 Subject: [PATCH 37/42] Updated tests --- avm/ptn/authorization/role-assignment/README.md | 8 -------- .../tests/e2e/mg.common/main.test.bicep | 1 - .../role-assignment/tests/e2e/mg.min/main.test.bicep | 1 - .../role-assignment/tests/e2e/sub.min/main.test.bicep | 11 +++++++++++ 4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md
index 5c51617044..406cb9bf56 100644
--- a/avm/ptn/authorization/role-assignment/README.md
+++ b/avm/ptn/authorization/role-assignment/README.md
@@ -58,7 +58,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:
 location: ''
 managementGroupId: ''
 principalType: 'ServicePrincipal'
- resourceGroupName: ''
 }
 }
 ```
@@ -94,9 +93,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:
 },
 "principalType": {
 "value": "ServicePrincipal"
- },
- "resourceGroupName": {
- "value": ""
 }
 }
 }
@@ -124,7 +120,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:
 // Non-required parameters
 location: ''
 principalType: 'ServicePrincipal'
- resourceGroupName: ''
 }
 }
 ```
@@ -154,9 +149,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:
 },
 "principalType": {
 "value": "ServicePrincipal"
- },
- "resourceGroupName": {
- "value": ""
 }
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
index fcc3dbf293..9947a1d4af 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep
@@ -51,6 +51,5 @@ module testDeployment '../../../main.bicep' = {
 managementGroupId: last(split(managementGroup().id, '/'))
 principalType: 'ServicePrincipal'
 location: resourceLocation
- resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
index 0fecbc2e53..0dfff91298 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep
@@ -49,6 +49,5 @@ module testDeployment '../../../main.bicep' = {
 roleDefinitionIdOrName: 'Resource Policy Contributor'
 principalType: 'ServicePrincipal'
 location: resourceLocation
- resourceGroupName: resourceGroupName
 }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 9a5baf3c18..b6b85f085f 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -28,6 +28,17 @@ param subscriptionId string = '#_subscriptionId_#'
 // General resources
 // =================
+
+
+module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' ={
+ scope: subscription('${subscriptionId}')
+ name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup'
+ params: {
+ name: resourceGroupName
+ location: resourceLocation
+ }
+}
+
 module nestedDependencies 'interim.dependencies.bicep' = {
 scope: subscription('${subscriptionId}')
 name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
From 1e9c6967e495b0975f8a1eb1d9fa5bf7b4b3dca2 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Sat, 13 Apr 2024 10:18:12 -0600 Subject: [PATCH 38/42] Updated test with correct role ID --- avm/ptn/authorization/role-assignment/README.md | 4 ++-- .../role-assignment/tests/e2e/sub.min/main.test.bicep | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md
index 406cb9bf56..1f074f0fbe 100644
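Review bot: The new `resourceGroup` module in the sub.min hunk (@@ -28,6 +28,17 @@) has no consumer: nestedDependencies keeps `scope: subscription('${subscriptionId}')` and references nothing from it, so nothing orders the two deployments, and the deleted `interim.dependencies.bicep` earlier on this page suggests the nested dependencies create a resource group of that same name themselves — if sub.min's interim.dependencies.bicep still does, this is a second, unordered PUT of the same group. Either remove the module or make the intent explicit with `dependsOn: [ resourceGroup ]` on nestedDependencies. On style, the hunk adds two consecutive blank lines, `='{` should read `= {`, and the rg.* tests name the equivalent module `resourceGroupDeploy`, which is consistent and avoids confusion with the `resourceGroup()` function used elsewhere. The nestedDependencies block continues past the hunk.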
--- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -372,7 +372,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Resource Policy Contributor' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' // Non-required parameters location: '' principalType: 'ServicePrincipal' @@ -399,7 +399,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Resource Policy Contributor" + "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" }, // Non-required parameters "location": { diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep index b6b85f085f..50748f67ef 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep @@ -57,7 +57,7 @@ module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { principalId: nestedDependencies.outputs.managedIdentityPrincipalId - roleDefinitionIdOrName: 'Resource Policy Contributor' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' principalType: 'ServicePrincipal' location: resourceLocation subscriptionId: subscriptionId From 51ec1d4d0499720cefb7ee0e4709476eee10adeb Mon Sep 17 00:00:00 2001 
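Review bot: The bare GUID in `roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'` gives no hint which built-in role the test grants to the managed identity, so a reviewer cannot check it against least privilege for a fixture that runs in a shared subscription. Add a comment naming the role directly above the line, e.g. `// Built-in role <name> — keep this the least-privileged role that still exercises the module`. The commit says "correct role ID" but nothing records why the name form `'Resource Policy Contributor'` was wrong here; a one-line note would stop the next person from reintroducing it. The enclosing `testDeployment` module body continues outside the hunk.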
From: Nate Arnold Date: Mon, 15 Apr 2024 08:22:40 -0600 Subject: [PATCH 39/42] Update avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep Co-authored-by: Alexander Sehr --- .../role-assignment/tests/e2e/rg.min/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep index 2261d68f5a..99cebb3035 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep @@ -1,5 +1,5 @@ targetScope = 'managementGroup' -metadata name = 'Role Assignments (Resource Group)' +metadata name = 'Role Assignments (Resource Group scope)' metadata description = 'This module deploys a Role Assignment at a Resource Group scope using minimal parameters.' // ========== // From db54a2a9357445c0ae340e0f20f25acd3418238f Mon Sep 17 00:00:00 2001 From: Nate Arnold Date: Mon, 15 Apr 2024 08:23:03 -0600 Subject: [PATCH 40/42] Update avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep Co-authored-by: Alexander Sehr --- .../role-assignment/tests/e2e/sub.min/main.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep index 50748f67ef..93eae447c2 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep 
@@ -57,7 +57,7 @@ module testDeployment '../../../main.bicep' = { name: '${uniqueString(deployment().name)}-test-${serviceShort}' params: { principalId: nestedDependencies.outputs.managedIdentityPrincipalId - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') principalType: 'ServicePrincipal' location: resourceLocation subscriptionId: subscriptionId From 4497f0a4ff8b7af0fdfadc5fb4f8108087da7c06 Mon Sep 17 00:00:00 2001 From: arnoldna Date: Mon, 15 Apr 2024 09:05:12 -0600 Subject: [PATCH 41/42] Removed resource group from subscription scope tests --- avm/ptn/authorization/role-assignment/README.md | 16 ++++------------ .../tests/e2e/sub.common/main.test.bicep | 1 - .../tests/e2e/sub.min/main.test.bicep | 1 - 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index 1f074f0fbe..cf41a30910 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -33,7 +33,7 @@ The following section provides usage examples for the module, which were used to - [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) - [Role Assignments (Management Group scope)](#example-2-role-assignments-management-group-scope) - [Role Assignments (Resource Group)](#example-3-role-assignments-resource-group) -- [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) +- [Role Assignments (Resource Group scope)](#example-4-role-assignments-resource-group-scope) - [Role Assignments (Subscription scope)](#example-5-role-assignments-subscription-scope) - [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) 
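Review bot: `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` uses the two-argument form, which resolves against the deployment's own subscription; the sibling rg.min test in this series declares `targetScope = 'managementGroup'`, and if sub.min does the same (its header is outside the hunk) there is no deployment subscription to resolve against. The explicit form `subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')` is safe at either scope and keeps the role's subscription aligned with the `subscriptionId` passed two lines below. The GUID still deserves a name: add `// Built-in Reader role — least privilege for the test fixture` above it, assuming that is what the GUID maps to. The enclosing `testDeployment` module continues outside the hunk.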
@@ -225,7 +225,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Role Assignments (Resource Group)_ +### Example 4: _Role Assignments (Resource Group scope)_ This module deploys a Role Assignment at a Resource Group scope using minimal parameters. @@ -309,7 +309,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: description: 'Role Assignment (subscription scope)' location: '' principalType: 'ServicePrincipal' - resourceGroupName: '' subscriptionId: '' } } @@ -344,9 +343,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "principalType": { "value": "ServicePrincipal" }, - "resourceGroupName": { - "value": "" - }, "subscriptionId": { "value": "" } @@ -372,11 +368,10 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleDefinitionIdOrName: '' // Non-required parameters location: '' principalType: 'ServicePrincipal' - resourceGroupName: '' subscriptionId: '' } } @@ -399,7 +394,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" + "value": "" }, // Non-required parameters "location": { @@ -408,9 +403,6 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "principalType": { "value": "ServicePrincipal" }, - "resourceGroupName": { - "value": "" - }, "subscriptionId": { "value": "" } diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep index 29eae8a4c0..eadb2ab2e4 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep 
@@ -62,6 +62,5 @@ module testDeployment '../../../main.bicep' = {
     principalType: 'ServicePrincipal'
     location: resourceLocation
     subscriptionId: subscriptionId
-    resourceGroupName: resourceGroupName
   }
 }
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
index 93eae447c2..4b1543c60b 100644
--- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
+++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep
@@ -61,6 +61,5 @@ module testDeployment '../../../main.bicep' = {
     principalType: 'ServicePrincipal'
     location: resourceLocation
     subscriptionId: subscriptionId
-    resourceGroupName: resourceGroupName
   }
 }
From 8507909368bf720c3db2d2903934e9b26399225f Mon Sep 17 00:00:00 2001
From: arnoldna Date: Wed, 17 Apr 2024 14:32:44 -0600 Subject: [PATCH 42/42] Updated test names --- .../authorization/role-assignment/README.md | 76 +++++++++---------- .../dependencies.bicep | 0 .../interim.dependencies.bicep | 0 .../{mg.min => mg.defaults}/main.test.bicep | 0 .../e2e/{mg.min => mg.max}/dependencies.bicep | 0 .../interim.dependencies.bicep | 0 .../e2e/{mg.common => mg.max}/main.test.bicep | 2 +- .../dependencies.bicep | 0 .../{rg.min => rg.default}/main.test.bicep | 0 .../e2e/{rg.min => rg.max}/dependencies.bicep | 0 .../e2e/{rg.common => rg.max}/main.test.bicep | 2 +- .../dependencies.bicep | 0 .../interim.dependencies.bicep | 0 .../{sub.min => sub.default}/main.test.bicep | 0 .../{sub.min => sub.max}/dependencies.bicep | 0 .../interim.dependencies.bicep | 0 .../{sub.common => sub.max}/main.test.bicep | 2 +- 17 files changed, 41 insertions(+), 41 deletions(-) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.common => mg.defaults}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.common => mg.defaults}/interim.dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.min => mg.defaults}/main.test.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.min => mg.max}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.min => mg.max}/interim.dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{mg.common => mg.max}/main.test.bicep (98%) rename avm/ptn/authorization/role-assignment/tests/e2e/{rg.common => rg.default}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{rg.min => rg.default}/main.test.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{rg.min => rg.max}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{rg.common => rg.max}/main.test.bicep (98%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.common => 
sub.default}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.common => sub.default}/interim.dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.min => sub.default}/main.test.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.min => sub.max}/dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.min => sub.max}/interim.dependencies.bicep (100%) rename avm/ptn/authorization/role-assignment/tests/e2e/{sub.common => sub.max}/main.test.bicep (98%) diff --git a/avm/ptn/authorization/role-assignment/README.md b/avm/ptn/authorization/role-assignment/README.md index cf41a30910..bbe4b6d33e 100644 --- a/avm/ptn/authorization/role-assignment/README.md +++ b/avm/ptn/authorization/role-assignment/README.md @@ -32,14 +32,14 @@ The following section provides usage examples for the module, which were used to - [Role Assignments (Management Group scope)](#example-1-role-assignments-management-group-scope) - [Role Assignments (Management Group scope)](#example-2-role-assignments-management-group-scope) -- [Role Assignments (Resource Group)](#example-3-role-assignments-resource-group) -- [Role Assignments (Resource Group scope)](#example-4-role-assignments-resource-group-scope) +- [Role Assignments (Resource Group scope)](#example-3-role-assignments-resource-group-scope) +- [Role Assignments (Resource Group)](#example-4-role-assignments-resource-group) - [Role Assignments (Subscription scope)](#example-5-role-assignments-subscription-scope) - [Role Assignments (Subscription scope)](#example-6-role-assignments-subscription-scope) ### Example 1: _Role Assignments (Management Group scope)_ -This module deploys a Role Assignment at a Management Group scope using common parameters. +This module deploys a Role Assignment at a Management Group scope using minimal parameters.

@@ -52,11 +52,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Management Group Reader' + roleDefinitionIdOrName: 'Resource Policy Contributor' // Non-required parameters - description: 'Role Assignment (management group scope)' location: '' - managementGroupId: '' principalType: 'ServicePrincipal' } } @@ -79,18 +77,12 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Management Group Reader" + "value": "Resource Policy Contributor" }, // Non-required parameters - "description": { - "value": "Role Assignment (management group scope)" - }, "location": { "value": "" }, - "managementGroupId": { - "value": "" - }, "principalType": { "value": "ServicePrincipal" } @@ -103,7 +95,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: ### Example 2: _Role Assignments (Management Group scope)_ -This module deploys a Role Assignment at a Management Group scope using minimal parameters. +This module deploys a Role Assignment at a Management Group scope using common parameters.
@@ -116,9 +108,11 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Resource Policy Contributor' + roleDefinitionIdOrName: 'Management Group Reader' // Non-required parameters + description: 'Role Assignment (management group scope)' location: '' + managementGroupId: '' principalType: 'ServicePrincipal' } } @@ -141,12 +135,18 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Resource Policy Contributor" + "value": "Management Group Reader" }, // Non-required parameters + "description": { + "value": "Role Assignment (management group scope)" + }, "location": { "value": "" }, + "managementGroupId": { + "value": "" + }, "principalType": { "value": "ServicePrincipal" } @@ -157,9 +157,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 3: _Role Assignments (Resource Group)_ +### Example 3: _Role Assignments (Resource Group scope)_ -This module deploys a Role Assignment at a Resource Group scope using common parameters. +This module deploys a Role Assignment at a Resource Group scope using minimal parameters.

@@ -172,9 +172,8 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' // Non-required parameters - description: 'Role Assignment (resource group scope)' location: '' principalType: 'ServicePrincipal' resourceGroupName: '' @@ -200,12 +199,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Reader" + "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" }, // Non-required parameters - "description": { - "value": "Role Assignment (resource group scope)" - }, "location": { "value": "" }, @@ -225,9 +221,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment:

-### Example 4: _Role Assignments (Resource Group scope)_ +### Example 4: _Role Assignments (Resource Group)_ -This module deploys a Role Assignment at a Resource Group scope using minimal parameters. +This module deploys a Role Assignment at a Resource Group scope using common parameters.

@@ -240,8 +236,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + roleDefinitionIdOrName: 'Reader' // Non-required parameters + description: 'Role Assignment (resource group scope)' location: '' principalType: 'ServicePrincipal' resourceGroupName: '' @@ -267,9 +264,12 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11" + "value": "Reader" }, // Non-required parameters + "description": { + "value": "Role Assignment (resource group scope)" + }, "location": { "value": "" }, @@ -291,7 +291,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: ### Example 5: _Role Assignments (Subscription scope)_ -This module deploys a Role Assignment at a Subscription scope using common parameters. +This module deploys a Role Assignment at a Subscription scope using minimal parameters.
@@ -304,9 +304,8 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: 'Reader' + roleDefinitionIdOrName: '' // Non-required parameters - description: 'Role Assignment (subscription scope)' location: '' principalType: 'ServicePrincipal' subscriptionId: '' @@ -331,12 +330,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "Reader" + "value": "" }, // Non-required parameters - "description": { - "value": "Role Assignment (subscription scope)" - }, "location": { "value": "" }, @@ -355,7 +351,7 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: ### Example 6: _Role Assignments (Subscription scope)_ -This module deploys a Role Assignment at a Subscription scope using minimal parameters. +This module deploys a Role Assignment at a Subscription scope using common parameters.
@@ -368,8 +364,9 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: params: { // Required parameters principalId: '' - roleDefinitionIdOrName: '' + roleDefinitionIdOrName: 'Reader' // Non-required parameters + description: 'Role Assignment (subscription scope)' location: '' principalType: 'ServicePrincipal' subscriptionId: '' @@ -394,9 +391,12 @@ module roleAssignment 'br/public:avm/ptn/authorization/role-assignment: "value": "" }, "roleDefinitionIdOrName": { - "value": "" + "value": "Reader" }, // Non-required parameters + "description": { + "value": "Role Assignment (subscription scope)" + }, "location": { "value": "" }, diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.common/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/interim.dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.common/interim.dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/interim.dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/main.test.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.min/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.defaults/main.test.bicep 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.max/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.min/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.max/dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.max/interim.dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.min/interim.dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.max/interim.dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/mg.max/main.test.bicep similarity index 98% rename from avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/mg.max/main.test.bicep index 9947a1d4af..b7e9d1bd87 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/mg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/mg.max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignment param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aramgcom' +param serviceShort string = 'aramgmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.default/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/rg.common/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/rg.default/dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.default/main.test.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/rg.min/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/rg.default/main.test.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.max/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/rg.min/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/rg.max/dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/rg.max/main.test.bicep similarity index 98% rename from avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/rg.max/main.test.bicep index 5f22a1c277..b154901d94 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/rg.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/rg.max/main.test.bicep 
@@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignment param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'arargcom' +param serviceShort string = 'arargmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.default/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.common/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.default/dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.default/interim.dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.common/interim.dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.default/interim.dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.default/main.test.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.min/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.default/main.test.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.max/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.min/dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.max/dependencies.bicep 
diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.max/interim.dependencies.bicep similarity index 100% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.min/interim.dependencies.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.max/interim.dependencies.bicep diff --git a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep b/avm/ptn/authorization/role-assignment/tests/e2e/sub.max/main.test.bicep similarity index 98% rename from avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep rename to avm/ptn/authorization/role-assignment/tests/e2e/sub.max/main.test.bicep index eadb2ab2e4..0f41d75951 100644 --- a/avm/ptn/authorization/role-assignment/tests/e2e/sub.common/main.test.bicep +++ b/avm/ptn/authorization/role-assignment/tests/e2e/sub.max/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.roleassignment param resourceLocation string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'arasubcom' +param serviceShort string = 'arasubmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#'