feat: add RBAC conditions to sub-vending module (Azure#3545)
## Description

Added RBAC constrained delegation feature to role assignments

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.ptn.lz.sub-vending](https://github.com/sebassem/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml/badge.svg?branch=avm-lz-sub-vending-rbac-delegation)](https://github.com/sebassem/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml) |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [X] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting module files.
- [X] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
sebassem authored Oct 22, 2024
1 parent 0e43ed0 commit 048797b
Showing 10 changed files with 2,149 additions and 1,022 deletions.
259 changes: 254 additions & 5 deletions avm/ptn/lz/sub-vending/README.md
Expand Up @@ -55,7 +55,8 @@ The following section provides usage examples for the module, which were used to
- [Using only defaults.](#example-1-using-only-defaults)
- [Hub and spoke topology.](#example-2-hub-and-spoke-topology)
- [Vwan topology.](#example-3-vwan-topology)
- [Using RBAC conditions.](#example-3-using-rbac-conditions)
- [Vwan topology.](#example-4-vwan-topology)

### Example 1: _Using only defaults._

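Review bot: the renumbering in this hunk is consistent (the removed `#example-3-vwan-topology` entry is replaced by `#example-3-using-rbac-conditions` and `#example-4-vwan-topology`, and the headings further down are renumbered the same way), but the old `#example-3-vwan-topology` anchor now points at a different example, so any external links or docs that deep-link to the vWAN example by anchor will silently land on the RBAC-conditions example; worth a line in the description.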
Expand Down Expand Up @@ -396,7 +397,173 @@ param virtualNetworkUseRemoteGateways = false
</details>
<p>

### Example 3: _Vwan topology._
### Example 3: _Using RBAC conditions._

This instance deploys the module with RBAC conditions for the role assignments.


<details>

<summary>via Bicep module</summary>

```bicep
module subVending 'br/public:avm/ptn/lz/sub-vending:<version>' = {
name: 'subVendingDeployment'
params: {
resourceProviders: {}
roleAssignmentEnabled: true
roleAssignments: [
{
definition: '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168'
principalId: '896b1162-be44-4b28-888a-d01acc1b4271'
relativeScope: ''
roleAssignmentCondition: {
roleConditionType: {
principleTypesToAssign: [
'Group'
'ServicePrincipal'
]
rolesToAssign: [
'b24988ac-6180-42a0-ab88-20f7382dd24c'
]
templateName: 'constrainRolesAndPrincipalTypes'
}
}
}
]
subscriptionAliasEnabled: true
subscriptionAliasName: '<subscriptionAliasName>'
subscriptionBillingScope: '<subscriptionBillingScope>'
subscriptionDisplayName: '<subscriptionDisplayName>'
subscriptionManagementGroupAssociationEnabled: true
subscriptionManagementGroupId: 'bicep-lz-vending-automation-child'
subscriptionTags: {
namePrefix: '<namePrefix>'
serviceShort: '<serviceShort>'
}
subscriptionWorkload: 'Production'
}
}
```

</details>
<p>

<details>

<summary>via JSON parameters file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceProviders": {
"value": {}
},
"roleAssignmentEnabled": {
"value": true
},
"roleAssignments": {
"value": [
{
"definition": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"principalId": "896b1162-be44-4b28-888a-d01acc1b4271",
"relativeScope": "",
"roleAssignmentCondition": {
"roleConditionType": {
"principleTypesToAssign": [
"Group",
"ServicePrincipal"
],
"rolesToAssign": [
"b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"templateName": "constrainRolesAndPrincipalTypes"
}
}
}
]
},
"subscriptionAliasEnabled": {
"value": true
},
"subscriptionAliasName": {
"value": "<subscriptionAliasName>"
},
"subscriptionBillingScope": {
"value": "<subscriptionBillingScope>"
},
"subscriptionDisplayName": {
"value": "<subscriptionDisplayName>"
},
"subscriptionManagementGroupAssociationEnabled": {
"value": true
},
"subscriptionManagementGroupId": {
"value": "bicep-lz-vending-automation-child"
},
"subscriptionTags": {
"value": {
"namePrefix": "<namePrefix>",
"serviceShort": "<serviceShort>"
}
},
"subscriptionWorkload": {
"value": "Production"
}
}
}
```

</details>
<p>

<details>

<summary>via Bicep parameters file</summary>

```bicep-params
using 'br/public:avm/ptn/lz/sub-vending:<version>'
param resourceProviders = {}
param roleAssignmentEnabled = true
param roleAssignments = [
{
definition: '/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168'
principalId: '896b1162-be44-4b28-888a-d01acc1b4271'
relativeScope: ''
roleAssignmentCondition: {
roleConditionType: {
principleTypesToAssign: [
'Group'
'ServicePrincipal'
]
rolesToAssign: [
'b24988ac-6180-42a0-ab88-20f7382dd24c'
]
templateName: 'constrainRolesAndPrincipalTypes'
}
}
}
]
param subscriptionAliasEnabled = true
param subscriptionAliasName = '<subscriptionAliasName>'
param subscriptionBillingScope = '<subscriptionBillingScope>'
param subscriptionDisplayName = '<subscriptionDisplayName>'
param subscriptionManagementGroupAssociationEnabled = true
param subscriptionManagementGroupId = 'bicep-lz-vending-automation-child'
param subscriptionTags = {
namePrefix: '<namePrefix>'
serviceShort: '<serviceShort>'
}
param subscriptionWorkload = 'Production'
```

</details>
<p>

### Example 4: _Vwan topology._

This instance deploys a subscription with a vwan network topology.

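Review bot: the example's one-line prose ("This instance deploys the module with RBAC conditions for the role assignments.") should spell out what the condition enforces, since that is the security-relevant part of the feature: the assignment grants role definition `f58310d9-a9f6-439a-9e8d-f62e7b41a168` (the built-in Role Based Access Control Administrator role) at subscription scope (`relativeScope: ''`), and the `constrainRolesAndPrincipalTypes` template restricts that delegate to assigning only `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor) to principals of type `Group` or `ServicePrincipal`. Two further points. First, the property name `principleTypesToAssign` is misspelled while the template name `constrainRolesAndPrincipalTypes` spells "principal" correctly; this is the public parameter surface of a versioned module, so renaming it later would be a breaking change and it should be fixed to `principalTypesToAssign` before release. Second, `principalId: '896b1162-be44-4b28-888a-d01acc1b4271'` and `subscriptionManagementGroupId: 'bicep-lz-vending-automation-child'` are concrete values, while the other inputs use `<placeholder>` tokens; a reader copying the example will reference a principal and management group that do not exist in their tenant, so prefer placeholder tokens for these in the source the README is generated from.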
Expand Down Expand Up @@ -702,7 +869,7 @@ The name of the storage account for the deployment script.

- Required: No
- Type: string
- Default: `[format('stgds{0}', substring(uniqueString(deployment().name, parameters('virtualNetworkLocation')), 0, 4))]`
- Default: `[format('stgds{0}', substring(uniqueString(deployment().name, parameters('virtualNetworkLocation')), 0, 10))]`

### Parameter: `deploymentScriptVirtualNetworkName`

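Review bot: the change to the default `deploymentScriptStorageAccountName` (substring length 4 to 10) is unrelated to the RBAC-conditions feature and is not mentioned in the PR description; either call it out there with its motivation or split it into its own PR so the changelog explains why the default name changed. The resulting name (`stgds` plus 10 characters of `uniqueString` output) is 15 lowercase alphanumeric characters, which stays within the 3-24 character storage account naming rules.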
Expand Down Expand Up @@ -837,6 +1004,88 @@ Supply an array of objects containing the details of the role assignments to cre
- Type: array
- Default: `[]`

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`definition`](#parameter-roleassignmentsdefinition) | string | The role definition ID or name. |
| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the user, group, or service principal. |
| [`relativeScope`](#parameter-roleassignmentsrelativescope) | string | The relative scope of the role assignment. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`roleAssignmentCondition`](#parameter-roleassignmentsroleassignmentcondition) | object | The condition for the role assignment. |

### Parameter: `roleAssignments.definition`

The role definition ID or name.

- Required: Yes
- Type: string

### Parameter: `roleAssignments.principalId`

The principal ID of the user, group, or service principal.

- Required: Yes
- Type: string

### Parameter: `roleAssignments.relativeScope`

The relative scope of the role assignment.

- Required: Yes
- Type: string

### Parameter: `roleAssignments.roleAssignmentCondition`

The condition for the role assignment.

- Required: No
- Type: object

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`roleConditionType`](#parameter-roleassignmentsroleassignmentconditionroleconditiontype) | object | The type of template for the role assignment condition. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`conditionVersion`](#parameter-roleassignmentsroleassignmentconditionconditionversion) | string | The version of the condition template. |
| [`delegationCode`](#parameter-roleassignmentsroleassignmentconditiondelegationcode) | string | The code for a custom condition if no template is used. The user should supply their own custom code if the available templates are not matching their requirements. If a value is provided, this will overwrite any added template. All single quotes needs to be skipped using '. |

### Parameter: `roleAssignments.roleAssignmentCondition.roleConditionType`

The type of template for the role assignment condition.

- Required: No
- Type: object

### Parameter: `roleAssignments.roleAssignmentCondition.conditionVersion`

The version of the condition template.

- Required: No
- Type: string
- Allowed:
```Bicep
[
'2.0'
]
```

### Parameter: `roleAssignments.roleAssignmentCondition.delegationCode`

The code for a custom condition if no template is used. The user should supply their own custom code if the available templates are not matching their requirements. If a value is provided, this will overwrite any added template. All single quotes needs to be skipped using '.

- Required: No
- Type: string

### Parameter: `subscriptionAliasEnabled`

Whether to create a new Subscription using the Subscription Alias resource. If `false`, supply an existing Subscription''s ID in the parameter named `existingSubscriptionId` instead to deploy resources to an existing Subscription.
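Review bot: the generated documentation is internally inconsistent about `roleConditionType`: the table under `roleAssignmentCondition` lists it under **Required parameters**, but its own section says "Required: No". Check the `roleAssignmentType` definition in `modules/subResourceWrapper.bicep` (not in the visible hunks) to settle which is intended; if both `roleConditionType` and `delegationCode` are optional, an empty `roleAssignmentCondition` object is accepted and yields an unconditioned assignment, which should at least be documented. The `roleConditionType` section also documents none of its sub-properties (`templateName`, `rolesToAssign`, `principleTypesToAssign` in the example) or the allowed `templateName` values, so a reader cannot discover the available templates from the README. The sentence "All single quotes needs to be skipped using '." has lost its escape sequence in rendering and has a number-agreement error; state the exact escape explicitly (in Bicep string literals a single quote is written `\'`). Finally, since `delegationCode` is applied verbatim and overrides any template, the description should say whether the module validates the supplied condition text; if it does not, reviewers of parameter files need to know that the condition string is their responsibility to check.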
Expand Down Expand Up @@ -1085,10 +1334,10 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/ptn/authorization/role-assignment:0.1.0` | Remote reference |
| `br/public:avm/ptn/authorization/role-assignment:0.1.1` | Remote reference |
| `br/public:avm/res/managed-identity/user-assigned-identity:0.2.2` | Remote reference |
| `br/public:avm/res/network/network-security-group:0.3.0` | Remote reference |
| `br/public:avm/res/network/virtual-network:0.4.1` | Remote reference |
| `br/public:avm/res/network/virtual-network:0.5.0` | Remote reference |
| `br/public:avm/res/resources/deployment-script:0.2.3` | Remote reference |
| `br/public:avm/res/resources/resource-group:0.2.4` | Remote reference |
| `br/public:avm/res/storage/storage-account:0.9.1` | Remote reference |
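Review bot: `br/public:avm/res/network/virtual-network` moves from 0.4.1 to 0.5.0, a minor bump that under 0.x versioning may carry breaking parameter changes, and `role-assignment` moves from 0.1.0 to 0.1.1; neither dependency bump is mentioned in the PR description. Confirm that the virtual-network parameters this module passes are unchanged in 0.5.0, and that `role-assignment` 0.1.1 is the version that exposes the condition support this feature depends on (the wrapper that calls it is not among the visible hunks).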
9 changes: 6 additions & 3 deletions avm/ptn/lz/sub-vending/main.bicep
Expand Up @@ -9,6 +9,9 @@ This is the orchestration module that is used and called by a consumer of the mo

targetScope = 'managementGroup'

//Imports
import { roleAssignmentType } from 'modules/subResourceWrapper.bicep'

// PARAMETERS

// Subscription Parameters
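Review bot: `import { roleAssignmentType } from 'modules/subResourceWrapper.bicep'` only compiles if that type is decorated with `@export()` in `subResourceWrapper.bicep`, which is not among the visible hunks; confirm it is. Style nit: `//Imports` does not match the neighbouring section markers (`// PARAMETERS`), so `// IMPORTS` would be consistent.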
Expand Down Expand Up @@ -196,9 +199,9 @@ Each object must contain the following `keys`:
1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope
2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group.
''')
param roleAssignments array = []
param roleAssignments roleAssignmentType = []

@sys.description('Optional. Enable/Disable usage telemetry for module.')
@description('Optional. Enable/Disable usage telemetry for module.')
param enableTelemetry bool = true

@description('Optional. The name of the resource group to create the deployment script for resource providers registration.')
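Review bot: `param roleAssignments` is now typed as `roleAssignmentType`, but the description immediately above it still says "Each object must contain the following `keys`" and enumerates only the original keys and the two `relativeScope` forms; it should also document the optional `roleAssignmentCondition` key and what it does, because this description is the source of the generated README text. The `@sys.description` to `@description` swap on `enableTelemetry` is an unrelated cosmetic change; it is consistent with the surrounding parameters, but note it in the description.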
Expand All @@ -221,7 +224,7 @@ param deploymentScriptNetworkSecurityGroupName string = 'nsg-${deployment().loca
param virtualNetworkDeploymentScriptAddressPrefix string = '192.168.0.0/24'

@description('Optional. The name of the storage account for the deployment script.')
param deploymentScriptStorageAccountName string = 'stgds${substring(uniqueString(deployment().name, virtualNetworkLocation), 0, 4)}'
param deploymentScriptStorageAccountName string = 'stgds${substring(uniqueString(deployment().name, virtualNetworkLocation), 0, 10)}'

@description('Optional. The location of the deployment script. Use region shortnames e.g. uksouth, eastus, etc.')
param deploymentScriptLocation string = deployment().location
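Review bot: this is the code side of the default-name change already documented in the README hunk. `uniqueString()` returns a 13-character string, so `substring(..., 0, 10)` stays in range, and `'stgds'` plus 10 characters gives a 15-character name within the storage account limit; the motivation for the longer suffix (presumably fewer name collisions, but nothing on the page says so) should be recorded in the PR description or a code comment.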
0 comments on commit 048797b