Microsoft.Authorization: Publish templates on different scopes by AlexanderSehr · Pull Request #1033 · Azure/ResourceModules

AlexanderSehr · 2022-02-22T08:51:14Z

Change

Features

Change model for nested files to be treated as child modules to align with other modules for publishing. This is a breaking change for the MS authorisation namespace
Updates on parameters metadata and add limits where they apply.
Testing now across all different scope types for each module where applicable.
added cuaID support for resource group scope deployments and outputs for resource group name to align with pester tests requirements.
added guidance and examples for using the modules across different scopes
Modules (root and children) are now publishable to template specs and bicep registry
Workflows for this namespace now point to the root deploy instead of the subscription child as the SP now supports management group deployments

Other changes

dependency pipeline additional policy assignment at management group scope.

known issues:

resource removal at the resource group level does not work. Will be resolved in another issue. This will render the pipelines red for this namespace if they support resource group scope. See Resource Removal issue when the root module (deploy.bicep) is management group scope and child module (deploy.bicep) is resource group scope #1042

GitHub workflows [setting remove modules to `false`]

Screenshots

Type of Change

Please delete options that are not relevant.

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
This change requires a documentation update (Wiki)

github-actions · 2022-02-22T21:48:18Z

Unit Test Results

    1 files ±    0 1 suites ±0 49s ⏱️ - 3m 3s
    4 tests -   31 4 ✔️ - 31     0 💤 ±    0 0 ❌ ±0
134 runs - 368 4 ✔️ - 31 130 💤 - 337 0 ❌ ±0

Results for commit bf8879f. ± Comparison against base commit 3bd8c62.

This pull request removes 35 and adds 4 tests. Note that renamed tests count towards both.

/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/apiVersionSets] used resource type [service/apiVersionSets] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/apis/policies] used resource type [service/apis/policies] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/apis] used resource type [service/apis/policies] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/apis] used resource type [service/apis] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/authorizationServers] used resource type [service/authorizationServers] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/backends] used resource type [service/backends] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/caches] used resource type [service/caches] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/identityProviders] used resource type [service/identityProviders] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/namedValues] used resource type [service/namedValues] should use on of the recent API version(s). Currently using [2021-08-01]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.ApiManagement/service/policies] used resource type [service/policies] should use on of the recent API version(s). Currently using [2021-08-01]
…

/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.Authorization/roleDefinitions/managementGroup] used resource type [roleDefinitions] should use on of the recent API version(s). Currently using [2018-01-01-preview]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.Authorization/roleDefinitions/resourceGroup] used resource type [roleDefinitions] should use on of the recent API version(s). Currently using [2018-01-01-preview]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.Authorization/roleDefinitions/subscription] used resource type [roleDefinitions] should use on of the recent API version(s). Currently using [2018-01-01-preview]
/home/runner/work/ResourceModules/ResourceModules/arm/.global/global.module.tests.ps1 ‑ API version tests [All apiVersions in the template should be 'recent'].In [Microsoft.Authorization/roleDefinitions] used resource type [roleDefinitions] should use on of the recent API version(s). Currently using [2018-01-01-preview]

♻️ This comment has been updated with latest results.

arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json

arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json

arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.parameters.json

arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json

arm/Microsoft.Authorization/roleAssignments/.parameters/mg.parameters.json

arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json

arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json

arm/Microsoft.Authorization/policyAssignments/readme.md

Co-authored-by: Alexander Sehr <ASehr@hotmail.de>

.azuredevops/platformPipelines/platform.dependencies.yml

...s/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep

Co-authored-by: Marius Storhaug <Marius.Storhaug@microsoft.com>

…ultiPrincipals/.bicep/nested_rbac.bicep Co-authored-by: Marius Storhaug <Marius.Storhaug@microsoft.com>

Co-authored-by: Marius Storhaug <Marius.Storhaug@microsoft.com>

…Modules into users/alsehr/rbac

AlexanderSehr added 6 commits February 18, 2022 17:12

Split role assignment module into child modules

d0fc757

Update to latest

b20ec85

Updated Test deployment & folder path

63fb853

Update to latest

3e70842

Added version files

ba49e6f

Updated dependency pipeline

65821df

AlexanderSehr linked an issue Feb 22, 2022 that may be closed by this pull request

Microsoft.Authorization Namespace: Should publish templates for different scopes #1032

Closed

AlexanderSehr assigned AlexanderSehr and ahmadabdalla Feb 22, 2022

AlexanderSehr added [cat] modules category: modules [cat] pipelines category: pipelines [cat] publishing category: publishing enhancement New feature or request labels Feb 22, 2022

AlexanderSehr added this to the v 0.5 milestone Feb 22, 2022

AlexanderSehr and others added 4 commits February 22, 2022 12:16

Update to latest

66e6d55

Update to latest

497336f

Fixed dependency pipeline

4f66ed1

initial commit for adding testing policy def

e48a540

ahmadabdalla added 8 commits February 23, 2022 09:47

update policy definitions

1a87c5e

update to latest

4bee410

policy assignments

a123df6

fixed pester errors for rg level assignments

7fb8306

removed mg and sub cuaid nested templates

ef8bb38

fixed resource group not scope

9e43d64

Updated Policy definitions

73faa68

attempt to get the publishing to work on child modules

cf91057

ahmadabdalla marked this pull request as draft February 23, 2022 23:31

ahmadabdalla added 2 commits February 24, 2022 10:38

updated policy assignments module

45c8acf

updated dep. pipeline and policy exemptions module

de07e9b