diff --git a/avm/ptn/authorization/resource-role-assignment/README.md b/avm/ptn/authorization/resource-role-assignment/README.md
index ee73b251f47..24f14609dc9 100644
--- a/avm/ptn/authorization/resource-role-assignment/README.md
+++ b/avm/ptn/authorization/resource-role-assignment/README.md
@@ -29,7 +29,7 @@ The following section provides usage examples for the module, which were used to
 ### Example 1: _Resource Role Assignments_
-This module deploys a Resource Role Assignment using minimal parameters.
+This module deploys a Resource Role Assignment using all parameters.
@@ -46,8 +46,9 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
 resourceId: ''
 roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
 // Non-required parameters
- enableTelemetry: false
+ description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.'
 principalType: 'ServicePrincipal'
+ roleName: 'Storage Blob Data Reader'
 }
 }
 ```
@@ -78,11 +79,14 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
 "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
 },
 // Non-required parameters
- "enableTelemetry": {
- "value": false
+ "description": {
+ "value": "Assign Storage Blob Data Reader role to the managed identity on the storage account."
 },
 "principalType": {
 "value": "ServicePrincipal"
+ },
+ "roleName": {
+ "value": "Storage Blob Data Reader"
 }
 }
 }
@@ -93,7 +97,7 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
 ### Example 2: _Resource Role Assignments_
-This module deploys a Role Assignment at a Resource scope using common parameters.
+This module deploys a Resource Role Assignment using minimal parameters.
diff --git a/avm/ptn/authorization/resource-role-assignment/main.json b/avm/ptn/authorization/resource-role-assignment/main.json index 687ef9d62cd..d329caba51b 100644 --- a/avm/ptn/authorization/resource-role-assignment/main.json +++ b/avm/ptn/authorization/resource-role-assignment/main.json @@ -1,11 +1,11 @@ { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "15111475392680889649" + "templateHash": "9912378437381690323" }, "name": "ResourceRole Assignments (All scopes)", "description": "This module deploys a Role Assignment for a specific resource.", @@ -27,7 +27,7 @@ "roleDefinitionId": { "type": "string", "metadata": { - "description": "Required. You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Required. The role definition ID for the role assignment." } }, "roleName": { @@ -65,13 +65,6 @@ "description": "Optional. The Description of role assignment." } }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location deployment metadata." - } - }, "enableTelemetry": { "type": "bool", "defaultValue": true, @@ -123,7 +116,7 @@ "scope": "[[parameters('scope')]", "name": "[[parameters('name')]", "properties": { - "roleDefinitionId": "[[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]", + "roleDefinitionId": "[[parameters('roleDefinitionId')]", "principalId": "[[parameters('principalId')]", "principalType": "[[parameters('principalType')]", "description": "[[parameters('description')]" 
@@ -143,7 +136,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.ptn.authorization-resourceroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.ptn.authorization-resourceroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -157,13 +150,12 @@ } } } - }, - "location": "[parameters('location')]" + } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2023-07-01", - "name": "[take(format('rra-{0}-{1}', parameters('name'), last(split(parameters('resourceId'), '/'))), 64)]", + "name": "[format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('roleDefinitionId')))]", "properties": { "mode": "Incremental", "expressionEvaluationOptions": { @@ -178,7 +170,7 @@ "value": "[parameters('name')]" }, "roleDefinitionId": { - "value": "[parameters('roleDefinitionId')]" + "value": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" }, "principalId": { "value": "[parameters('principalId')]" 
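Review bot: The nested deployment name in the `@@ -157,13 +150,12 @@` hunk is now derived only from `resourceId` and `roleDefinitionId`, so two invocations of this module that grant the same role on the same resource to two different principals produce the same `Microsoft.Resources/deployments` name in the same resource group, which is rejected as a duplicate resource when both sit in one template and silently overwrites the deployment record otherwise; the removed name was keyed on `parameters('name')`, which callers such as the e2e test seed from the principal. Since main.json is compiled from main.bicep (not in this chunk), the fix belongs there, e.g. `name: '${guid(resourceId, roleDefinitionId, principalId)}-ResourceRoleAssignment'`, and the `reference(resourceId('Microsoft.Resources/deployments', …))` expression in the outputs hunk must be updated to the same key. The resulting name stays under the 64-character deployment-name limit that the removed `take(…, 64)` was guarding.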
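Review bot: Wrapping `parameters('roleDefinitionId')` in `subscriptionResourceId(...)` in the `@@ -178,7 +170,7 @@` hunk means the parameter must now be a bare role-definition GUID; a fully qualified ID of the form the old description documented (`/providers/Microsoft.Authorization/roleDefinitions/<guid>`) is concatenated into a malformed resource ID and the assignment fails at deployment time, and the new description in the earlier hunk ("The role definition ID for the role assignment") does not say which form is expected. In main.bicep, either constrain the input (`@minLength(36)` / `@maxLength(36)` on `roleDefinitionId`) or accept both forms with `contains(roleDefinitionId, '/') ? roleDefinitionId : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)`. Either way the parameter description should read `Required. The GUID of the role definition to assign (e.g. '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'); it is resolved in the deployment subscription.` so consumers are not left guessing.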
@@ -213,7 +205,14 @@ "metadata": { "description": "The resource ID of the Role Assignment." }, - "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', take(format('rra-{0}-{1}', parameters('name'), last(split(parameters('resourceId'), '/'))), 64)), '2023-07-01').outputs.roleAssignmentId.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('roleDefinitionId')))), '2023-07-01').outputs.roleAssignmentId.value]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the role assignment was applied at." + }, + "value": "[resourceGroup().name]" } } } diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/dependencies.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep similarity index 100% rename from avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/dependencies.bicep rename to avm/ptn/authorization/resource-role-assignment/tests/e2e/all/dependencies.bicep diff --git a/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep similarity index 82% rename from avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep rename to avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep index 0d96a39f14b..79c09f8eaa0 100644 --- a/avm/ptn/authorization/resource-role-assignment/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/ptn/authorization/resource-role-assignment/tests/e2e/all/main.test.bicep 
@@ -1,6 +1,6 @@
 targetScope = 'subscription'
 metadata name = 'Resource Role Assignments'
-metadata description = 'This module deploys a Role Assignment at a Resource scope using common parameters.'
+metadata description = 'This module deploys a Resource Role Assignment using all parameters.'
 // ========== //
 // Parameters //
@@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.resourceroleas
 param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'arrawaf'
+param serviceShort string = 'arraall'
 @description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
 param namePrefix string = '#_namePrefix_#'
@@ -52,12 +52,14 @@ module testDeployment '../../../main.bicep' = [
 params: {
 name: guid(
 nestedDependencies.outputs.managedIdentityPrincipalId,
- nestedDependencies.outputs.storageAccountResourceId,
+ nestedDependencies.outputs.storageAccountResourceId
 )
 resourceId: nestedDependencies.outputs.storageAccountResourceId
 principalId: nestedDependencies.outputs.managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ roleName: 'Storage Blob Data Reader'
+ description: 'Assign Storage Blob Data Reader role to the managed identity on the storage account.'
 }
 }
 ]
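Review bot: The role assignment `name` in the `@@ -52,12 +52,14 @@` hunk is `guid(principalId, storageAccountResourceId)` and leaves the role out of the seed, so a second test granting this identity a different role on the same storage account would reuse the same name and conflict, since role assignment names must be unique per scope. Seeding the role as well, `name: guid(nestedDependencies.outputs.managedIdentityPrincipalId, nestedDependencies.outputs.storageAccountResourceId, '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')`, avoids that and keeps the name tied to the GUID whose meaning the removed `// Storage Blob Data Reader` comment used to record; `roleName` is now the only place that meaning is written down and nothing in the test checks it against the GUID. The `testDeployment` module array continues outside the hunk.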