Fix errors, make idempotency

avm/ptn/authorization/resource-role-assignment/README.md

@@ -29,7 +29,7 @@ The following section provides usage examples for the module, which were used to
 
 ### Example 1: _Resource Role Assignments_
 
-This module deploys a Role Assignment at a Resource scope using minimal parameters.
+This module deploys a Resource Role Assignment using minimal parameters.
 
 
 <details>
@@ -41,12 +41,12 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
   name: 'resourceRoleAssignmentDeployment'
   params: {
     // Required parameters
-    name: 'arramin001'
+    name: '<name>'
     principalId: '<principalId>'
     resourceId: '<resourceId>'
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
     // Non-required parameters
-    location: '<location>'
+    enableTelemetry: false
     principalType: 'ServicePrincipal'
   }
 }
@@ -66,7 +66,7 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
   "parameters": {
     // Required parameters
     "name": {
-      "value": "arramin001"
+      "value": "<name>"
     },
     "principalId": {
       "value": "<principalId>"
@@ -78,8 +78,8 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
       "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
+    "enableTelemetry": {
+      "value": false
     },
     "principalType": {
       "value": "ServicePrincipal"
@@ -105,12 +105,11 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
   name: 'resourceRoleAssignmentDeployment'
   params: {
     // Required parameters
-    name: 'arrawaf001'
+    name: '<name>'
     principalId: '<principalId>'
-    resourceId: ''
+    resourceId: '<resourceId>'
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
     // Non-required parameters
-    location: '<location>'
     principalType: 'ServicePrincipal'
   }
 }
@@ -130,21 +129,18 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
   "parameters": {
     // Required parameters
     "name": {
-      "value": "arrawaf001"
+      "value": "<name>"
     },
     "principalId": {
       "value": "<principalId>"
     },
     "resourceId": {
-      "value": ""
+      "value": "<resourceId>"
     },
     "roleDefinitionId": {
       "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
     },
     // Non-required parameters
-    "location": {
-      "value": "<location>"
-    },
     "principalType": {
       "value": "ServicePrincipal"
     }
@@ -165,15 +161,14 @@ module resourceRoleAssignment 'br/public:avm/ptn/authorization/resource-role-ass
 | [`name`](#parameter-name) | string | The unique guid name for the role assignment. |
 | [`principalId`](#parameter-principalid) | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). |
 | [`resourceId`](#parameter-resourceid) | string | The scope for the role assignment, fully qualified resourceId. |
-| [`roleDefinitionId`](#parameter-roledefinitionid) | string | You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| [`roleDefinitionId`](#parameter-roledefinitionid) | string | The role definition ID for the role assignment. |
 
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`description`](#parameter-description) | string | The Description of role assignment. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`location`](#parameter-location) | string | Location deployment metadata. |
 | [`principalType`](#parameter-principaltype) | string | The principal type of the assigned principal ID. |
 | [`roleName`](#parameter-rolename) | string | The name for the role, used for logging. |
 
@@ -200,7 +195,7 @@ The scope for the role assignment, fully qualified resourceId.
 
 ### Parameter: `roleDefinitionId`
 
-You can provide the role definition as a fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+The role definition ID for the role assignment.
 
 - Required: Yes
 - Type: string
@@ -221,14 +216,6 @@ Enable/Disable usage telemetry for module.
 - Type: bool
 - Default: `True`
 
-### Parameter: `location`
-
-Location deployment metadata.
-
-- Required: No
-- Type: string
-- Default: `[deployment().location]`
-
 ### Parameter: `principalType`
 
 The principal type of the assigned principal ID.
@@ -262,6 +249,7 @@ The name for the role, used for logging.
 | Output | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Assignment. |
+| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. |
 | `resourceId` | string | The resource ID of the Role Assignment. |
 | `roleName` | string | The name for the role, used for logging. |
 

avm/ptn/authorization/resource-role-assignment/main.bicep

@@ -2,17 +2,15 @@ metadata name = 'ResourceRole Assignments (All scopes)'
 metadata description = 'This module deploys a Role Assignment for a specific resource.'
 metadata owner = 'Azure/module-maintainers'
 
-targetScope = 'subscription'
-
-// TODO: maybe a multiple roles assigned to a single principal?
+// targetScope = 'subscription'
 
 @sys.description('Required. The scope for the role assignment, fully qualified resourceId.')
 param resourceId string
 
 @sys.description('Required. The unique guid name for the role assignment.')
 param name string
 
-@sys.description('Required. You can provide the role definition as a fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+@sys.description('Required. The role definition ID for the role assignment.')
 param roleDefinitionId string
 
 @sys.description('Optional. The name for the role, used for logging.')
@@ -35,38 +33,33 @@ param principalType string = ''
 @sys.description('Optional. The Description of role assignment.')
 param description string = ''
 
-@sys.description('Optional. Location deployment metadata.')
-param location string = deployment().location
-
 @sys.description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
 // =============== //
 //   Definitions   //
 // =============== //
 
-resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
-  if (enableTelemetry) {
-    name: '46d3xbcp.ptn.authorization-resourceroleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    properties: {
-      mode: 'Incremental'
-      template: {
-        '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
-        contentVersion: '#_moduleVersion_#.0'
-        resources: []
-        outputs: {
-          telemetry: {
-            type: 'String'
-            value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
-          }
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+  name: '46d3xbcp.ptn.authorization-resourceroleassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '#_moduleVersion_#.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
         }
       }
     }
-    location: location
   }
+}
 
 resource resourceRoleAssignment 'Microsoft.Resources/deployments@2023-07-01' = {
-  name: take('rra-${name}-${last(split(resourceId,'/'))}', 64)
+  name: '${guid(resourceId, roleDefinitionId)}-ResourceRoleAssignment'
   properties: {
     mode: 'Incremental'
     expressionEvaluationOptions: {
@@ -81,7 +74,7 @@ resource resourceRoleAssignment 'Microsoft.Resources/deployments@2023-07-01' = {
         value: name
       }
       roleDefinitionId: {
-        value: roleDefinitionId
+        value: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
       }
       principalId: {
         value: principalId
@@ -104,3 +97,6 @@ output roleName string = roleName
 
 @sys.description('The resource ID of the Role Assignment.')
 output resourceId string = resourceRoleAssignment.properties.outputs.roleAssignmentId.value
+
+@sys.description('The name of the resource group the role assignment was applied at.')
+output resourceGroupName string = resourceGroup().name

avm/ptn/authorization/resource-role-assignment/main.json

@@ -216,4 +216,4 @@
       "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', take(format('rra-{0}-{1}', parameters('name'), last(split(parameters('resourceId'), '/'))), 64)), '2023-07-01').outputs.roleAssignmentId.value]"
     }
   }
-}
+}

avm/ptn/authorization/resource-role-assignment/modules/generic-role-assignment.json

@@ -40,7 +40,7 @@
             "scope": "[parameters('scope')]",
             "name": "[parameters('name')]",
             "properties": {
-                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
+                "roleDefinitionId": "[parameters('roleDefinitionId')]",
                 "principalId": "[parameters('principalId')]",
                 "principalType": "[parameters('principalType')]",
                 "description": "[parameters('description')]"