From d0fc757cc857e1230725cd3f38e473a19e7af695 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 18 Feb 2022 17:12:56 +0100 Subject: [PATCH 01/43] Split role assignment module into child modules --- .../ms.authorization.roleassignments.yml | 2 +- .../roleAssignments/deploy.bicep | 6 ++-- .../deploy.bicep} | 0 .../managementGroups/readme.md | 35 ++++++++++++++++++ .../deploy.bicep} | 0 .../roleAssignments/resourceGroups/readme.md | 36 +++++++++++++++++++ .../deploy.bicep} | 0 .../roleAssignments/subscriptions/readme.md | 35 ++++++++++++++++++ 8 files changed, 110 insertions(+), 4 deletions(-) rename arm/Microsoft.Authorization/roleAssignments/{.bicep/nested_rbac_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md rename arm/Microsoft.Authorization/roleAssignments/{.bicep/nested_rbac_rg.bicep => resourceGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md rename arm/Microsoft.Authorization/roleAssignments/{.bicep/nested_rbac_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml index d3428165a6..2be8f8f53e 100644 --- a/.github/workflows/ms.authorization.roleassignments.yml +++ b/.github/workflows/ms.authorization.roleassignments.yml @@ -98,7 +98,7 @@ jobs: - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/.bicep/nested_rbac_sub.bicep' + templateFilePath: '${{ env.modulePath }}/subscriptions/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' 
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index baf5ec09f7..c0fdd84ffb 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -44,7 +44,7 @@ param conditionVersion string = '2.0'
 ])
 param principalType string = ''
-module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -59,7 +59,7 @@ module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGr
 }
 }
-module roleAssignment_sub '.bicep/nested_rbac_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -74,7 +74,7 @@ module roleAssignment_sub '.bicep/nested_rbac_sub.bicep' = if (empty(managementG
 }
 }
-module roleAssignment_rg '.bicep/nested_rbac_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
rename to arm/Microsoft.Authorization/roleAssignments/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
new file mode 100644
index 0000000000..bc2e91eb4f
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
@@ -0,0 +1,35 @@ +# Authorization RoleAssignments ManagementGroups `[Microsoft.Authorization/roleAssignments/managementGroups]` + +This module deploys Authorization RoleAssignments ManagementGroups. +// TODO: Replace Resource and fill in description + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | +| `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | +| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `description` | string | | | Optional. Description of role assignment | +| `managementGroupId` | string | | | Required. Group ID of the Management Group to assign the RBAC role to | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment | +| `resourceId` | string | The scope this Role Assignment applies to | +| `scope` | string | The resource ID of the Role Assignment | + +## Template references + +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep rename to arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md new file mode 100644 index 0000000000..2604a9b840 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md 
@@ -0,0 +1,36 @@ +# Authorization RoleAssignments ResourceGroups `[Microsoft.Authorization/roleAssignments/resourceGroups]` + +This module deploys Authorization RoleAssignments ResourceGroups. +// TODO: Replace Resource and fill in description + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | +| `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | +| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `description` | string | | | Optional. Description of role assignment | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. Name of the Resource Group to assign the RBAC role to. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. 
| + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment | +| `resourceId` | string | The scope this Role Assignment applies to | +| `scope` | string | The resource ID of the Role Assignment | + +## Template references + +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep rename to arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md new file mode 100644 index 0000000000..76cdd2cd01 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md 
@@ -0,0 +1,35 @@ +# Authorization RoleAssignments Subscriptions `[Microsoft.Authorization/roleAssignments/subscriptions]` + +This module deploys Authorization RoleAssignments Subscriptions. +// TODO: Replace Resource and fill in description + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | +| `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | +| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `description` | string | | | Optional. Description of role assignment | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. 
| + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The GUID of the Role Assignment | +| `resourceId` | string | The scope this Role Assignment applies to | +| `scope` | string | The resource ID of the Role Assignment | + +## Template references + +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) From b20ec857fd9c47501a21e19ca0343dcd521bbf06 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 20 Feb 2022 12:57:42 +0100 Subject: [PATCH 02/43] Update to latest --- .../roleAssignments/managementGroups/readme.md | 5 ++--- .../roleAssignments/resourceGroups/readme.md | 5 ++--- .../roleAssignments/subscriptions/readme.md | 5 ++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md index bc2e91eb4f..9d10b0252d 100644 --- a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md @@ -1,7 +1,6 @@ -# Authorization RoleAssignments ManagementGroups `[Microsoft.Authorization/roleAssignments/managementGroups]` +# Role Assignment on Management Group Scope `[Microsoft.Authorization/roleAssignments]` -This module deploys Authorization RoleAssignments ManagementGroups. -// TODO: Replace Resource and fill in description +With this module you can perform role assignments on a Management Group level ## Resource Types diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md index 2604a9b840..5f01618e69 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md 
@@ -1,7 +1,6 @@
-# Authorization RoleAssignments ResourceGroups `[Microsoft.Authorization/roleAssignments/resourceGroups]`
+# Role Assignment on Resource Group Scope `[Microsoft.Authorization/roleAssignments]`
-This module deploys Authorization RoleAssignments ResourceGroups.
-// TODO: Replace Resource and fill in description
+With this module you can perform role assignments on a Resource Group level
 ## Resource Types
diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
index 76cdd2cd01..af7cd4eec4 100644
--- a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
@@ -1,7 +1,6 @@
-# Authorization RoleAssignments Subscriptions `[Microsoft.Authorization/roleAssignments/subscriptions]`
+# Role Assignment on Subscription Scope `[Microsoft.Authorization/roleAssignments]`
-This module deploys Authorization RoleAssignments Subscriptions.
-// TODO: Replace Resource and fill in description
+With this module you can perform role assignments on a Subscription level
 ## Resource Types
From 63fb853dd78cef64836c0496df574ec73fdd4713 Mon Sep 17 00:00:00 2001
From: MrMCake Date: Sun, 20 Feb 2022 13:38:13 +0100 Subject: [PATCH 03/43] Updated Test deployment & folder path --- .../jobs.validateModuleDeployment.yml | 2 +- .../templates/validateModuleDeployment/action.yml | 2 +- docs/wiki/TestingDesign.md | 2 +- .../Test-TemplateWithParameterFile.ps1 | 13 ++++++++++++- utilities/tools/Test-ModuleLocally.ps1 | 2 +- 5 files changed, 16 insertions(+), 5 deletions(-) rename utilities/pipelines/{resourceValidation => resourceDeployment}/Test-TemplateWithParameterFile.ps1 (92%)
diff --git a/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml b/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
index 373c58ab2c..0d263d687a 100644
--- a/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
+++ b/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
@@ -216,7 +216,7 @@ jobs:
 pwsh: true
 inline: |
 # Load used functions
- . (Join-Path '$(moduleRepoRoot)' '$(pipelineFunctionsPath)' 'resourceValidation' 'Test-TemplateWithParameterFile.ps1')
+ . (Join-Path '$(moduleRepoRoot)' '$(pipelineFunctionsPath)' 'resourceDeployment' 'Test-TemplateWithParameterFile.ps1')
 if(-not [String]::IsNullOrEmpty('${{ deploymentBlock.templateFilePath }}')) {
 $templateFilePath = Join-Path '$(moduleRepoRoot)' '${{ deploymentBlock.templateFilePath }}'
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index 7de3f13a47..8723340ce7 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -138,7 +138,7 @@ runs:
 Write-Output "::group::Validate [${{ inputs.templateFilePath }}]"
 # Load used functions
- . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceValidation' 'Test-TemplateWithParameterFile.ps1')
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceDeployment' 'Test-TemplateWithParameterFile.ps1')
 # ----------- #
 # INVOKE TEST #
diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md
index 1e2d6619fb..3c00246a99 100644
--- a/docs/wiki/TestingDesign.md
+++ b/docs/wiki/TestingDesign.md
@@ -85,7 +85,7 @@ If all other tests passed, the deployment tests are the ultimate module validati
 Most of the resources are deleted by default after their deployment, to keep costs down and to be able to retest resource modules from scratch in the next run. However, the removal step can be skipped in case further investigation on the deployed resource is needed. For further details, please refer to the (./PipelinesUsage) section.
-This happens using the `.github/actions/templates/validateModuleDeploy/scripts/Test-TemplateWithParameterFile.ps1` script.
+This happens using the `utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1` script.
 > **Note**
Currently the list of the parameter file used to test the module is hardcoded in the module specific workflow, as the **parameterFilePaths** in the _job_deploy_module_ and _job_tests_module_deploy_validate_ jobs.
diff --git a/utilities/pipelines/resourceValidation/Test-TemplateWithParameterFile.ps1 b/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
similarity index 92%
rename from utilities/pipelines/resourceValidation/Test-TemplateWithParameterFile.ps1
rename to utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
index dd7eee6f35..eb28bb0ecd 100644
--- a/utilities/pipelines/resourceValidation/Test-TemplateWithParameterFile.ps1
+++ b/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
@@ -27,6 +27,9 @@ Optional. ID of the subscription to deploy into. Mandatory if deploying into a s
 .PARAMETER managementGroupId
 Optional. Name of the management group to deploy into. Mandatory if deploying into a management group (management group level)
+.PARAMETER additionalParameters
+Optional. Additional parameters you can provide with the deployment. E.g. @{ resourceGroupName = 'myResourceGroup' }
+
 .EXAMPLE
 Test-TemplateWithParameterFile templateFilePath 'ARM/KeyVault/deploy.json' -parameterFilePath 'ARM/KeyVault/.parameters/parameters.json' -location 'WestEurope' -resourceGroupName 'aLegendaryRg'
@@ -57,7 +60,10 @@ function Test-TemplateWithParameterFile {
 [string] $subscriptionId,
 [Parameter(Mandatory = $false)]
- [string] $managementGroupId
+ [string] $managementGroupId,
+
+ [Parameter(Mandatory = $false)]
+ [Hashtable] $additionalParameters
 )
 begin {
@@ -77,6 +83,11 @@ function Test-TemplateWithParameterFile {
 }
 $ValidationErrors = $null
+ # Additional parameter object provided yes/no
+ if ($additionalParameters) {
+ $DeploymentInputs += $additionalParameters
+ }
+
 $deploymentScope = Get-ScopeOfTemplateFile -TemplateFilePath $templateFilePath
 #######################
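Review bot: In the third hunk of Test-TemplateWithParameterFile.ps1, `$DeploymentInputs += $additionalParameters` is hashtable addition, which throws a duplicate-key exception as soon as a caller passes a key that `$DeploymentInputs` already holds (presumably the case for the documented `resourceGroupName` example, since `$DeploymentInputs` is built above the hunk from the function's own parameters), so the new parameter can add but never override, and the failure is an opaque .NET error rather than a clear message. Either state in the `.PARAMETER additionalParameters` help that keys must not collide with the function's own inputs, or merge explicitly so precedence is deliberate: `foreach ($key in $additionalParameters.Keys) { $DeploymentInputs[$key] = $additionalParameters[$key] }`. A short comment saying which side wins on collision would also help whoever wires this parameter from pipeline YAML, as these values appear to be splatted straight into the deployment cmdlet. The enclosing `begin`/`process` bodies of the function lie outside the hunk.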
diff --git a/utilities/tools/Test-ModuleLocally.ps1 b/utilities/tools/Test-ModuleLocally.ps1
index 1cbe8f9e72..39a60c2be8 100644
--- a/utilities/tools/Test-ModuleLocally.ps1
+++ b/utilities/tools/Test-ModuleLocally.ps1
@@ -123,7 +123,7 @@ function Test-ModuleLocally {
 . (Join-Path $PSScriptRoot '../pipelines/tokensReplacement/Convert-TokensInFile.ps1')
 # Load Modules Validation / Deployment Scripts
 . (Join-Path $PSScriptRoot '../pipelines/resourceDeployment/New-ModuleDeployment.ps1')
- . (Join-Path $PSScriptRoot '../pipelines/resourceValidation/Test-TemplateWithParameterFile.ps1')
+ . (Join-Path $PSScriptRoot '../pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1')
 }
 process {
From 3e708426da5e43a6525f6dce46573cac909b7fec Mon Sep 17 00:00:00 2001
From: MrMCake Date: Sun, 20 Feb 2022 15:03:20 +0100 Subject: [PATCH 04/43] Update to latest --- .../resourceDeployment/Test-TemplateWithParameterFile.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1 b/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
index eb28bb0ecd..6624f6ef8a 100644
--- a/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
+++ b/utilities/pipelines/resourceDeployment/Test-TemplateWithParameterFile.ps1
@@ -109,7 +109,7 @@ function Test-TemplateWithParameterFile {
 if ($subscriptionId) {
 $Context = Get-AzContext -ListAvailable | Where-Object Subscription -Match $subscriptionId
 if ($Context) {
- $Context | Set-AzContext
+ $null = $Context | Set-AzContext
 }
 }
 if ($PSCmdlet.ShouldProcess('Subscription level deployment', 'Test')) {
From ba49e6f8b7ef3a08870f2e41cda0f8f67e0d8a6d Mon Sep 17 00:00:00 2001
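Review bot: The context selection just above the changed line in the PATCH 04 hunk, `Get-AzContext -ListAvailable | Where-Object Subscription -Match $subscriptionId`, is a regex match against the stringified Subscription object and can yield more than one context (several accounts or tenants for the same subscription), in which case piping `$Context` into `Set-AzContext` activates whichever came last; and when nothing matches, the `if ($Context)` guard skips the switch and the test deployment silently runs in whatever subscription is currently active. Suppressing the cmdlet output with `$null =` is fine, but the selection should be exact and a miss should be loud, since the caller explicitly asked for a specific subscription and the failure mode here is deploying into the wrong one: `$Context = Get-AzContext -ListAvailable | Where-Object { $_.Subscription.Id -eq $subscriptionId } | Select-Object -First 1` followed by `if (-not $Context) { throw "No Azure context found for subscription [$subscriptionId]" }`. The `if ($subscriptionId)` block is fully visible, but the function continues outside the hunk.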
From: MrMCake Date: Tue, 22 Feb 2022 09:41:41 +0100 Subject: [PATCH 05/43] Added version files --- .../roleAssignments/managementGroups/version.json | 4 ++++ .../roleAssignments/resourceGroups/version.json | 4 ++++ .../roleAssignments/subscriptions/version.json | 4 ++++ 3 files changed, 12 insertions(+) create mode 100644 arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json create mode 100644 arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json create mode 100644 arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json b/arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json b/arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json 
@@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} From 65821df78600fb8ebadaee0c620733939590d8bf Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 22 Feb 2022 09:46:03 +0100 Subject: [PATCH 06/43] Updated dependency pipeline --- .../modulePipelines/ms.authorization.roleassignments.yml | 4 ++-- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- .github/workflows/platform.dependencies.yml | 2 +- .../.bicep/nested_rbac.bicep | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml index b5797df0d5..db8c2d092a 100644 --- a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml +++ b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml @@ -43,9 +43,9 @@ stages: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_rbac_sub.bicep + templateFilePath: $(modulePath)/subscriptions/deploy.bicep - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_rbac_sub.bicep + templateFilePath: $(modulePath)/subscriptions/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index dd0300fa33..0924d5b8e2 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -800,7 +800,7 @@ stages: - deploy_msi variables: resourceType: 'Microsoft.Authorization/roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + templateFilePath: $(modulesPath)/$(resourceType)/subscriptions/deploy.bicep msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] jobs: - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 3876a9afac..af68b7fecc 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -1135,7 +1135,7 @@ jobs: - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' + templateFilePath: 'arm/${{ env.namespace }}/subscriptions/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep index e4faecb330..b2f641d5e4 100644 --- a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep +++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep 
@@ -302,7 +302,7 @@ module roleAssignments_mg '../../../../arm/Microsoft.Authorization/roleAssignmen
 }
 }]
-module roleAssignments_sub '../../../../arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep' = [for principalId in principalIds: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignments_sub '../../../../arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep' = [for principalId in principalIds: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: 'roleAssignments_sub-${guid(deployment().name, location, principalId)}'
 scope: subscription(subscriptionId)
 params: {
From 66e6d55b8230d754115bf01e0ecd299a8d3a8eca Mon Sep 17 00:00:00 2001
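Review bot: Only the `roleAssignments_sub` module path is repointed in this hunk, while PATCH 01 also moved `.bicep/nested_rbac_mg.bicep` and `.bicep/nested_rbac_rg.bicep` to `managementGroups/deploy.bicep` and `resourceGroups/deploy.bicep`; the hunk header shows `roleAssignments_mg` declared a few lines above and the diffstat lists a single changed line for this file, so unless a later commit in the series catches them, the MG and RG branches of this construct presumably still reference deleted files and the construct will not compile for those scopes. Please check the `roleAssignments_mg` and `roleAssignments_rg` module declarations in this file and update their paths the same way, e.g. `'../../../../arm/Microsoft.Authorization/roleAssignments/managementGroups/deploy.bicep'` and `'../../../../arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep'`. The same gap existed after PATCH 01, which updated only the GitHub workflow and left the Azure DevOps pipeline and the platform.dependencies references on the old `_sub` path until this commit, so a repo-wide search for `nested_rbac_` before merging would be worthwhile. The `roleAssignments_sub` module body continues outside the hunk.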
From: MrMCake Date: Tue, 22 Feb 2022 12:16:39 +0100 Subject: [PATCH 07/43] Update to latest --- .../policyAssignments/deploy.bicep | 6 +-- .../deploy.bicep} | 0 .../managementGroups/readme.md | 41 ++++++++++++++++++ .../managementGroups/version.json | 4 ++ .../policyAssignments/readme.md | 2 + .../deploy.bicep} | 0 .../resourceGroups/readme.md | 43 +++++++++++++++++++ .../resourceGroups/version.json | 4 ++ .../deploy.bicep} | 0 .../policyAssignments/subscriptions/readme.md | 41 ++++++++++++++++++ .../subscriptions/version.json | 4 ++ .../policyDefinitions/deploy.bicep | 4 +- .../deploy.bicep} | 0 .../managementGroups/readme.md | 34 +++++++++++++++ .../managementGroups/version.json | 4 ++ .../policyDefinitions/readme.md | 2 + .../deploy.bicep} | 0 .../policyDefinitions/subscriptions/readme.md | 34 +++++++++++++++ .../subscriptions/version.json | 4 ++ .../policyExemptions/deploy.bicep | 6 +-- .../deploy.bicep} | 0 .../managementGroups/readme.md | 35 +++++++++++++++ .../managementGroups/version.json | 4 ++ .../policyExemptions/readme.md | 2 + .../deploy.bicep} | 0 .../policyExemptions/resourceGroups/readme.md | 36 ++++++++++++++++ .../resourceGroups/version.json | 4 ++ .../deploy.bicep} | 0 .../policyExemptions/subscriptions/readme.md | 35 +++++++++++++++ .../subscriptions/version.json | 4 ++ .../policySetDefinitions/deploy.bicep | 4 +- .../deploy.bicep} | 0 .../managementGroups/readme.md | 33 ++++++++++++++ .../managementGroups/version.json | 4 ++ .../policySetDefinitions/readme.md | 2 + .../deploy.bicep} | 0 .../subscriptions/readme.md | 33 ++++++++++++++ .../subscriptions/version.json | 4 ++ .../managementGroups/readme.md | 4 +- .../roleAssignments/resourceGroups/readme.md | 4 +- .../roleAssignments/subscriptions/readme.md | 4 +- .../roleDefinitions/deploy.bicep | 6 +-- .../deploy.bicep} | 0 .../managementGroups/readme.md | 32 ++++++++++++++ .../managementGroups/version.json | 4 ++ .../deploy.bicep} | 0 .../roleDefinitions/resourceGroups/readme.md | 35 
+++++++++++++++ .../resourceGroups/version.json | 4 ++ .../deploy.bicep} | 0 .../roleDefinitions/subscriptions/readme.md | 34 +++++++++++++++ .../subscriptions/version.json | 4 ++ .../virtualHubs/hubRouteTables/readme.md | 1 - .../vaults/backupStorageConfig/readme.md | 1 - .../storageAccounts/blobServices/readme.md | 1 - .../storageAccounts/queueServices/readme.md | 1 - 55 files changed, 545 insertions(+), 23 deletions(-) rename arm/Microsoft.Authorization/policyAssignments/{.bicep/nested_policyAssignments_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json rename arm/Microsoft.Authorization/policyAssignments/{.bicep/nested_policyAssignments_rg.bicep => resourceGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json rename arm/Microsoft.Authorization/policyAssignments/{.bicep/nested_policyAssignments_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md create mode 100644 arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json rename arm/Microsoft.Authorization/policyDefinitions/{.bicep/nested_policyDefinitions_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json rename arm/Microsoft.Authorization/policyDefinitions/{.bicep/nested_policyDefinitions_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md create mode 100644 
arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json rename arm/Microsoft.Authorization/policyExemptions/{.bicep/nested_policyExemptions_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json rename arm/Microsoft.Authorization/policyExemptions/{.bicep/nested_policyExemptions_rg.bicep => resourceGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json rename arm/Microsoft.Authorization/policyExemptions/{.bicep/nested_policyExemptions_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md create mode 100644 arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json rename arm/Microsoft.Authorization/policySetDefinitions/{.bicep/nested_policySetDefinition_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json rename arm/Microsoft.Authorization/policySetDefinitions/{.bicep/nested_policySetDefinition_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json rename arm/Microsoft.Authorization/roleDefinitions/{.bicep/nested_roleDefinitions_mg.bicep => managementGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md create mode 100644 arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json rename 
arm/Microsoft.Authorization/roleDefinitions/{.bicep/nested_roleDefinitions_rg.bicep => resourceGroups/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md create mode 100644 arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json rename arm/Microsoft.Authorization/roleDefinitions/{.bicep/nested_roleDefinitions_sub.bicep => subscriptions/deploy.bicep} (100%) create mode 100644 arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md create mode 100644 arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index e2de855d0a..acb03bd824 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -54,7 +54,7 @@ param notScopes array = []
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policyAssignment_mg '.bicep/nested_policyAssignments_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -74,7 +74,7 @@ module policyAssignment_mg '.bicep/nested_policyAssignments_mg.bicep' = if (!emp
 }
 }
-module policyAssignment_sub '.bicep/nested_policyAssignments_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -94,7 +94,7 @@ module policyAssignment_sub '.bicep/nested_policyAssignments_sub.bicep' = if (em
 }
 }
-module policyAssignment_rg '.bicep/nested_policyAssignments_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module policyAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
rename to arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md
new file mode 100644
index 0000000000..82b33b5738
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md
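Review bot: The three `if (...)` conditions on the `policyAssignment_mg`, `policyAssignment_sub` and `policyAssignment_rg` declarations in the `@@ -54`, `@@ -74` and `@@ -94` hunks are mutually exclusive but not exhaustive: with `managementGroupId`, `subscriptionId` and `resourceGroupName` all empty, or with `managementGroupId` supplied together with `subscriptionId`, none of the three modules is deployed and, as far as these lines show, the deployment finishes without error while the policy is never assigned. For a control whose purpose is enforcement, a silent no-op is a harder failure to notice than a rejected deployment, so consider documenting the accepted scope combinations on the scope parameters (declared above the first hunk) and exposing which scope was selected through an output so the no-op case is visible in deployment results. The same three-way dispatch appears in the `policyExemption_*` hunks of policyExemptions/deploy.bicep, and the two-way form in policyDefinitions/deploy.bicep (`empty(subscriptionId) && !empty(managementGroupId)` / `empty(managementGroupId) && !empty(subscriptionId)`) has the same gap when both are empty. Each module's `params: {` body continues outside the hunk.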
@@ -0,0 +1,41 @@
+# Policy Assignment on Management Group level `[Microsoft.Authorization/policyAssignments/managementGroups]`
+
+With this module you can perform policy assignments on a management group level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyAssignments` | 2021-06-01 |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. This message will be part of response in case of policy violation. |
+| `displayName` | string | | | Optional. The display name of the policy assignment. |
+| `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce |
+| `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
+| `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
+| `managementGroupId` | string | | | Required. The Target Scope for the Policy. The name of the management group for the policy assignment |
+| `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy assignment. |
+| `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
+| `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
+| `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Assignment Name |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
+
+## Template references
+
+- [Policyassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json b/arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index ece9977e3b..66b2488d46 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -1,5 +1,7 @@
 # Policy Assignments `[Microsoft.Authorization/policyAssignments]`
+With this module you can perform policy assignments.
+
 ## Resource types
 | Resource Type | API Version |
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
rename to arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
new file mode 100644
index 0000000000..0a6758e588
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
@@ -0,0 +1,43 @@
+# Policy Assignment on Resource Group level `[Microsoft.Authorization/policyAssignments/resourceGroups]`
+
+With this module you can perform policy assignments on a resource group level
+
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyAssignments` | 2021-06-01 |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. This message will be part of response in case of policy violation. |
+| `displayName` | string | | | Optional. The display name of the policy assignment. |
+| `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce |
+| `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
+| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. |
+| `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy assignment. |
+| `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
+| `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
+| `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
+| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Assignment Name |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
+
+## Template references
+
+- [Policyassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep b/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
rename to arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md
new file mode 100644
index 0000000000..48d82c2380
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md
@@ -0,0 +1,41 @@
+# Policy Assignment on Subscription level `[Microsoft.Authorization/policyAssignments/subscriptions]`
+
+With this module you can perform policy assignments on a subscription level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyAssignments` | 2021-06-01 |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. This message will be part of response in case of policy violation. |
+| `displayName` | string | | | Optional. The display name of the policy assignment. |
+| `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce |
+| `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
+| `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
+| `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy assignment. |
+| `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
+| `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
+| `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Assignment Name |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
+
+## Template references
+
+- [Policyassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json b/arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index c106eba896..6a5cc654c6 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -38,7 +38,7 @@ param subscriptionId string = ''
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policyDefinition_mg '.bicep/nested_policyDefinitions_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+module policyDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -53,7 +53,7 @@ module policyDefinition_mg '.bicep/nested_policyDefinitions_mg.bicep' = if (empt
 }
 }
-module policyDefinition_sub '.bicep/nested_policyDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+module policyDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
rename to arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md
new file mode 100644
index 0000000000..6a4d35587b
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md
@@ -0,0 +1,34 @@
+# Policy Definitions on Management Group level `[Microsoft.Authorization/policyDefinitions/managementGroups]`
+
+With this module you can create policy definitions on a management group level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyDefinitions` | 2021-06-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The policy definition description. |
+| `displayName` | string | | | Optional. The display name of the policy definition. |
+| `managementGroupId` | string | | | Required. The group ID of the Management Group |
+| `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
+| `name` | string | | | Required. Specifies the name of the policy definition. |
+| `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. |
+| `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Definition Name |
+| `resourceId` | string | Policy Definition resource ID |
+| `roleDefinitionIds` | array | Policy Definition Role Definition IDs |
+
+## Template references
+
+- [Policydefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md
index ad5bf2f763..8f00903311 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
@@ -1,5 +1,7 @@
 # Policy Definitions `[Microsoft.Authorization/policyDefinitions]`
+With this module you can create policy set definitions.
+
 ## Resource types
 | Resource Type | API Version |
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
rename to arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md
new file mode 100644
index 0000000000..5397f2e9a0
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md
@@ -0,0 +1,34 @@
+# Policy Definitions on Subscription level `[Microsoft.Authorization/policyDefinitions/subscriptions]`
+
+With this module you can create policy definitions on a subscription level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyDefinitions` | 2021-06-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The policy definition description. |
+| `displayName` | string | | | Optional. The display name of the policy definition. |
+| `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
+| `name` | string | | | Required. Specifies the name of the policy definition. |
+| `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. |
+| `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Definition Name |
+| `resourceId` | string | Policy Definition resource ID |
+| `roleDefinitionIds` | array | Policy Definition Role Definition IDs |
+
+## Template references
+
+- [Policydefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyDefinitions)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
index e04247f6fc..65a2778ea9 100644
--- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
@@ -41,7 +41,7 @@ param resourceGroupName string = ''
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policyExemption_mg '.bicep/nested_policyExemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module policyExemption_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -57,7 +57,7 @@ module policyExemption_mg '.bicep/nested_policyExemptions_mg.bicep' = if (!empty
 }
 }
-module policyExemption_sub '.bicep/nested_policyExemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module policyExemption_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyExemption-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -73,7 +73,7 @@ module policyExemption_sub '.bicep/nested_policyExemptions_sub.bicep' = if (empt
 }
 }
-module policyExemption_rg '.bicep/nested_policyExemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module policyExemption_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyExemption-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep
rename to arm/Microsoft.Authorization/policyExemptions/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md b/arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md
new file mode 100644
index 0000000000..1e5f410351
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md
@@ -0,0 +1,35 @@
+# Policy Exemptions on Management Group level `[Microsoft.Authorization/policyExemptions/managementGroups]`
+
+With this module you can create policy exemptions on a management group level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyExemptions` | 2020-07-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The description of the policy exemption. |
+| `displayName` | string | | | Optional. The display name of the policy exemption. |
+| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
+| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
+| `managementGroupId` | string | | | Required. The group ID of the management group to be exempted from the policy assignment. |
+| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy exemption. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Exemption Name |
+| `resourceId` | string | Policy Exemption resource ID |
+| `scope` | string | Policy Exemption Scope |
+
+## Template references
+
+- [Policyexemptions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-07-01-preview/policyExemptions)
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json b/arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md
index db8449870b..b537817716 100644
--- a/arm/Microsoft.Authorization/policyExemptions/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/readme.md
@@ -1,5 +1,7 @@
 # Policy Exemptions `[Microsoft.Authorization/policyExemptions]`
+With this module you can create policy exemptions.
+
 ## Resource types
 | Resource Type | API Version |
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
rename to arm/Microsoft.Authorization/policyExemptions/resourceGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md
new file mode 100644
index 0000000000..3a36e1fdfc
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md 
@@ -0,0 +1,36 @@
+# Policy Exemptions on Resource Group level `[Microsoft.Authorization/policyExemptions/resourceGroups]`
+
+With this module you can create policy exemptions on a resource group level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyExemptions` | 2020-07-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The description of the policy exemption. |
+| `displayName` | string | | | Optional. The display name of the policy exemption. |
+| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
+| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
+| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy exemption. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the resource group to be exempted from the policy assignment. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Exemption Name |
+| `resourceId` | string | Policy Exemption resource ID |
+| `scope` | string | Policy Exemption Scope |
+
+## Template references
+
+- [Policyexemptions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-07-01-preview/policyExemptions)
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json b/arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep b/arm/Microsoft.Authorization/policyExemptions/subscriptions/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
rename to arm/Microsoft.Authorization/policyExemptions/subscriptions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md
new file mode 100644
index 0000000000..a96807e870
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md
@@ -0,0 +1,35 @@
+# Policy Exemptions on Subscription level `[Microsoft.Authorization/policyExemptions/subscriptions]`
+
+With this module you can create policy exemptions on a subscription level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policyExemptions` | 2020-07-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The description of the policy exemption. |
+| `displayName` | string | | | Optional. The display name of the policy exemption. |
+| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
+| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
+| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy exemption. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment.
|
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Exemption Name |
+| `resourceId` | string | Policy Exemption resource ID |
+| `scope` | string | Policy Exemption Scope |
+
+## Template references
+
+- [Policyexemptions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-07-01-preview/policyExemptions)
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json b/arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
index e234da767e..d2a2a600bf 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
@@ -31,7 +31,7 @@ param parameters object = {}
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policySetDefinition_mg '.bicep/nested_policySetDefinition_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+module policySetDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
 name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
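Review bot: The rewritten `module policySetDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId))` and its sibling `policySetDefinition_sub` in the next hunk use complementary conditions, so a caller that leaves both `managementGroupId` and `subscriptionId` empty, or sets both, gets a deployment that succeeds while deploying no child module at all. For a policy guardrail that means a green pipeline with the control never created, which is worth stating at the top of the orchestrator, e.g. `// Exactly one of managementGroupId / subscriptionId must be non-empty; with none or both set no child module is deployed and the deployment succeeds without creating anything.`. The same holds for the three-way conditions in the roleDefinitions/deploy.bicep hunks further down (`-33,7`, `-46,7` and `-61,7`), where for instance `managementGroupId` together with `subscriptionId` also selects nothing. The module bodies continue outside the hunk.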
@@ -46,7 +46,7 @@ module policySetDefinition_mg '.bicep/nested_policySetDefinition_mg.bicep' = if
 }
 }
-module policySetDefinition_sub '.bicep/nested_policySetDefinition_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+module policySetDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
rename to arm/Microsoft.Authorization/policySetDefinitions/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md
new file mode 100644
index 0000000000..26c9588940
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md
@@ -0,0 +1,33 @@
+# Policy Set Definitions on Management Group level `[Microsoft.Authorization/policySetDefinitions/managementGroups]`
+
+With this module you can create policy set definitions on a management group level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policySetDefinitions` | 2021-06-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The Description name of the Set Definition (Initiative) |
+| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) |
+| `managementGroupId` | string | | | Required. The group ID of the Management Group |
+| `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). |
+| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
+| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Set Definition Name |
+| `resourceId` | string | Policy Set Definition resource ID |
+
+## Template references
+
+- [Policysetdefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
index 89f8b7d897..2de57e5d25 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -1,5 +1,7 @@
 # Policy Set Definitions `[Microsoft.Authorization/policySetDefinitions]`
+With this module you can create policy set definitions.
+
 ## Resource types
 | Resource Type | API Version |
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep b/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
rename to arm/Microsoft.Authorization/policySetDefinitions/subscriptions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md
new file mode 100644
index 0000000000..97cfbf9f54
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md
@@ -0,0 +1,33 @@
+# Policy Set Definitions on Subscription level `[Microsoft.Authorization/policySetDefinitions/subscriptions]`
+
+With this module you can create policy set definitions on a subscription level.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/policySetDefinitions` | 2021-06-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `description` | string | | | Optional. The Description name of the Set Definition (Initiative) |
+| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) |
+| `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
+| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). |
+| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
+| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | Policy Set Definition Name |
+| `resourceId` | string | Policy Set Definition resource ID |
+
+## Template references
+
+- [Policysetdefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policySetDefinitions)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
index 9d10b0252d..5d66ef0119 100644
--- a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
@@ -1,6 +1,6 @@
-# Role Assignment on Management Group Scope `[Microsoft.Authorization/roleAssignments]`
+# Role Assignment on Management Group level `[Microsoft.Authorization/roleAssignments/managementGroups]`
-With this module you can perform role assignments on a Management Group level
+With this module you can perform role assignments on a management group level
 ## Resource Types
diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md
index 5f01618e69..fdff86db44 100644
--- a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md
@@ -1,6 +1,6 @@
-# Role Assignment on Resource Group Scope `[Microsoft.Authorization/roleAssignments]`
+# Role Assignment on Resource Group level `[Microsoft.Authorization/roleAssignments/resourceGroups]`
-With this module you can perform role assignments on a Resource Group level
+With this module you can perform role assignments on a resource group level
 ## Resource Types
diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
index af7cd4eec4..eb156268e1 100644
--- a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md
@@ -1,6 +1,6 @@
-# Role Assignment on Subscription Scope `[Microsoft.Authorization/roleAssignments]`
+# Role Assignment on Subscription level `[Microsoft.Authorization/roleAssignments/subscriptions]`
-With this module you can perform role assignments on a Subscription level
+With this module you can perform role assignments on a subscription level
 ## Resource Types
diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
index 70da565a26..d34a1eb62f 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
@@ -33,7 +33,7 @@ param location string = deployment().location
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
 param assignableScopes array = []
-module roleDefinition_mg '.bicep/nested_roleDefinitions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -46,7 +46,7 @@ module roleDefinition_mg '.bicep/nested_roleDefinitions_mg.bicep' = if (!empty(m
 }
 }
-module roleDefinition_sub '.bicep/nested_roleDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -61,7 +61,7 @@ module roleDefinition_sub '.bicep/nested_roleDefinitions_sub.bicep' = if (empty(
 }
 }
-module roleDefinition_rg '.bicep/nested_roleDefinitions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleDefinition_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep b/arm/Microsoft.Authorization/roleDefinitions/managementGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep
rename to arm/Microsoft.Authorization/roleDefinitions/managementGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md
new file mode 100644
index 0000000000..67cbee6559
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md
@@ -0,0 +1,32 @@
+# Role Definitions on Management Group level `[Microsoft.Authorization/roleDefinitions/managementGroups]`
+
+With this module you can create role definitions on a management group level
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/roleDefinitions` | 2018-01-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `actions` | array | `[]` | | Optional. List of allowed actions. |
+| `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. |
+| `description` | string | | | Optional. Description of the custom RBAC role to be created. |
+| `managementGroupId` | string | | | Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. |
+| `notActions` | array | `[]` | | Optional. List of denied actions. |
+| `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The GUID of the Role Definition |
+| `resourceId` | string | The resource ID of the Role Definition |
+| `scope` | string | The scope this Role Definition applies to |
+
+## Template references
+
+- [Roledefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2018-01-01-preview/roleDefinitions)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep
rename to arm/Microsoft.Authorization/roleDefinitions/resourceGroups/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md
new file mode 100644
index 0000000000..489a8f9e96
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md
@@ -0,0 +1,35 @@
+# Role Definitions on Resource Group level `[Microsoft.Authorization/roleDefinitions/resourceGroups]`
+
+With this module you can create role definitions on a resource group level
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/roleDefinitions` | 2018-01-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `actions` | array | `[]` | | Optional. List of allowed actions. |
+| `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. |
+| `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes |
+| `description` | string | | | Optional. Description of the custom RBAC role to be created. |
+| `notActions` | array | `[]` | | Optional. List of denied actions. |
+| `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
+| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. |
+| `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The GUID of the Role Definition |
+| `resourceId` | string | The resource ID of the Role Definition |
+| `scope` | string | The scope this Role Definition applies to |
+
+## Template references
+
+- [Roledefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2018-01-01-preview/roleDefinitions)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json b/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep b/arm/Microsoft.Authorization/roleDefinitions/subscriptions/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep
rename to arm/Microsoft.Authorization/roleDefinitions/subscriptions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md
new file mode 100644
index 0000000000..b6ddd12199
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md
@@ -0,0 +1,34 @@
+# Role Definitions on Subscription level `[Microsoft.Authorization/roleDefinitions/subscriptions]`
+
+With this module you can create role definitions on a subscription level
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/roleDefinitions` | 2018-01-01-preview |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `actions` | array | `[]` | | Optional. List of allowed actions. |
+| `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. |
+| `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes |
+| `description` | string | | | Optional. Description of the custom RBAC role to be created. |
+| `notActions` | array | `[]` | | Optional. List of denied actions. |
+| `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
+| `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The GUID of the Role Definition |
+| `resourceId` | string | The resource ID of the Role Definition |
+| `scope` | string | The scope this Role Definition applies to |
+
+## Template references
+
+- [Roledefinitions](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2018-01-01-preview/roleDefinitions)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.Network/virtualHubs/hubRouteTables/readme.md b/arm/Microsoft.Network/virtualHubs/hubRouteTables/readme.md
index 0305c25995..3898449310 100644
--- a/arm/Microsoft.Network/virtualHubs/hubRouteTables/readme.md
+++ b/arm/Microsoft.Network/virtualHubs/hubRouteTables/readme.md
@@ -2,7 +2,6 @@ This module deploys virtual hub route tables.
-
 ## Resource Types
 | Resource Type | API Version |
diff --git a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
index d4bedcaad6..e4502785b6 100644
--- a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
+++ b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
@@ -17,7 +17,6 @@ This module deploys the Backup Storage Configuration for the Recovery Service Va
 | `recoveryVaultName` | string | | | Required. Name of the Azure Recovery Service Vault |
 | `storageModelType` | string | `GeoRedundant` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Optional. Change Vault Storage Type (Works if vault has not registered any backup instance) |
-
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
index 73bf955e50..fabfe84131 100644
--- a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
@@ -31,7 +31,6 @@ This module can be used to deploy a blob service into a storage account.
 | `name` | string | `default` | | Optional. The name of the blob service |
 | `storageAccountName` | string | | | Required. Name of the Storage Account. |
-
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md
index c22e0b3c80..7b87611be7 100644
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md
@@ -27,7 +27,6 @@ This module can be used to deploy a file share service into a storage account.
 | `queues` | _[queues](queues/readme.md)_ array | `[]` | | Optional. Queues to create. |
 | `storageAccountName` | string | | | Required. Name of the Storage Account. |
-
 ## Outputs
 | Output Name | Type | Description |
From 497336f6d2d1cbc7761b6c2df0e09f98e5d4f512 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 22 Feb 2022 12:19:25 +0100
Subject: [PATCH 08/43] Update to latest
---
 .../policyAssignments/resourceGroups/readme.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
index 0a6758e588..df0e6a6e0c 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
@@ -2,7 +2,6 @@ With this module you can perform policy assignments on a resource group level
-
 ## Resource Types
 | Resource Type | API Version |
From 4f66ed1b6ca470a3589f5e415f2cd857afe8feb9 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 22 Feb 2022 12:26:05 +0100
Subject: [PATCH 09/43] Fixed dependency pipeline
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 .github/workflows/platform.dependencies.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 0924d5b8e2..7d931b6740 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -91,7 +91,7 @@ stages:
 - deploy_rg
 variables:
 resourceType: 'Microsoft.Authorization/policyAssignments'
- templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep
+ templateFilePath: $(modulesPath)/$(resourceType)/subscriptions/deploy.bicep
 jobs:
 - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
 parameters:
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index af68b7fecc..8dab1d89bc 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -146,7 +146,7 @@ jobs:
 - name: 'Deploy module'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
- templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep'
+ templateFilePath: 'arm/${{ env.namespace }}/subscriptions/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.defaultResourceGroupName }}'
From e48a540611ffc04524fb4eb8c19c318f1eda611d Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 23 Feb 2022 08:44:11 +1100
Subject: [PATCH 10/43] initial commit for adding testing policy def
---
 .../ms.authorization.policydefinitions.yml | 10 ++-
 .../.parameters/mg.min.parameters.json | 38 ++++++++++
 .../.parameters/mg.parameters.json | 72 +++++++++++++++++++
 ...arameters.json => sub.min.parameters.json} | 2 +-
 .../{parameters.json => sub.parameters.json} | 6 +-
 .../policyDefinitions/deploy.bicep | 1 +
 .../managementGroups/deploy.bicep | 1 +
 .../subscriptions/deploy.bicep | 1 +
 8 files changed, 125 insertions(+), 6 deletions(-)
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
 rename arm/Microsoft.Authorization/policyDefinitions/.parameters/{min.parameters.json => sub.min.parameters.json} (94%)
 rename arm/Microsoft.Authorization/policyDefinitions/.parameters/{parameters.json => sub.parameters.json} (90%)
diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml
index a82a689df1..bbe8334fe3 100644
--- a/.github/workflows/ms.authorization.policydefinitions.yml
+++ b/.github/workflows/ms.authorization.policydefinitions.yml
@@ -81,7 +81,13 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- parameterFilePaths: ['parameters.json', 'min.parameters.json']
+ parameterFilePaths:
+ [
+ 'mg.min.parameters.json',
+ 'mg.parameters.json',
+ 'sub.min.parameters.json',
+ 'sub.parameters.json',
+ ]
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -98,7 +104,7 @@ jobs:
 - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
- templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyDefinitions_sub.bicep'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json
new file mode 100644
index 0000000000..4d6ac36de5
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-mg-min-policyDef"
+ },
+ "policyRule": {
+ "value": {
+ "if": {
+ "allOf": [
+ {
+ "equals": "Microsoft.KeyVault/vaults",
+ "field": "type"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ },
+ "parameters": {
+ "value": {
+ "effect": {
+ "allowedValues": [
+ "Audit"
+ ],
+ "defaultValue": "Audit",
+ "type": "String"
+ }
+ }
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
new file mode 100644
index 0000000000..e35340c887
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
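Review bot: The `sub.*` fixtures this matrix now routes through `${{ env.modulePath }}/deploy.bicep` appear to carry no `subscriptionId`, yet that orchestrator declares `targetScope = 'managementGroup'` (last hunk of this patch) and, following the pattern of policySetDefinitions/deploy.bicep earlier in this series, would pick its subscription child only when `subscriptionId` is non-empty. The visible hunks for `sub.min.parameters.json` and `sub.parameters.json` (`-3,7` and `-3,13` below) only rename fixtures, so if no `subscriptionId` exists in the unshown remainder, those two matrix entries deploy nothing and the job passes vacuously; please confirm. The step also still passes `location` and `resourceGroupName` to a management-group-scoped template, so whether `validateModuleDeployment` supports that scope deserves a check. A comment on the matrix such as `# mg.* / sub.* fixtures select the management-group or subscription child through the orchestrator's scope parameters` would make the intent explicit.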
@@ -0,0 +1,72 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-mg-policyDef"
+ },
+ "displayName": {
+ "value": "[DisplayName] This policy definition is deployed at subscription scope"
+ },
+ "description": {
+ "value": "[Description] This policy definition is deployed at subscription scope"
+ },
+ "policyRule": {
+ "value": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "exists": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "modify",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
+ ],
+ "operations": [
+ {
+ "operation": "add",
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "value": "[parameters('tagValue')]"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "value": {
+ "tagName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Tag Name",
+ "description": "Name of the tag, such as 'environment'"
+ }
+ },
+ "tagValue": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Tag Value",
+ "description": "Value of the tag, such as 'production'"
+ }
+ }
+ }
+ },
+ "metadata": {
+ "value": {
+ "category": "Security"
+ }
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/min.parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.min.parameters.json
similarity index 94%
rename from arm/Microsoft.Authorization/policyDefinitions/.parameters/min.parameters.json
rename to arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.min.parameters.json
index 2ec0f2a318..f2cd03cfb5 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.parameters/min.parameters.json
+++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.min.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "<>-deny-keyvault-public-min"
+ "value": "<>-sub-min-policyDef"
 },
 "policyRule": {
 "value": {
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.parameters.json
similarity index 90%
rename from arm/Microsoft.Authorization/policyDefinitions/.parameters/parameters.json
rename to arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.parameters.json
index 0758fa8e21..e445127518 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/sub.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "<>-add-tag-to-sub-policy"
+ "value": "<>-sub-policyDef"
 },
 "displayName": {
- "value": "[Test] This policy adds tags to a subscription"
+ "value": "[DisplayName] This policy definition is deployed at subscription scope"
 },
 "description": {
- "value": "This is the description of a policy that adds tags to a subscription"
+ "value": "[Description] This policy definition is deployed at subscription scope"
 },
 "policyRule": {
 "value": {
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index 6a5cc654c6..389d41a77f 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -5,6 +5,7 @@ targetScope = 'managementGroup'
 param name string
 @sys.description('Optional. The display name of the policy definition.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Optional. The policy definition description.')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
index 4e64f8d450..61e7d91a6a 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
@@ -5,6 +5,7 @@ targetScope = 'managementGroup'
 param name string
 @sys.description('Optional. The display name of the policy definition.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Optional. The policy definition description.')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
index 17475973c2..b280456df9 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
@@ -5,6 +5,7 @@ targetScope = 'subscription'
 param name string
 @sys.description('Optional. The display name of the policy definition.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Optional. The policy definition description.')
From 1a87c5e7a4a926c68b93efb479cfb14e45e9d9e2 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 23 Feb 2022 09:47:53 +1100 Subject: [PATCH 11/43] update policy definitions
---
 .../policyDefinitions/.parameters/mg.parameters.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
index e35340c887..7196de6154 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
+++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.parameters.json
@@ -6,10 +6,10 @@
 "value": "<>-mg-policyDef"
 },
 "displayName": {
- "value": "[DisplayName] This policy definition is deployed at subscription scope"
+ "value": "[DisplayName] This policy definition is deployed at the management group scope"
 },
 "description": {
- "value": "[Description] This policy definition is deployed at subscription scope"
+ "value": "[Description] This policy definition is deployed at the management group scope"
 },
 "policyRule": {
 "value": {
From 4bee410b12e90f381a325954475fb51539e67627 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 23 Feb 2022 10:29:41 +1100 Subject: [PATCH 12/43] update to latest
---
 .../policyDefinitions/managementGroups/deploy.bicep | 4 ++-- .../policyDefinitions/managementGroups/readme.md | 4 ++-- .../policyDefinitions/subscriptions/deploy.bicep | 4 ++-- .../policyDefinitions/subscriptions/readme.md | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
index 61e7d91a6a..8646713449 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
@@ -1,10 +1,10 @@
 targetScope = 'managementGroup'
-@sys.description('Required. Specifies the name of the policy definition.')
+@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters')
 @maxLength(64)
 param name string
-@sys.description('Optional. The display name of the policy definition.')
+@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters')
 @maxLength(128)
 param displayName string = ''
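Review bot: The two new `@sys.description` strings in managementGroups/deploy.bicep end without a terminal period (`... Maximum length is 64 characters'` and `... Maximum length is 128 characters'`), whereas the strings they replace and every other description in the file end with one; the matching hunk in subscriptions/deploy.bicep in this same patch has the same omission. Suggest `@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters.')` and `@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')`. The readme rows changed in this patch repeat the text verbatim, so they would need the same edit if the tables are kept in sync by hand.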
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md index 6a4d35587b..46a1c4b29b 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md @@ -13,11 +13,11 @@ With this module you can create policy definitions on a management group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | -| `displayName` | string | | | Optional. The display name of the policy definition. | +| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters | | `managementGroupId` | string | | | Required. The group ID of the Management Group | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `name` | string | | | Required. Specifies the name of the policy definition. | +| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep index b280456df9..fbb9cdc258 100644 
--- a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep
@@ -1,10 +1,10 @@
 targetScope = 'subscription'
-@sys.description('Required. Specifies the name of the policy definition.')
+@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters')
 @maxLength(64)
 param name string
-@sys.description('Optional. The display name of the policy definition.')
+@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters')
 @maxLength(128)
 param displayName string = ''
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md
index 5397f2e9a0..32059c69ed 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md
@@ -13,10 +13,10 @@ With this module you can create policy definitions on a subscription level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | -| `displayName` | string | | | Optional. The display name of the policy definition. | +| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `name` | string | | | Required. Specifies the name of the policy definition. | +| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | | `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription | From a123df64a455f52defad77fd90be4529bddbe32f Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 23 Feb 2022 12:54:45 +1100 Subject: [PATCH 13/43] policy assignments
---
 .../ms.authorization.policyassignments.yml | 12 +++- .../.parameters/mg.min.parameters.json | 15 +++++ .../.parameters/mg.parameters.json | 59 +++++++++++++++++++ .../.parameters/rg.min.parameters.json | 18 ++++++ .../{parameters.json => rg.parameters.json} | 9 ++- ...arameters.json => sub.min.parameters.json} | 2 +- .../.parameters/sub.parameters.json | 59 +++++++++++++++++++ .../policyAssignments/deploy.bicep | 10 ++-- .../managementGroups/deploy.bicep | 5 +- .../managementGroups/readme.md | 4 +- .../policyAssignments/readme.md | 4 +- .../resourceGroups/deploy.bicep | 7 ++- .../resourceGroups/readme.md | 4 +- .../subscriptions/deploy.bicep | 7 ++- .../policyAssignments/subscriptions/readme.md | 4 +- 15 files changed, 192 insertions(+), 27 deletions(-) create mode 100644 arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json create mode 100644 arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json create mode 100644 arm/Microsoft.Authorization/policyAssignments/.parameters/rg.min.parameters.json rename arm/Microsoft.Authorization/policyAssignments/.parameters/{parameters.json => rg.parameters.json} (80%) rename arm/Microsoft.Authorization/policyAssignments/.parameters/{min.parameters.json => sub.min.parameters.json} (88%) create mode 100644 arm/Microsoft.Authorization/policyAssignments/.parameters/sub.parameters.json
diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml
index d35c7f00e3..d3f7ab32f1 100644
--- a/.github/workflows/ms.authorization.policyassignments.yml
+++ b/.github/workflows/ms.authorization.policyassignments.yml
@@ -81,7 +81,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- parameterFilePaths: ['parameters.json', 'min.parameters.json']
+ parameterFilePaths:
+ [
+ 'mg.parameters.json',
+ 'mg.min.parameters.json',
+ 'sub.parameters.json',
+ 'sub.min.parameters.json',
+ 'rg.parameters.json',
+ 'rg.min.parameters.json',
+ ]
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -98,7 +106,7 @@ jobs:
 - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
- templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyAssignments_sub.bicep'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json
new file mode 100644
index 0000000000..c5094de728
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-min-mg-polAss"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json
new file mode 100644
index 0000000000..f140b8c7ed
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json
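Review bot: The new mg.min.parameters.json keys the definition as `policyDefinitionID`, while mg.parameters.json in the same patch and the Bicep parameter it feeds (`param policyDefinitionId string` in deploy.bicep) spell it `policyDefinitionId`; the new rg.min.parameters.json carries the same spelling. As far as I know the deployment engine matches parameter names case-insensitively, so this deploys, but a grep for the parameter now misses the minimal test files and the inconsistency is easy to copy forward into the next scope. Suggest `"policyDefinitionId": {` in both new files; the renamed sub.min.parameters.json shows the old spelling as a context line and could be aligned in the same pass.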
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-mg-polAss"
+ },
+ "displayName": {
+ "value": "[Display Name] Policy Assignment at the management group scope"
+ },
+ "description": {
+ "value": "[Description] Policy Assignment at the management group scope"
+ },
+ "policyDefinitionId": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
+ },
+ "parameters": {
+ "value": {
+ "tagName": {
+ "value": "env"
+ },
+ "tagValue": {
+ "value": "prod"
+ }
+ }
+ },
+ "nonComplianceMessage": {
+ "value": "Violated Policy Assignment - This is a Non Compliance Message"
+ },
+ "enforcementMode": {
+ "value": "DoNotEnforce"
+ },
+ "metadata": {
+ "value": {
+ "category": "Security",
+ "version": "1.0"
+ }
+ },
+ "location": {
+ "value": "australiaeast"
+ },
+ "notScopes": {
+ "value": [
+ "/subscriptions/<>/resourceGroups/validation-rg"
+ ]
+ },
+ "identity": {
+ "value": "SystemAssigned"
+ },
+ "roleDefinitionIds": {
+ "value": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.min.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.min.parameters.json
new file mode 100644
index 0000000000..de4e5052aa
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.min.parameters.json
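Review bot: `roleDefinitionIds` in the new mg.parameters.json hands the assignment's system-assigned identity role `b24988ac-6180-42a0-ab88-20f7382dd24c` (the built-in Contributor role) at management-group scope, far wider than a tag-adding policy needs: the `tagName`/`tagValue` parameters and the description dropped from rg.parameters.json in this same patch show `4f9dc7db-30c1-420c-b61a-e1d640128d26` is the add-tag modify policy, and the policy definition added in patch 10 grants only `4a9ae827-6dc8-4573-8ac7-8239d42aa03f` (Tag Contributor) for the same operation. `enforcementMode: DoNotEnforce` does not appear to narrow this — per the `roleDefinitionIds` description in deploy.bicep the list drives role assignments for the identity independently of whether the effect runs, so the grant would stand for as long as the validation assignment exists. Suggest `"/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"` here; the new sub.parameters.json in this patch uses the same Contributor ID and should change with it.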
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-min-rg-polAss"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
+ },
+ "subscriptionId": {
+ "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
similarity index 80%
rename from arm/Microsoft.Authorization/policyAssignments/.parameters/parameters.json
rename to arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
index a38772fd79..fba7dfcce4 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "<>-pass-tag"
+ "value": "<>-rg-polAss"
 },
 "displayName": {
- "value": "Add a tag to resources"
+ "value": "[Display Name] Policy Assignment at the resource group scope"
 },
 "description": {
- "value": "Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups."
+ "value": "[Description] Policy Assignment at the resource group scope"
 },
 "policyDefinitionId": {
 "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
@@ -54,6 +54,9 @@
 },
 "subscriptionId": {
 "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/min.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/sub.min.parameters.json
similarity index 88%
rename from arm/Microsoft.Authorization/policyAssignments/.parameters/min.parameters.json
rename to arm/Microsoft.Authorization/policyAssignments/.parameters/sub.min.parameters.json
index 71ca5bea76..ebadf2e43b 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.parameters/min.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/sub.min.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "<>-pass-vm-disk"
+ "value": "<>-min-sub-polAss"
 },
 "policyDefinitionID": {
 "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/sub.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/sub.parameters.json
new file mode 100644
index 0000000000..cc671f092a
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/sub.parameters.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-sub-polAss"
+ },
+ "displayName": {
+ "value": "[Display Name] Policy Assignment at the subscription scope"
+ },
+ "description": {
+ "value": "[Description] Policy Assignment at the subscription scope"
+ },
+ "policyDefinitionId": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
+ },
+ "parameters": {
+ "value": {
+ "tagName": {
+ "value": "env"
+ },
+ "tagValue": {
+ "value": "prod"
+ }
+ }
+ },
+ "nonComplianceMessage": {
+ "value": "Violated Policy Assignment - This is a Non Compliance Message"
+ },
+ "enforcementMode": {
+ "value": "DoNotEnforce"
+ },
+ "metadata": {
+ "value": {
+ "category": "Security",
+ "version": "1.0"
+ }
+ },
+ "location": {
+ "value": "australiaeast"
+ },
+ "notScopes": {
+ "value": [
+ "/subscriptions/<>/resourceGroups/validation-rg"
+ ]
+ },
+ "identity": {
+ "value": "SystemAssigned"
+ },
+ "roleDefinitionIds": {
+ "value": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ },
+ "subscriptionId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index acb03bd824..5699fad6f2 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -1,12 +1,15 @@
 targetScope = 'managementGroup'
-@sys.description('Required. Specifies the name of the policy assignment.')
-@maxLength(24)
+@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.')
 param name string
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
+@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
+@maxLength(128)
+param displayName string = ''
+
 @sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
 param policyDefinitionId string
@@ -23,9 +26,6 @@ param identity string = 'SystemAssigned'
 @sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
 param roleDefinitionIds array = []
-@sys.description('Optional. The display name of the policy assignment.')
-param displayName string = ''
-
 @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep
index a1346f585c..3009920754 100644
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep
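Review bot: Dropping `@maxLength(24)` from `name` leaves the orchestrator with no length validation at all, so an over-long name is now rejected only inside the nested deployment by the child module (managementGroups/deploy.bicep in the next hunk keeps `@maxLength(24)`; the subscription and resource-group children move to 64), i.e. after the outer deployment has started rather than when this template is validated. Since the new description already states the per-scope limits, the looser bound can still be enforced here without blocking any valid input: put `@maxLength(64)` back above `param name string` and leave the 24-character management-group limit to the child. The move of `displayName` to the top of the file with its new `@maxLength(128)` looks fine.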
@@ -1,13 +1,14 @@
 targetScope = 'managementGroup'
-@sys.description('Required. Specifies the name of the policy assignment.')
+@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.')
 @maxLength(24)
 param name string
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
-@sys.description('Optional. The display name of the policy assignment.')
+@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md
index 82b33b5738..db38102b28 100644
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md
@@ -14,13 +14,13 @@ With this module you can perform policy assignments on a management group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Required. The Target Scope for the Policy. The name of the management group for the policy assignment | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy assignment. | +| `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | 
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index 66b2488d46..c19f4e56c3 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -14,13 +14,13 @@ With this module you can perform policy assignments. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Optional. The Target Scope for the Policy. The name of the management group for the policy assignment | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy assignment. | +| `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | 
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
index 83a284f970..f1b21efb20 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
@@ -1,13 +1,14 @@
 targetScope = 'resourceGroup'
-@sys.description('Required. Specifies the name of the policy assignment.')
-@maxLength(24)
+@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope.')
+@maxLength(64)
 param name string
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
-@sys.description('Optional. The display name of the policy assignment.')
+@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
index df0e6a6e0c..432624e156 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
@@ -14,12 +14,12 @@ With this module you can perform policy assignments on a resource group level | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy assignment. | +| `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep index 4de3291814..2033d624c9 100644 
--- a/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep
@@ -1,13 +1,14 @@
 targetScope = 'subscription'
-@sys.description('Required. Specifies the name of the policy assignment.')
-@maxLength(24)
+@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope.')
+@maxLength(64)
 param name string
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
-@sys.description('Optional. The display name of the policy assignment.')
+@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 @sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md
index 48d82c2380..a8e98af6ed 100644
--- a/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md
@@ -14,12 +14,12 @@ With this module you can perform policy assignments on a subscription level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy assignment. | +| `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | From 7fb83060204b301dde86f90a37976386f3a4d39d Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 23 Feb 2022 13:48:03 +1100
Subject: [PATCH 14/43] fixed pester errors for rg level assignments
---
 .../policyAssignments/deploy.bicep | 4 ++++
 .../managementGroups/.bicep/nested_cuaId.bicep | 1 +
 .../policyAssignments/readme.md | 1 +
 .../resourceGroups/.bicep/nested_cuaId.bicep | 1 +
 .../policyAssignments/resourceGroups/deploy.bicep | 11 +++++++++++
 .../policyAssignments/resourceGroups/readme.md | 2 ++
 .../subscriptions/.bicep/nested_cuaId.bicep | 1 +
 7 files changed, 21 insertions(+)
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index 5699fad6f2..4331603af1 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -54,6 +54,9 @@ param notScopes array = []
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+param cuaId string = ''
+
 module policyAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
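Review bot: `cuaId` is accepted by the orchestrator for every scope but, going by the diffstat (4 insertions in this file: the 3 lines here plus the single `cuaId:` line in the resource-group module params in the next hunk), it is only forwarded to the resource-group child; a caller who sets it together with `managementGroupId` or `subscriptionId` gets no attribution and no error. The description's "Use when scope target is resource group." hints at this but does not say the value is otherwise dropped, and a silently ignored parameter is the kind of thing that later gets mistaken for a bug in the child module. I would make the contract explicit: `@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Only forwarded when the scope target is a resource group; ignored for management group and subscription scopes.')`. The management-group and subscription module invocations are outside this hunk, so the non-forwarding is inferred from the diffstat rather than seen.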
@@ -111,6 +114,7 @@ module policyAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementG notScopes: !empty(notScopes) ? notScopes : [] subscriptionId: subscriptionId location: location + cuaId: !empty(cuaId) ? cuaId : '' } } diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index c19f4e56c3..8a6ceccb31 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md @@ -13,6 +13,7 @@ With this module you can perform policy assignments. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep 
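Review bot: `cuaId: !empty(cuaId) ? cuaId : ''` evaluates to `cuaId` for any string value, so `cuaId: cuaId` expresses the same thing and avoids suggesting that `''` is a different default from the one the child module already declares (`param cuaId string = ''` in the resourceGroups module). The ternary does mirror the `notScopes` line directly above it, so if the team treats that as the house idiom for optional pass-through I would accept it for consistency, but it is worth a deliberate choice rather than copy-and-paste. The enclosing `policyAssignment_rg` module starts outside this hunk.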
@@ -0,0 +1 @@
+
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
index f1b21efb20..ed76a420f7 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep
@@ -56,6 +56,14 @@ param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
 param resourceGroupName string = resourceGroup().name
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
+param cuaId string = ''
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+ }
+
 var identity_var = identity == 'SystemAssigned' ? {
 type: identity
 } : null
@@ -93,3 +101,6 @@ output principalId string = identity == 'SystemAssigned' ? policyAssignment.iden
 @sys.description('Policy Assignment resource ID')
 output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
+
+@sys.description('The name of the resource group the policy was assigned to')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
index 432624e156..afffcaa00f 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md
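Review bot: `name: 'pid-${cuaId}'` interpolates a parameter that nothing constrains into a deployment name, and the module it loads, `.bicep/nested_cuaId.bicep`, is the one-line empty file created in the `@@ -0,0 +1 @@` hunk above, so a reader of this template has no way to tell why the deployment exists or what shape `cuaId` must have beyond the description's promise of a GUID. A bound on the parameter, `@maxLength(36)` next to the existing `@sys.description`, would reject an over-long value at validation time rather than (presumably) when the deployment is submitted, and a comment on the module would save the next reader a search: `// Empty nested deployment: its name, pid-<GUID>, is what carries the Customer Usage Attribution ID.` The `identity_var` lines are unchanged context and are not affected.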
@@ -13,6 +13,7 @@ With this module you can perform policy assignments on a resource group level | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | @@ -34,6 +35,7 @@ With this module you can perform policy assignments on a resource group level | :-- | :-- | :-- | | `name` | string | Policy Assignment Name | | `principalId` | string | Policy Assignment principal ID | +| `resourceGroupName` | string | The name of the resource group the policy was assigned to | | `resourceId` | string | Policy Assignment resource ID | ## Template references diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + From ef8bb38f6bcf1e755bc3bd37bff27cccac7d3ab8 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 23 Feb 2022 13:48:42 +1100
Subject: [PATCH 15/43] removed mg and sub cuaid nested templates
---
 .../policyAssignments/managementGroups/.bicep/nested_cuaId.bicep | 1 -
 .../policyAssignments/subscriptions/.bicep/nested_cuaId.bicep | 1 -
 2 files changed, 2 deletions(-)
 delete mode 100644 arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep
 delete mode 100644 arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep
deleted file mode 100644
index 8b13789179..0000000000
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroups/.bicep/nested_cuaId.bicep
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep
deleted file mode 100644
index 8b13789179..0000000000
--- a/arm/Microsoft.Authorization/policyAssignments/subscriptions/.bicep/nested_cuaId.bicep
+++ /dev/null
@@ -1 +0,0 @@
-
From 9e43d645c3094b70ad95e50c7e57df0ac3709c18 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 23 Feb 2022 14:40:47 +1100
Subject: [PATCH 16/43] fixed resource group not scope
---
 .../policyAssignments/.parameters/rg.parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
index fba7dfcce4..e28b39cfd1 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/rg.parameters.json
@@ -41,7 +41,7 @@
 },
 "notScopes": {
 "value": [
- "/subscriptions/<>/resourceGroups/validation-rg"
+ "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
 ]
 },
 "identity": {
From 73faa68cf201e84262c65a6a36ce193119b2099e Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 10:12:46 +1100
Subject: [PATCH 17/43] Updated Policy definitions
---
 .../policyDefinitions/deploy.bicep | 4 +--
 .../deploy.bicep | 0
 .../readme.md | 0
 .../version.json | 0
 .../policyDefinitions/readme.md | 25 +++++++++++++++++--
 .../deploy.bicep | 0
 .../{subscriptions => subscription}/readme.md | 0
 .../version.json | 0
 8 files changed, 25 insertions(+), 4 deletions(-)
 rename arm/Microsoft.Authorization/policyDefinitions/{managementGroups => managementGroup}/deploy.bicep (100%)
 rename arm/Microsoft.Authorization/policyDefinitions/{managementGroups => managementGroup}/readme.md (100%)
 rename arm/Microsoft.Authorization/policyDefinitions/{managementGroups => managementGroup}/version.json (100%)
 rename arm/Microsoft.Authorization/policyDefinitions/{subscriptions => subscription}/deploy.bicep (100%)
 rename arm/Microsoft.Authorization/policyDefinitions/{subscriptions => subscription}/readme.md (100%)
 rename arm/Microsoft.Authorization/policyDefinitions/{subscriptions => subscription}/version.json (100%)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index 389d41a77f..72aa9b6919 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
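Review bot: The removed `notScopes` entry named a whole resource group, which, if it is the resource group the assignment itself targets (the scope values are elsewhere in this parameter file, outside the hunk), excludes everything the assignment covers and leaves a policy that is deployed but enforces nothing; the new value narrows the exclusion to a single vault inside the group. Nothing in the repository records that constraint, and a parameter file cannot carry a comment, so the next person editing a test exclusion can repeat the mistake silently. I would add one sentence to the `notScopes` row of the module readme, e.g. `Excluded scopes must lie within the assignment scope; excluding the assignment scope itself makes the assignment inert.`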
@@ -39,7 +39,7 @@ param subscriptionId string = ''
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policyDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+module policyDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -54,7 +54,7 @@ module policyDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscript
 }
 }
-module policyDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+module policyDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/policyDefinitions/managementGroups/deploy.bicep
rename to arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
similarity index 100%
rename from arm/Microsoft.Authorization/policyDefinitions/managementGroups/readme.md
rename to arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyDefinitions/managementGroups/version.json rename to arm/Microsoft.Authorization/policyDefinitions/managementGroup/version.json diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md index 8f00903311..3d379bace8 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md @@ -1,6 +1,6 @@ # Policy Definitions `[Microsoft.Authorization/policyDefinitions]` -With this module you can create policy set definitions. +With this module you can create policy definitions across the management group or subscription scope. ## Resource types @@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. ### Parameter Usage: `subscriptionId` 
@@ -45,6 +45,27 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an } ``` +## Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module policydefinition 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policydefinitions.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module policydefinition 'yourpath/arm/Microsoft.Authorization.policyDefinitions/subscription/deploy.bicep' = {} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep similarity index 100% rename from arm/Microsoft.Authorization/policyDefinitions/subscriptions/deploy.bicep rename to arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md similarity index 100% rename from arm/Microsoft.Authorization/policyDefinitions/subscriptions/readme.md rename to arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/policyDefinitions/subscription/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyDefinitions/subscriptions/version.json rename to arm/Microsoft.Authorization/policyDefinitions/subscription/version.json From cf910574f4c84435645c50a42f71c03eb2f7ab2d Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 10:26:49 +1100
Subject: [PATCH 18/43] attempt to get the publishing to work on child modules
---
 .../policyDefinitions/managementGroup/deploy.bicep | 4 ++--
 .../policyDefinitions/managementGroup/readme.md | 6 +++---
 .../policyDefinitions/subscription/deploy.bicep | 4 ++--
 .../policyDefinitions/subscription/readme.md | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
index 8646713449..f9bb25c103 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
@@ -1,10 +1,10 @@
 targetScope = 'managementGroup'
-@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters')
+@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters.')
 @maxLength(64)
 param name string
-@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters')
+@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
 @maxLength(128)
 param displayName string = ''
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
index 46a1c4b29b..014c559462 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
@@ -1,4 +1,4 @@ -# Policy Definitions on Management Group level `[Microsoft.Authorization/policyDefinitions/managementGroups]` +# Policy Definitions on Management Group level `[Microsoft.Authorization/policyDefinitions/managementGroup]` With this module you can create policy definitions on a management group level. @@ -13,11 +13,11 @@ With this module you can create policy definitions on a management group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | -| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters | +| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | | `managementGroupId` | string | | | Required. The group ID of the Management Group | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters | +| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep index fbb9cdc258..b99c23225c 100644 
--- a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep
@@ -1,10 +1,10 @@
 targetScope = 'subscription'
-@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters')
+@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters.')
 @maxLength(64)
 param name string
-@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters')
+@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
 @maxLength(128)
 param displayName string = ''
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
index 32059c69ed..4f47add459 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
@@ -1,4 +1,4 @@
-# Policy Definitions on Subscription level `[Microsoft.Authorization/policyDefinitions/subscriptions]`
+# Policy Definitions on Subscription level `[Microsoft.Authorization/policyDefinitions/subscription]`
 With this module you can create policy definitions on a subscription level.
@@ -13,10 +13,10 @@ With this module you can create policy definitions on a subscription level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | -| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters | +| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | -| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters | +| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | | `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription | From 45c8acf08adcb5f88a1d64041d066aebb09cd5f7 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 10:38:12 +1100
Subject: [PATCH 19/43] updated policy assignments module
---
 .../policyAssignments/deploy.bicep | 8 +++--
 .../deploy.bicep | 2 +-
 .../readme.md | 4 +--
 .../version.json | 0
 .../policyAssignments/readme.md | 27 ++++++++++++++++---
 .../.bicep/nested_cuaId.bicep | 0
 .../deploy.bicep | 2 +-
 .../readme.md | 4 +--
 .../version.json | 0
 .../deploy.bicep | 2 +-
 .../{subscriptions => subscription}/readme.md | 4 +--
 .../version.json | 0
 12 files changed, 37 insertions(+), 16 deletions(-)
 rename arm/Microsoft.Authorization/policyAssignments/{managementGroups => managementGroup}/deploy.bicep (98%)
 rename arm/Microsoft.Authorization/policyAssignments/{managementGroups => managementGroup}/readme.md (96%)
 rename arm/Microsoft.Authorization/policyAssignments/{managementGroups => managementGroup}/version.json (100%)
 rename arm/Microsoft.Authorization/policyAssignments/{resourceGroups => resourceGroup}/.bicep/nested_cuaId.bicep (100%)
 rename arm/Microsoft.Authorization/policyAssignments/{resourceGroups => resourceGroup}/deploy.bicep (99%)
 rename arm/Microsoft.Authorization/policyAssignments/{resourceGroups => resourceGroup}/readme.md (97%)
 rename arm/Microsoft.Authorization/policyAssignments/{resourceGroups => resourceGroup}/version.json (100%)
 rename arm/Microsoft.Authorization/policyAssignments/{subscriptions => subscription}/deploy.bicep (98%)
 rename arm/Microsoft.Authorization/policyAssignments/{subscriptions => subscription}/readme.md (96%)
 rename arm/Microsoft.Authorization/policyAssignments/{subscriptions => subscription}/version.json (100%)
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index 4331603af1..a9dba4cb84 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -6,7 +6,7 @@ param name string
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
-@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
+@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
 @maxLength(128)
 param displayName string = ''
@@ -57,7 +57,7 @@ param location string = deployment().location
 @sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
 param cuaId string = ''
-module policyAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -77,7 +77,7 @@ module policyAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(manageme
 }
 }
-module policyAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -97,7 +97,7 @@ module policyAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementG } } -module policyAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { +module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module' scope: resourceGroup(subscriptionId, resourceGroupName) params: { diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep similarity index 98% rename from arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep rename to arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep index 3009920754..1c7d42b156 100644 --- a/arm/Microsoft.Authorization/policyAssignments/managementGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep @@ -7,7 +7,7 @@ param name string @sys.description('Optional. This message will be part of response in case of policy violation.') param description string = '' -@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') +@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') @maxLength(128) param displayName string = '' diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md similarity index 96% rename from arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md rename to arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md index db38102b28..47dea3ecd4 100644 --- a/arm/Microsoft.Authorization/policyAssignments/managementGroups/readme.md 
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md @@ -1,4 +1,4 @@ -# Policy Assignment on Management Group level `[Microsoft.Authorization/policyAssignments/managementGroups]` +# Policy Assignment on Management Group level `[Microsoft.Authorization/policyAssignments/managementGroup]` With this module you can perform policy assignments on a management group level. @@ -14,7 +14,7 @@ With this module you can perform policy assignments on a management group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json b/arm/Microsoft.Authorization/policyAssignments/managementGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyAssignments/managementGroups/version.json rename to arm/Microsoft.Authorization/policyAssignments/managementGroup/version.json 
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index 8a6ceccb31..6293ade1de 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md @@ -1,6 +1,6 @@ # Policy Assignments `[Microsoft.Authorization/policyAssignments]` -With this module you can perform policy assignments. +With this module you can perform policy assignments across the management group, subscription or resource group scope. ## Resource types @@ -15,7 +15,7 @@ With this module you can perform policy assignments. | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | 
@@ -40,7 +40,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. ### Parameter Usage: `subscriptionId` 
@@ -67,6 +67,27 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour > The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +## Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyAssignments.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module policyassignment 'yourpath/arm/Microsoft.Authorization.policyAssignments/subscription/deploy.bicep' = {} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/.bicep/nested_cuaId.bicep similarity index 100% rename from arm/Microsoft.Authorization/policyAssignments/resourceGroups/.bicep/nested_cuaId.bicep rename to arm/Microsoft.Authorization/policyAssignments/resourceGroup/.bicep/nested_cuaId.bicep diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep similarity index 99% rename from arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep rename to arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep index ed76a420f7..99ac551905 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep 
@@ -7,7 +7,7 @@ param name string @sys.description('Optional. This message will be part of response in case of policy violation.') param description string = '' -@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') +@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') @maxLength(128) param displayName string = '' diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md similarity index 97% rename from arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md rename to arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md index afffcaa00f..49e46a91c9 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md @@ -1,4 +1,4 @@ -# Policy Assignment on Resource Group level `[Microsoft.Authorization/policyAssignments/resourceGroups]` +# Policy Assignment on Resource Group level `[Microsoft.Authorization/policyAssignments/resourceGroup]` With this module you can perform policy assignments on a resource group level 
@@ -15,7 +15,7 @@ With this module you can perform policy assignments on a resource group level | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyAssignments/resourceGroups/version.json rename to arm/Microsoft.Authorization/policyAssignments/resourceGroup/version.json diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep similarity index 98% rename from arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep rename to arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep index 2033d624c9..b0fb8f6696 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscriptions/deploy.bicep 
+++ b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep @@ -7,7 +7,7 @@ param name string @sys.description('Optional. This message will be part of response in case of policy violation.') param description string = '' -@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') +@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') @maxLength(128) param displayName string = '' diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md similarity index 96% rename from arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md rename to arm/Microsoft.Authorization/policyAssignments/subscription/readme.md index a8e98af6ed..9d7739e350 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscriptions/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md @@ -1,4 +1,4 @@ -# Policy Assignment on Subscription level `[Microsoft.Authorization/policyAssignments/subscriptions]` +# Policy Assignment on Subscription level `[Microsoft.Authorization/policyAssignments/subscription]` With this module you can perform policy assignments on a subscription level. 
@@ -14,7 +14,7 @@ With this module you can perform policy assignments on a subscription level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | -| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | diff --git a/arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json b/arm/Microsoft.Authorization/policyAssignments/subscription/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyAssignments/subscriptions/version.json rename to arm/Microsoft.Authorization/policyAssignments/subscription/version.json From de07e9ba76016048df7de75724991b2f60ab607f Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 24 Feb 2022 11:39:52 +1100 Subject: [PATCH 20/43] updated dep. pipeline and policy exemptions module --- .../ms.authorization.policyexemptions.yml | 12 +++++-- .github/workflows/platform.dependencies.yml | 4 +-- .../policyAssignments/readme.md | 2 +- .../.parameters/mg.min.parameters.json | 15 +++++++++ .../.parameters/mg.parameters.json | 29 +++++++++++++++++ .../.parameters/rg.min.parameters.json | 18 +++++++++++ .../.parameters/rg.parameters.json | 32 +++++++++++++++++++ ...arameters.json => sub.min.parameters.json} | 4 +-- .../{parameters.json => sub.parameters.json} | 6 ++-- .../policyExemptions/deploy.bicep | 16 ++++++---- .../deploy.bicep | 7 ++-- .../readme.md | 6 ++-- .../version.json | 0 .../policyExemptions/readme.md | 30 ++++++++++++++--- .../resourceGroup/.bicep/nested_cuaId.bicep | 1 + .../deploy.bicep | 18 +++++++++-- .../readme.md | 8 +++-- .../version.json | 0 .../deploy.bicep | 7 ++-- .../{subscriptions => subscription}/readme.md | 6 ++-- .../version.json | 0 .../parameters/mg.parameters.json | 18 +++++++++++ .../{parameters.json => sub.parameters.json} | 4 +-- 23 files changed, 203 insertions(+), 40 deletions(-) create mode 100644 arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json create mode 100644 arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json create mode 100644 arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json create mode 100644 arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json rename arm/Microsoft.Authorization/policyExemptions/.parameters/{min.parameters.json => sub.min.parameters.json} (63%) rename arm/Microsoft.Authorization/policyExemptions/.parameters/{parameters.json => sub.parameters.json} (61%) rename arm/Microsoft.Authorization/policyExemptions/{managementGroups => managementGroup}/deploy.bicep (91%) rename 
arm/Microsoft.Authorization/policyExemptions/{managementGroups => managementGroup}/readme.md (91%) rename arm/Microsoft.Authorization/policyExemptions/{managementGroups => managementGroup}/version.json (100%) create mode 100644 arm/Microsoft.Authorization/policyExemptions/resourceGroup/.bicep/nested_cuaId.bicep rename arm/Microsoft.Authorization/policyExemptions/{resourceGroups => resourceGroup}/deploy.bicep (82%) rename arm/Microsoft.Authorization/policyExemptions/{resourceGroups => resourceGroup}/readme.md (84%) rename arm/Microsoft.Authorization/policyExemptions/{resourceGroups => resourceGroup}/version.json (100%) rename arm/Microsoft.Authorization/policyExemptions/{subscriptions => subscription}/deploy.bicep (94%) rename arm/Microsoft.Authorization/policyExemptions/{subscriptions => subscription}/readme.md (92%) rename arm/Microsoft.Authorization/policyExemptions/{subscriptions => subscription}/version.json (100%) create mode 100644 utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json rename utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/{parameters.json => sub.parameters.json} (85%) diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml index 3401aef4d4..f9a30d8819 100644 --- a/.github/workflows/ms.authorization.policyexemptions.yml +++ b/.github/workflows/ms.authorization.policyexemptions.yml @@ -81,7 +81,15 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json', 'min.parameters.json'] + parameterFilePaths: + [ + 'mg.parameters.json', + 'mg.min.parameters.json', + 'sub.parameters.json', + 'sub.min.parameters.json', + 'rg.parameters.json', + 'rg.min.parameters.json', + ] steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -98,7 +106,7 @@ jobs: - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyExemptions_sub.bicep' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 8dab1d89bc..722e1c81c5 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -137,7 +137,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -146,7 +146,7 @@ jobs: - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: 'arm/${{ env.namespace }}/subscriptions/deploy.bicep' + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index 6293ade1de..ad22c4e1f2 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md 
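Review bot: Pointing `templateFilePath` at the orchestrator `deploy.bicep` means every matrix entry, including the `sub.*` and `rg.*` parameter files, is now validated through a template whose `targetScope` is `managementGroup`, so the pipeline identity needs deployment rights at the management group even for the resource-group test cases, which is broader than the old `nested_policyExemptions_sub.bicep` path required. That permission requirement is not recorded anywhere in the workflow; a one-line comment above `templateFilePath`, e.g. `# orchestrator is MG-scoped: the deployment identity needs management-group deployment rights for every matrix entry`, would save the next person a failed run. The `resourceGroupName` input is still passed, but how `validateModuleDeployment` chooses the deployment scope is not visible here, so confirm that the `rg.*` fixtures really reach the resource-group sub-module through the orchestrator's parameter dispatch rather than being deployed at a different scope. The same change is applied to `platform.dependencies.yml`, where the same caveat holds.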
@@ -81,7 +81,7 @@ The solution is to have the option of directly targeting the sub-module that ach **Bicep Registry Reference** ```bicep -module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyAssignments.subscription:version' = {} +module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyassignments.subscription:version' = {} ``` **Local Path Reference** ```bicep diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json new file mode 100644 index 0000000000..0300425950 --- /dev/null +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-min-mg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + }, + "policyAssignmentId": { + "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg" + }, + "managementGroupId": { + "value": "<>" + } + } +} diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json new file mode 100644 index 0000000000..312021abda --- /dev/null +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json 
@@ -0,0 +1,29 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-mg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + }, + "displayName": { + "value": "[Test] policy exempt -abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz -abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + }, + "policyAssignmentId": { + "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg" + }, + "exemptionCategory": { + "value": "Waiver" + }, + "metadata": { + "value": { + "category": "Security" + } + }, + "expiresOn": { + "value": "2025-10-02T03:57:00.000Z" + }, + "managementGroupId": { + "value": "<>" + } + } +} diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json new file mode 100644 index 0000000000..629f9be0b9 --- /dev/null +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-min-rg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + }, + "policyAssignmentId": { + "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" + }, + "subscriptionId": { + "value": "<>" + }, + "resourceGroupName": { + "value": "<>" + } + } +} diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json new file mode 100644 index 0000000000..bf7a2934fa --- /dev/null 
+++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json @@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-rg-polexem" + }, + "displayName": { + "value": "[Test] policy exempt-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + }, + "policyAssignmentId": { + "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" + }, + "exemptionCategory": { + "value": "Waiver" + }, + "metadata": { + "value": { + "category": "Security" + } + }, + "expiresOn": { + "value": "2025-10-02T03:57:00.000Z" + }, + "subscriptionId": { + "value": "<>" + }, + "resourceGroupName": { + "value": "<>" + } + } +} diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json similarity index 63% rename from arm/Microsoft.Authorization/policyExemptions/.parameters/min.parameters.json rename to arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json index 576dba2987..37a9783dd5 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/min.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-pexe-loc-rg-min" + "value": "<>-min-sub-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" }, "policyAssignmentId": { - "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-pass-loc-rg" + "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" }, "subscriptionId": { "value": "<>" 
diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json similarity index 61% rename from arm/Microsoft.Authorization/policyExemptions/.parameters/parameters.json rename to arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json index 9e88cce8f3..b36c1bc7f0 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json @@ -3,13 +3,13 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-pexe-loc-rg" + "value": "<>-sub-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" }, "displayName": { - "value": "[Test] policy exempt" + "value": "[Test] policy exempt-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" }, "policyAssignmentId": { - "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-pass-loc-rg" + "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" }, "exemptionCategory": { "value": "Waiver" diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index 65a2778ea9..2a06e93c2d 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep 
@@ -1,10 +1,11 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy exemption.') -@maxLength(64) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.') +@maxLength(256) param name string -@sys.description('Optional. The display name of the policy exemption.') +@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.') +@maxLength(256) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') @@ -41,7 +42,9 @@ param resourceGroupName string = '' @sys.description('Optional. Location for all resources.') param location string = deployment().location -module policyExemption_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') +param cuaId string = '' +module policyExemption_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module' scope: managementGroup(managementGroupId) params: { @@ -57,7 +60,7 @@ module policyExemption_mg 'managementGroups/deploy.bicep' = if (!empty(managemen } } -module policyExemption_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { +module policyExemption_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-Sub-Module' scope: subscription(subscriptionId) params: { 
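Review bot: The `@maxLength(256)` placed on `name` contradicts the description on the same parameter, which says the limit is 24 characters at management group scope and 64 at subscription and resource group scope; relaxing the decorator from 64 to 256 means an over-long name is no longer rejected by Bicep validation and only fails at deploy time inside ARM, with a less specific error. `displayName` has the same mismatch (`@maxLength(256)` against 'Maximum length is 128 characters'), while the `policyAssignments` orchestrator in this same change keeps `@maxLength(128)`, so two sibling modules now enforce different bounds for the same documented limit. The new `mg.parameters.json` and `mg.min.parameters.json` fixtures use `name` values well beyond 24 characters, so either the documented limit or the fixture is wrong and the two should be reconciled before the decorator is loosened. If the wider bound is intentional because the orchestrator cannot know the target scope at validation time, say so, e.g. `@sys.description('Required. Specifies the name of the policy exemption. Scope-specific limits (24 characters at management group scope, 64 elsewhere) are enforced by the platform at deploy time.')`. Separately, the new `param cuaId string = ''` is followed directly by `module policyExemption_mg` with no blank line, unlike every other parameter declaration in the file.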
@@ -73,7 +76,7 @@ module policyExemption_sub 'subscriptions/deploy.bicep' = if (empty(managementGr } } -module policyExemption_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { +module policyExemption_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-RG-Module' scope: resourceGroup(subscriptionId, resourceGroupName) params: { @@ -87,6 +90,7 @@ module policyExemption_rg 'resourceGroups/deploy.bicep' = if (empty(managementGr expiresOn: !empty(expiresOn) ? expiresOn : '' subscriptionId: subscriptionId resourceGroupName: resourceGroupName + cuaId: !empty(cuaId) ? cuaId : '' } } diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep similarity index 91% rename from arm/Microsoft.Authorization/policyExemptions/managementGroups/deploy.bicep rename to arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep index 0452dca7d6..16de6572ed 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep @@ -1,10 +1,11 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy exemption.') -@maxLength(64) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope.') +@maxLength(256) param name string -@sys.description('Optional. The display name of the policy exemption.') +@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') +@maxLength(256) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') 
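Review bot: `cuaId: !empty(cuaId) ? cuaId : ''` is a no-op ternary, since the fallback when `cuaId` is empty is the same empty string; `cuaId: cuaId` expresses the same thing (the neighbouring `expiresOn` line uses the same pattern, but that is pre-existing). A practitioner caveat worth adding to this module's documentation while it is being reshaped: nothing in the root or child modules requires `expiresOn`, so an exemption created through this path presumably has no expiry unless the caller supplies one, and the `expiresOn` description could state that, e.g. `If omitted, the exemption does not expire and must be removed manually.`.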
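Review bot: The new `displayName` description in `managementGroup/deploy.bicep` reads `The display name of the policy assignment.`, which looks like a copy-paste slip — this module creates a policy exemption, and the sibling `subscription` and `resourceGroup` modules in this same commit say `policy exemption`. Suggested text: `@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')`. The same wording is carried into the management-group readme table in this commit, so the readme should be regenerated after the fix to keep the two in sync.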
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md similarity index 91% rename from arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md rename to arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md index 1e5f410351..33383aabe6 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroups/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md @@ -1,4 +1,4 @@ -# Policy Exemptions on Management Group level `[Microsoft.Authorization/policyExemptions/managementGroups]` +# Policy Exemptions on Management Group level `[Microsoft.Authorization/policyExemptions/managementGroup]` With this module you can create policy exemptions on a management group level. 
@@ -13,12 +13,12 @@ With this module you can create policy exemptions on a management group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The description of the policy exemption. | -| `displayName` | string | | | Optional. The display name of the policy exemption. | +| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | `managementGroupId` | string | | | Required. The group ID of the management group to be exempted from the policy assignment. | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | 
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json b/arm/Microsoft.Authorization/policyExemptions/managementGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyExemptions/managementGroups/version.json rename to arm/Microsoft.Authorization/policyExemptions/managementGroup/version.json diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md index b537817716..dfe26a8f27 100644 --- a/arm/Microsoft.Authorization/policyExemptions/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/readme.md @@ -1,6 +1,6 @@ # Policy Exemptions `[Microsoft.Authorization/policyExemptions]` -With this module you can create policy exemptions. +With this module you can create policy exemptions across the management group, subscription or resource group scope. ## Resource types 
@@ -12,14 +12,15 @@ With this module you can create policy exemptions. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. The description of the policy exemption. | -| `displayName` | string | | | Optional. The display name of the policy exemption. | +| `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter. | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. 
| | `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | @@ -35,7 +36,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. ### Parameter Usage: `subscriptionId` 
@@ -62,6 +63,27 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour > The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +## Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module policyexemption 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyexemptions.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module policyexemption 'yourpath/arm/Microsoft.Authorization.policyExemptions/subscription/deploy.bicep' = {} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep similarity index 82% rename from arm/Microsoft.Authorization/policyExemptions/resourceGroups/deploy.bicep rename to arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep index a5e16a419f..81be1d9de7 100644 --- a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep 
@@ -1,10 +1,11 @@ targetScope = 'resourceGroup' -@sys.description('Required. Specifies the name of the policy exemption.') -@maxLength(64) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope.') +@maxLength(256) param name string -@sys.description('Optional. The display name of the policy exemption.') +@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.') +@maxLength(256) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') @@ -35,6 +36,14 @@ param subscriptionId string = subscription().subscriptionId @sys.description('Optional. The name of the resource group to be exempted from the policy assignment.') param resourceGroupName string = resourceGroup().name +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { name: name properties: { @@ -56,3 +65,6 @@ output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Mic @sys.description('Policy Exemption Scope') output scope string = resourceGroup().id + +@sys.description('The name of the resource group the policy exemption was applied at') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md similarity index 84% rename from arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md rename to arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md index 3a36e1fdfc..c35eaaf7f9 100644 --- a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/readme.md 
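Review bot: `cuaId` is documented as a GUID but carries no constraint, and it is interpolated straight into a nested deployment name (`name: 'pid-${cuaId}'`), so a malformed or over-long value only surfaces as a deployment-name validation error at deploy time rather than at template validation. Adding `@maxLength(36)` above `param cuaId string = ''` rejects anything longer than a GUID up front; Bicep has no pattern decorator, so the format itself still has to be trusted from the caller. The `.bicep/nested_cuaId.bicep` file this commit adds is a single blank line, which appears intentional for a usage-attribution marker deployment, but a one-line comment in it saying so would spare the next reader from assuming it was committed by mistake.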
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md @@ -1,4 +1,4 @@ -# Policy Exemptions on Resource Group level `[Microsoft.Authorization/policyExemptions/resourceGroups]` +# Policy Exemptions on Resource Group level `[Microsoft.Authorization/policyExemptions/resourceGroup]` With this module you can create policy exemptions on a resource group level. 
@@ -12,12 +12,13 @@ With this module you can create policy exemptions on a resource group level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `description` | string | | | Optional. The description of the policy exemption. | -| `displayName` | string | | | Optional. The display name of the policy exemption. | +| `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the resource group to be exempted from the policy assignment. | 
@@ -28,6 +29,7 @@ With this module you can create policy exemptions on a resource group level. | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Exemption Name | +| `resourceGroupName` | string | The name of the resource group the policy exemption was applied at | | `resourceId` | string | Policy Exemption resource ID | | `scope` | string | Policy Exemption Scope | diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyExemptions/resourceGroups/version.json rename to arm/Microsoft.Authorization/policyExemptions/resourceGroup/version.json diff --git a/arm/Microsoft.Authorization/policyExemptions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep similarity index 94% rename from arm/Microsoft.Authorization/policyExemptions/subscriptions/deploy.bicep rename to arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep index 281adcd048..90f58474b6 100644 --- a/arm/Microsoft.Authorization/policyExemptions/subscriptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep @@ -1,10 +1,11 @@ targetScope = 'subscription' -@sys.description('Required. Specifies the name of the policy exemption.') -@maxLength(64) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.') +@maxLength(256) param name string -@sys.description('Optional. The display name of the policy exemption.') +@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.') +@maxLength(256) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') 
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md similarity index 92% rename from arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md rename to arm/Microsoft.Authorization/policyExemptions/subscription/readme.md index a96807e870..428baf3dba 100644 --- a/arm/Microsoft.Authorization/policyExemptions/subscriptions/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md @@ -1,4 +1,4 @@ -# Policy Exemptions on Subscription level `[Microsoft.Authorization/policyExemptions/subscriptions]` +# Policy Exemptions on Subscription level `[Microsoft.Authorization/policyExemptions/subscription]` With this module you can create policy exemptions on a subscription level. 
@@ -13,11 +13,11 @@ With this module you can create policy exemptions on a subscription level. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The description of the policy exemption. | -| `displayName` | string | | | Optional. The display name of the policy exemption. | +| `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. | 
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json b/arm/Microsoft.Authorization/policyExemptions/subscription/version.json similarity index 100% rename from arm/Microsoft.Authorization/policyExemptions/subscriptions/version.json rename to arm/Microsoft.Authorization/policyExemptions/subscription/version.json diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json new file mode 100644 index 0000000000..4cbf610055 --- /dev/null +++ b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "adp-<>-mg-pass-loc-rg" + }, + "displayName": { + "value": "Audit resource location matches resource group location (management group scope)" + }, + "policyDefinitionID": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a" + }, + "managementGroupId": { + "value": "<>" + } + } +} diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json similarity index 85% rename from utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/parameters.json rename to utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json index 5d6b6faadb..158ceeb152 100644 --- a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json 
@@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "adp-<>-pass-loc-rg" + "value": "adp-<>-sb-pass-loc-rg" }, "displayName": { - "value": "Audit resource location matches resource group location" + "value": "Audit resource location matches resource group location (subscription scope)" }, "policyDefinitionID": { "value": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a" From c8b2cc5401dfea4f5b6a4ec68246ffc17dc6e66b Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 24 Feb 2022 12:12:31 +1100 Subject: [PATCH 21/43] fixed intentional issue on name lengths for exemptions --- .../policyExemptions/.parameters/mg.min.parameters.json | 4 ++-- .../policyExemptions/.parameters/mg.parameters.json | 4 ++-- .../policyExemptions/.parameters/rg.min.parameters.json | 2 +- .../policyExemptions/.parameters/rg.parameters.json | 2 +- .../policyExemptions/.parameters/sub.min.parameters.json | 2 +- .../policyExemptions/.parameters/sub.parameters.json | 4 ++-- arm/Microsoft.Authorization/policyExemptions/deploy.bicep | 6 +++--- .../policyExemptions/managementGroup/deploy.bicep | 6 +++--- arm/Microsoft.Authorization/policyExemptions/readme.md | 2 +- .../policyExemptions/resourceGroup/deploy.bicep | 4 ++-- .../policyExemptions/subscription/deploy.bicep | 4 ++-- 11 files changed, 20 insertions(+), 20 deletions(-) diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json index 0300425950..ca0ca243c5 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json 
@@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-min-mg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "<>-min-mg-polexem" }, "policyAssignmentId": { - "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg" + "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" }, "managementGroupId": { "value": "<>" diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json index 312021abda..2c76ecb64a 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-mg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "<>-mg-polexem" }, "displayName": { - "value": "[Test] policy exempt -abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz -abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "[Display Name] policy exempt (management group scope)" }, "policyAssignmentId": { "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg" diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json index 629f9be0b9..2573b17fe7 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.min.parameters.json 
@@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-min-rg-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "<>-min-rg-polexem" }, "policyAssignmentId": { "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json index bf7a2934fa..68fda77deb 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/rg.parameters.json @@ -6,7 +6,7 @@ "value": "<>-rg-polexem" }, "displayName": { - "value": "[Test] policy exempt-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "[Display Name] policy exempt (resource group scope)" }, "policyAssignmentId": { "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json index 37a9783dd5..920e7d2add 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.min.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-min-sub-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "<>-min-sub-polexem" }, "policyAssignmentId": { "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" 
diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json index b36c1bc7f0..02b3e9037c 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/sub.parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-sub-polexem-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "<>-sub-polexem" }, "displayName": { - "value": "[Test] policy exempt-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz-abcdefghijklmnopqrstuvwxyz" + "value": "[Display Name] policy exempt (subscription scope)" }, "policyAssignmentId": { "value": "/subscriptions/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg" diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index 2a06e93c2d..5c5a2801a9 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep @@ -1,11 +1,11 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.') -@maxLength(256) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes.') +@maxLength(64) param name string @sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.') -@maxLength(256) +@maxLength(128) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') 
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep index 16de6572ed..ae3ba11e10 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep @@ -1,11 +1,11 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope.') -@maxLength(256) +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope.') +@maxLength(64) param name string @sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.') -@maxLength(256) +@maxLength(128) param displayName string = '' @sys.description('Optional. The description of the policy exemption.') diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md index dfe26a8f27..27c0c2c55b 100644 --- a/arm/Microsoft.Authorization/policyExemptions/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/readme.md 
@@ -20,7 +20,7 @@ With this module you can create policy exemptions across the management group, s | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter. | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | | `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep index 81be1d9de7..b12dd8ec33 100644 --- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep 
@@ -1,11 +1,11 @@
 targetScope = 'resourceGroup'
 
 @sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope.')
-@maxLength(256)
+@maxLength(64)
 param name string
 
 @sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
-@maxLength(256)
+@maxLength(128)
 param displayName string = ''
 
 @sys.description('Optional. The description of the policy exemption.')
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
index 90f58474b6..8b1f7a5f89 100644
--- a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
@@ -1,11 +1,11 @@
 targetScope = 'subscription'
 
 @sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.')
-@maxLength(256)
+@maxLength(64)
 param name string
 
 @sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
-@maxLength(256)
+@maxLength(128)
 param displayName string = ''
 
 @sys.description('Optional. The description of the policy exemption.')
From b620440ff50303daa4cf51bd6ebb96809cc50171 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 12:26:42 +1100
Subject: [PATCH 22/43] fixed mg min parameter for exemption

---
 .../policyExemptions/.parameters/mg.min.parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json
index ca0ca243c5..5a51d4ba59 100644
--- a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json
+++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json
@@ -6,7 +6,7 @@
 "value": "<>-min-mg-polexem"
 },
 "policyAssignmentId": {
-"value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-sb-pass-loc-rg"
+"value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg"
 },
 "managementGroupId": {
 "value": "<>"
From 254f67877f303ef2383d6dcdf4005cd28a931503 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 14:37:45 +1100
Subject: [PATCH 23/43] policy set updates

---
 .../ms.authorization.policysetdefinitions.yml | 10 ++-
 .../policyDefinitions/deploy.bicep | 4 +-
 .../policyDefinitions/readme.md | 4 +-
 .../.parameters/mg.min.parameters.json | 26 ++++++++
 .../.parameters/mg.parameters.json | 66 +++++++++++++++++++
 ...arameters.json => sub.min.parameters.json} | 2 +-
 .../{parameters.json => sub.parameters.json} | 10 +--
 .../policySetDefinitions/deploy.bicep | 11 ++--
 .../deploy.bicep | 9 +--
 .../readme.md | 8 +--
 .../version.json | 0
 .../policySetDefinitions/readme.md | 31 +++++++-
 .../deploy.bicep | 7 +-
 .../{subscriptions => subscription}/readme.md | 8 +--
 .../version.json | 0
 15 files changed, 159 insertions(+), 37 deletions(-)
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.parameters.json
 rename arm/Microsoft.Authorization/policySetDefinitions/.parameters/{min.parameters.json => sub.min.parameters.json} (93%)
 rename arm/Microsoft.Authorization/policySetDefinitions/.parameters/{parameters.json => sub.parameters.json} (88%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{managementGroups => managementGroup}/deploy.bicep (89%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{managementGroups => managementGroup}/readme.md (85%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{managementGroups => managementGroup}/version.json (100%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{subscriptions => subscription}/deploy.bicep (89%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{subscriptions => subscription}/readme.md (86%)
 rename arm/Microsoft.Authorization/policySetDefinitions/{subscriptions => subscription}/version.json (100%)

diff --git a/.github/workflows/ms.authorization.policysetdefinitions.yml b/.github/workflows/ms.authorization.policysetdefinitions.yml
index 36601975aa..09264ddb36 100644
--- a/.github/workflows/ms.authorization.policysetdefinitions.yml
+++ b/.github/workflows/ms.authorization.policysetdefinitions.yml
@@ -81,7 +81,13 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-parameterFilePaths: ['parameters.json', 'min.parameters.json']
+parameterFilePaths:
+[
+'mg.min.parameters.json',
+'mg.parameters.json',
+'sub.min.parameters.json',
+'sub.parameters.json',
+]
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -98,7 +104,7 @@ jobs:
 - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
-templateFilePath: '${{ env.modulePath }}/.bicep/nested_policySetDefinition_sub.bicep'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index 72aa9b6919..1c6a9c8093 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -1,10 +1,10 @@
 targetScope = 'managementGroup'
 
-@sys.description('Required. Specifies the name of the policy definition.')
+@sys.description('Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope.')
 @maxLength(64)
 param name string
 
-@sys.description('Optional. The display name of the policy definition.')
+@sys.description('Optional. The display name of the policy definition. Maximum length is 128 characters.')
 @maxLength(128)
 param displayName string = ''
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md
index 3d379bace8..9d6679bad7 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
@@ -13,12 +13,12 @@ With this module you can create policy definitions across the management group o
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `description` | string | | | Optional. The policy definition description. |
-| `displayName` | string | | | Optional. The display name of the policy definition. |
+| `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
 | `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
 | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
-| `name` | string | | | Required. Specifies the name of the policy definition. |
+| `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. |
 | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition |
 | `subscriptionId` | string | | | Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId |
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json
new file mode 100644
index 0000000000..65bdd565f6
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json
@@ -0,0 +1,26 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"name": {
+"value": "<>-mg-min-policySet"
+},
+"policyDefinitions": {
+"value": [
+{
+"parameters": {
+"listOfAllowedLocations": {
+"value": [
+"australiaeast"
+]
+}
+},
+"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
+}
+]
+},
+"managementGroupId": {
+"value": "<>"
+}
+}
+}
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.parameters.json
new file mode 100644
index 0000000000..029e2d47c8
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.parameters.json
@@ -0,0 +1,66 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"name": {
+"value": "<>-mg-policySet"
+},
+"displayName": {
+"value": "[DisplayName] This policy set definition is deployed at management group scope"
+},
+"description": {
+"value": "[Description] This policy set definition is deployed at management group scope"
+},
+"policyDefinitionGroups": {
+"value": [
+{
+"name": "Network"
+},
+{
+"name": "ARM"
+}
+]
+},
+"policyDefinitions": {
+"value": [
+{
+"groupNames": [
+"ARM"
+],
+"parameters": {
+"listOfAllowedLocations": {
+"value": [
+"australiaeast"
+]
+}
+},
+"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+"policyDefinitionReferenceId": "Allowed locations_1"
+},
+{
+"groupNames": [
+"ARM"
+],
+"parameters": {
+"listOfAllowedLocations": {
+"value": [
+"australiaeast"
+]
+}
+},
+"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+"policyDefinitionReferenceId": "Allowed locations for resource groups_1"
+}
+]
+},
+"metadata": {
+"value": {
+"category": "Security",
+"version": "1"
+}
+},
+"managementGroupId": {
+"value": "<>"
+}
+}
+}
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/min.parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.min.parameters.json
similarity index 93%
rename from arm/Microsoft.Authorization/policySetDefinitions/.parameters/min.parameters.json
rename to arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.min.parameters.json
index 79e975f267..f6a7e68f64 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/min.parameters.json
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.min.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
-"value": "test-policySetExample-min"
+"value": "<>-sub-min-policySet"
 },
 "policyDefinitions": {
 "value": [
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.parameters.json
similarity index 88%
rename from arm/Microsoft.Authorization/policySetDefinitions/.parameters/parameters.json
rename to arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.parameters.json
index 9d2dad9482..16a92428b1 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/sub.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
-"value": "test-policySetExample"
-},
-"description": {
-"value": "[Test] Set of security policies"
+"value": "<>-sub-policySet"
 },
 "displayName": {
-"value": "[Test] contoso security Policies"
+"value": "[DisplayName] This policy set definition is deployed at subscription scope"
+},
+"description": {
+"value": "[Description] This policy set definition is deployed at subscription scope"
 },
 "policyDefinitionGroups": {
 "value": [
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
index d2a2a600bf..25515d0c4a 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
@@ -1,13 +1,14 @@
 targetScope = 'managementGroup'
 
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).')
+@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope.')
 @maxLength(64)
 param name string
 
-@sys.description('Optional. The display name of the Set Definition (Initiative)')
+@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 
-@sys.description('Optional. The Description name of the Set Definition (Initiative)')
+@sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
 
 @sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
@@ -31,7 +32,7 @@ param parameters object = {}
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
 
-module policySetDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+module policySetDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
 name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -46,7 +47,7 @@ module policySetDefinition_mg 'managementGroups/deploy.bicep' = if (empty(subscr
 }
 }
 
-module policySetDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+module policySetDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
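Review bot: The root `name` parameter keeps `@maxLength(64)` while its new description promises 24 characters at management group scope, and the management group child module in this same patch enforces `@maxLength(24)`; a 25–64 character name combined with `managementGroupId` therefore passes the orchestrator's own parameter validation and only fails inside the nested `policySetDefinition_mg` deployment, which is a much later and less readable error. Bicep decorators cannot express a scope-dependent limit, so the least that should be done is to say so in the description, e.g. append `Names longer than 24 characters are rejected by the management group sub-module at deployment time.` The new wording `Optional. The description name of the Set Definition (Initiative)` is also awkward ("description name"); `Optional. The description of the Set Definition (Initiative).` reads better and the same phrase is introduced in the managementGroup and subscription deploy.bicep hunks of this patch.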
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
similarity index 89%
rename from arm/Microsoft.Authorization/policySetDefinitions/managementGroups/deploy.bicep
rename to arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
index f2d10aed20..e72a36e57a 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
@@ -1,13 +1,14 @@
 targetScope = 'managementGroup'
 
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).')
-@maxLength(64)
+@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope.')
+@maxLength(24)
 param name string
 
-@sys.description('Optional. The display name of the Set Definition (Initiative)')
+@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 
-@sys.description('Optional. The Description name of the Set Definition (Initiative)')
+@sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
 
 @sys.description('Required. The group ID of the Management Group')
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
similarity index 85%
rename from arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md
rename to arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
index 26c9588940..4d75f039aa 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
@@ -1,4 +1,4 @@
-# Policy Set Definitions on Management Group level `[Microsoft.Authorization/policySetDefinitions/managementGroups]`
+# Policy Set Definitions on Management Group level `[Microsoft.Authorization/policySetDefinitions/managementGroup]`
 
 With this module you can create policy set definitions on a management group level.
 
@@ -12,11 +12,11 @@ With this module you can create policy set definitions on a management group lev
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `description` | string | | | Optional. The Description name of the Set Definition (Initiative) |
-| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) |
+| `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
+| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
 | `managementGroupId` | string | | | Required. The group ID of the Management Group |
 | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). |
+| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 | `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/version.json
similarity index 100%
rename from arm/Microsoft.Authorization/policySetDefinitions/managementGroups/version.json
rename to arm/Microsoft.Authorization/policySetDefinitions/managementGroup/version.json
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
index 2de57e5d25..5a425b9f67 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -1,6 +1,6 @@
 # Policy Set Definitions `[Microsoft.Authorization/policySetDefinitions]`
 
-With this module you can create policy set definitions.
+With this module you can create policy set definitions across the management group or subscription scope.
 
 ## Resource types
 
@@ -12,12 +12,12 @@ With this module you can create policy set definitions.
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `description` | string | | | Optional. The Description name of the Set Definition (Initiative) |
-| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) |
+| `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
+| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
 | `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
 | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). |
+| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 | `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
@@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
 
-> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters.
+> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file.
 
 ### Parameter Usage: `subscriptionId`
 
@@ -45,6 +45,27 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an
 }
 ```
 
+## Module Usage Guidance
+
+In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
+
+The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face:
+
+```bicep
+Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
+```
+
+The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following:
+
+**Bicep Registry Reference**
+```bicep
+module policysetdefinition 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policysetdefinitions.subscription:version' = {}
+```
+**Local Path Reference**
+```bicep
+module policysetdefinition 'yourpath/arm/Microsoft.Authorization.policySetDefinitions/subscription/deploy.bicep' = {}
+```
+
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
similarity index 89%
rename from arm/Microsoft.Authorization/policySetDefinitions/subscriptions/deploy.bicep
rename to arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
index 9b0eb89634..236bc90c5c 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
@@ -1,13 +1,14 @@
 targetScope = 'subscription'
 
-@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).')
+@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope.')
 @maxLength(64)
 param name string
 
-@sys.description('Optional. The display name of the Set Definition (Initiative)')
+@sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.')
+@maxLength(128)
 param displayName string = ''
 
-@sys.description('Optional. The Description name of the Set Definition (Initiative)')
+@sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
 
 @sys.description('Optional. The subscription ID of the subscription')
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
similarity index 86%
rename from arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md
rename to arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
index 97cfbf9f54..11a83a542b 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
@@ -1,4 +1,4 @@
-# Policy Set Definitions on Subscription level `[Microsoft.Authorization/policySetDefinitions/subscriptions]`
+# Policy Set Definitions on Subscription level `[Microsoft.Authorization/policySetDefinitions/subscription]`
 
 With this module you can create policy set definitions on a subscription level.
 
@@ -12,10 +12,10 @@ With this module you can create policy set definitions on a subscription level.
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `description` | string | | | Optional. The Description name of the Set Definition (Initiative) |
-| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative) |
+| `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
+| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
 | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
-| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). |
+| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
 | `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/policySetDefinitions/subscription/version.json
similarity index 100%
rename from arm/Microsoft.Authorization/policySetDefinitions/subscriptions/version.json
rename to arm/Microsoft.Authorization/policySetDefinitions/subscription/version.json
From 1fd3fd2f62d666e8d132e74cc5fb1bdc143c60b6 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:19:18 +1100
Subject: [PATCH 24/43] role assignments

---
 .../ms.authorization.roleassignments.yml | 12 +++++++--
 .../.parameters/mg.min.parameters.json | 15 +++++++++++
 .../.parameters/mg.parameters.json | 21 +++++++++++++++
 .../.parameters/rg.min.parameters.json | 18 +++++++++++++
 .../.parameters/rg.parameters.json | 24 +++++++++++++++++
 ...arameters.json => sub.min.parameters.json} | 0
 .../{parameters.json => sub.parameters.json} | 2 +-
 .../roleAssignments/deploy.bicep | 10 ++++---
 .../deploy.bicep | 0
 .../readme.md | 2 +-
 .../version.json | 0
 .../roleAssignments/readme.md | 26 +++++++++++++++++--
 .../resourceGroup/.bicep/nested_cuaId.bicep | 1 +
 .../deploy.bicep | 11 ++++++++
 .../readme.md | 4 ++-
 .../version.json | 0
 .../deploy.bicep | 0
 .../{subscriptions => subscription}/readme.md | 2 +-
 .../version.json | 0
 19 files changed, 137 insertions(+), 11 deletions(-)
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.parameters/mg.parameters.json
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.parameters/rg.min.parameters.json
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.parameters/rg.parameters.json
 rename arm/Microsoft.Authorization/roleAssignments/.parameters/{min.parameters.json => sub.min.parameters.json} (100%)
 rename arm/Microsoft.Authorization/roleAssignments/.parameters/{parameters.json => sub.parameters.json} (89%)
 rename arm/Microsoft.Authorization/roleAssignments/{managementGroups => managementGroup}/deploy.bicep (100%)
 rename arm/Microsoft.Authorization/roleAssignments/{managementGroups => managementGroup}/readme.md (97%)
 rename arm/Microsoft.Authorization/roleAssignments/{managementGroups => managementGroup}/version.json (100%)
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/resourceGroup/.bicep/nested_cuaId.bicep
 rename arm/Microsoft.Authorization/roleAssignments/{resourceGroups => resourceGroup}/deploy.bicep (98%)
 rename arm/Microsoft.Authorization/roleAssignments/{resourceGroups => resourceGroup}/readme.md (89%)
 rename arm/Microsoft.Authorization/roleAssignments/{resourceGroups => resourceGroup}/version.json (100%)
 rename arm/Microsoft.Authorization/roleAssignments/{subscriptions => subscription}/deploy.bicep (100%)
 rename arm/Microsoft.Authorization/roleAssignments/{subscriptions => subscription}/readme.md (98%)
 rename arm/Microsoft.Authorization/roleAssignments/{subscriptions => subscription}/version.json (100%)

diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml
index 2be8f8f53e..6c2576ac42 100644
--- a/.github/workflows/ms.authorization.roleassignments.yml
+++ b/.github/workflows/ms.authorization.roleassignments.yml
@@ -81,7 +81,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-parameterFilePaths: ['parameters.json', 'min.parameters.json']
+parameterFilePaths:
+[
+'mg.parameters.json',
+'mg.min.parameters.json',
+'sub.parameters.json',
+'sub.min.parameters.json',
+'rg.parameters.json',
+'rg.min.parameters.json',
+]
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -98,7 +106,7 @@ jobs:
 - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
-templateFilePath: '${{ env.modulePath }}/subscriptions/deploy.bicep'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json
new file mode 100644
index 0000000000..1bc735ba28
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json
@@ -0,0 +1,15 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"roleDefinitionIdOrName": {
+"value": "Storage Queue Data Reader"
+},
+"principalId": {
+"value": "<>"
+},
+"managementGroupId": {
+"value": "<>"
+}
+}
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.parameters.json
new file mode 100644
index 0000000000..e6362b62aa
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.parameters.json
@@ -0,0 +1,21 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"roleDefinitionIdOrName": {
+"value": "Backup Reader"
+},
+"description": {
+"value": "Role Assignment (management group scope)"
+},
+"principalId": {
+"value": "<>"
+},
+"principalType": {
+"value": "ServicePrincipal"
+},
+"managementGroupId": {
+"value": "<>"
+}
+}
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.min.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.min.parameters.json
new file mode 100644
index 0000000000..6011dc7e99
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.min.parameters.json
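Review bot: The new mg.min.parameters.json fixture omits `principalType`, while mg.parameters.json in the next hunk sets it to `ServicePrincipal`, so the minimal management-group deployment relies on whatever default the module applies. Role-assignment deployments that leave principalType unset are the ones that tend to fail with a principal-not-found error when the target service principal was created shortly before the deployment, so if the pipeline provisions the `<>` principal on the fly (not visible here) the minimal file is the more likely one to be flaky. If exercising the default is intentional, keep it; otherwise add `"principalType": { "value": "ServicePrincipal" }` to the minimal file as well, mirroring mg.parameters.json. The same consideration applies to rg.min.parameters.json versus rg.parameters.json in the following hunks.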
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleDefinitionIdOrName": {
+ "value": "Storage Queue Data Reader"
+ },
+ "principalId": {
+ "value": "<>"
+ },
+ "subscriptionId": {
+ "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.parameters.json
new file mode 100644
index 0000000000..faf9fc3d90
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/rg.parameters.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleDefinitionIdOrName": {
+ "value": "Backup Reader"
+ },
+ "description": {
+ "value": "Role Assignment (resource group scope)"
+ },
+ "principalId": {
+ "value": "<>"
+ },
+ "principalType": {
+ "value": "ServicePrincipal"
+ },
+ "subscriptionId": {
+ "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/min.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/sub.min.parameters.json
similarity index 100%
rename from arm/Microsoft.Authorization/roleAssignments/.parameters/min.parameters.json
rename to arm/Microsoft.Authorization/roleAssignments/.parameters/sub.min.parameters.json
diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/sub.parameters.json
similarity index 89%
rename from arm/Microsoft.Authorization/roleAssignments/.parameters/parameters.json
rename to arm/Microsoft.Authorization/roleAssignments/.parameters/sub.parameters.json
index 938f9a4d6a..346ba64c04 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/sub.parameters.json
@@ -6,7 +6,7 @@
 "value": "Backup Reader"
 },
 "description": {
- "value": "Custom Role Assignment Sub"
+ "value": "Role Assignment (subscription scope)"
 },
 "principalId": {
 "value": "<>"
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index c0fdd84ffb..0242ebe3c3 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -44,7 +44,10 @@ param conditionVersion string = '2.0'
 ])
 param principalType string = ''
 
-module roleAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+param cuaId string = ''
+
+module roleAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -59,7 +62,7 @@ module roleAssignment_mg 'managementGroups/deploy.bicep' = if (!empty(management
 }
 }
 
-module roleAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
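Review bot: The new `cuaId` parameter is documented as a GUID but carries no constraint, and its only consumer — the resourceGroup child module further down — turns it into a deployment name (`pid-${cuaId}`), so a malformed or over-long value is likely to fail late with a deployment-name error instead of at parameter validation; a `@maxLength(36)` above `param cuaId string = ''` (here and in the matching hunk of `roleDefinitions/deploy.bicep`) at least catches the length case up front. The forwarding line added in the `roleAssignment_rg` params in the next hunk, `cuaId: !empty(cuaId) ? cuaId : ''`, is a no-op since the default is already `''`; `cuaId: cuaId` says the same thing, and the identical line appears in the `roleDefinition_rg` hunk. The managementGroup and subscription modules never receive `cuaId`, which matches the description's "Use when scope target is resource group", but a reader of this file only learns that from the description string — a `// only forwarded to the resourceGroup child module` next to the param would make the asymmetry visible where the modules are wired.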
@@ -74,7 +77,7 @@ module roleAssignment_sub 'subscriptions/deploy.bicep' = if (empty(managementGro
 }
 }
 
-module roleAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
@@ -87,6 +90,7 @@ module roleAssignment_rg 'resourceGroups/deploy.bicep' = if (empty(managementGro
 delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
 conditionVersion: conditionVersion
 condition: !empty(condition) ? condition : ''
+ cuaId: !empty(cuaId) ? cuaId : ''
 }
 }
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleAssignments/managementGroups/deploy.bicep
rename to arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
similarity index 97%
rename from arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
rename to arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
index 5d66ef0119..1befe75a12 100644
--- a/arm/Microsoft.Authorization/roleAssignments/managementGroups/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
@@ -1,4 +1,4 @@ -# Role Assignment on Management Group level `[Microsoft.Authorization/roleAssignments/managementGroups]` +# Role Assignment on Management Group level `[Microsoft.Authorization/roleAssignments/managementGroup]` With this module you can perform role assignments on a management group level diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json b/arm/Microsoft.Authorization/roleAssignments/managementGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/managementGroups/version.json rename to arm/Microsoft.Authorization/roleAssignments/managementGroup/version.json diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index 6f06757fc1..0311940961 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md @@ -1,6 +1,6 @@ # Role Assignments `[Microsoft.Authorization/roleAssignments]` -This module deploys Role Assignments. +This module deploys Role Assignments across the management group, subscription or resource group scope. ## Resource types @@ -14,6 +14,7 @@ This module deploys Role Assignments. | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | 
@@ -34,7 +35,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. ### Parameter Usage: `subscriptionId` 
@@ -61,6 +62,27 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour > The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +## Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module roleassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.roleassignments.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module rolassignment 'yourpath/arm/Microsoft.Authorization.roleAssignments/subscription/deploy.bicep' = {} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep similarity index 98% rename from arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep rename to arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep index f851fed2a8..f58cdf69e3 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep 
@@ -38,6 +38,9 @@ param conditionVersion string = '2.0'
 ])
 param principalType string = ''
 
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
+param cuaId string = ''
+
 var builtInRoleNames_var = {
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
@@ -324,6 +327,11 @@ var builtInRoleNames_var = {
 
 var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
 
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
 name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)
 properties: {
@@ -345,3 +353,6 @@ output scope string = resourceGroup().id
 
 @sys.description('The scope this Role Assignment applies to')
 output resourceId string = az.resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
+
+@sys.description('The name of the resource group the role assignment was applied at')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
similarity index 89%
rename from arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md
rename to arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
index fdff86db44..2cce24a0d8 100644
--- a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
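Review bot: The new `pid_cuaId` module, which deploys the empty `.bicep/nested_cuaId.bicep` under the name `pid-${cuaId}`, is never exercised by the test matrix — neither `rg.parameters.json` nor `rg.min.parameters.json` in this patch sets `cuaId`, so the conditional and the blank nested template are first validated when a consumer passes a value; adding `cuaId` to `rg.parameters.json` would cover the branch. The empty nested deployment is the conventional Customer Usage Attribution marker (the tracked artefact is the deployment name), but `nested_cuaId.bicep` does not say so; a single line in it such as `// intentionally empty: only the 'pid-<cuaId>' deployment name matters` would stop a later maintainer from "fixing" the blank file. Unrelated to this change but visible in the last hunk's context, the descriptions of `output scope` and the neighbouring `output resourceId` read as swapped — `scope` returns `resourceGroup().id` while `resourceId` is described as "The scope this Role Assignment applies to".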
@@ -1,4 +1,4 @@ -# Role Assignment on Resource Group level `[Microsoft.Authorization/roleAssignments/resourceGroups]` +# Role Assignment on Resource Group level `[Microsoft.Authorization/roleAssignments/resourceGroup]` With this module you can perform role assignments on a resource group level @@ -14,6 +14,7 @@ With this module you can perform role assignments on a resource group level | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | @@ -27,6 +28,7 @@ With this module you can perform role assignments on a resource group level | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment | +| `resourceGroupName` | string | The name of the resource group the role assignment was applied at | | `resourceId` | string | The scope this Role Assignment applies to | | `scope` | string | The resource ID of the Role Assignment | diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/resourceGroups/version.json rename to arm/Microsoft.Authorization/roleAssignments/resourceGroup/version.json 
diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep rename to arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md similarity index 98% rename from arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md rename to arm/Microsoft.Authorization/roleAssignments/subscription/readme.md index eb156268e1..062643cc61 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscriptions/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md @@ -1,4 +1,4 @@ -# Role Assignment on Subscription level `[Microsoft.Authorization/roleAssignments/subscriptions]` +# Role Assignment on Subscription level `[Microsoft.Authorization/roleAssignments/subscription]` With this module you can perform role assignments on a subscription level diff --git a/arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json b/arm/Microsoft.Authorization/roleAssignments/subscription/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleAssignments/subscriptions/version.json rename to arm/Microsoft.Authorization/roleAssignments/subscription/version.json From f763f38dfd4bb7b2559562571774a7995fd56d61 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 24 Feb 2022 16:41:23 +1100 Subject: [PATCH 25/43] role definitions --- .../ms.authorization.roledefinitions.yml | 12 ++++- .../roleAssignments/readme.md | 2 +- .../.parameters/mg.min.parameters.json | 18 ++++++++ .../.parameters/mg.parameters.json | 43 +++++++++++++++++ .../.parameters/rg.min.parameters.json | 21 +++++++++ .../.parameters/rg.parameters.json | 46 +++++++++++++++++++ ...arameters.json => sub.min.parameters.json} | 3 -- .../{parameters.json => sub.parameters.json} | 0 .../roleDefinitions/deploy.bicep | 10 ++-- .../deploy.bicep | 0 .../readme.md | 2 +- .../version.json | 0 .../roleDefinitions/readme.md | 26 ++++++++++- .../resourceGroup/.bicep/nested_cuaId.bicep | 1 + .../deploy.bicep | 11 +++++ .../readme.md | 4 +- .../version.json | 0 .../deploy.bicep | 0 .../{subscriptions => subscription}/readme.md | 2 +- .../version.json | 0 20 files changed, 187 insertions(+), 14 deletions(-) create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.min.parameters.json create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json rename arm/Microsoft.Authorization/roleDefinitions/.parameters/{min.parameters.json => sub.min.parameters.json} (84%) rename arm/Microsoft.Authorization/roleDefinitions/.parameters/{parameters.json => sub.parameters.json} (100%) rename arm/Microsoft.Authorization/roleDefinitions/{managementGroups => managementGroup}/deploy.bicep (100%) rename arm/Microsoft.Authorization/roleDefinitions/{managementGroups => managementGroup}/readme.md (97%) rename arm/Microsoft.Authorization/roleDefinitions/{managementGroups => managementGroup}/version.json (100%) create mode 100644 
arm/Microsoft.Authorization/roleDefinitions/resourceGroup/.bicep/nested_cuaId.bicep rename arm/Microsoft.Authorization/roleDefinitions/{resourceGroups => resourceGroup}/deploy.bicep (84%) rename arm/Microsoft.Authorization/roleDefinitions/{resourceGroups => resourceGroup}/readme.md (88%) rename arm/Microsoft.Authorization/roleDefinitions/{resourceGroups => resourceGroup}/version.json (100%) rename arm/Microsoft.Authorization/roleDefinitions/{subscriptions => subscription}/deploy.bicep (100%) rename arm/Microsoft.Authorization/roleDefinitions/{subscriptions => subscription}/readme.md (98%) rename arm/Microsoft.Authorization/roleDefinitions/{subscriptions => subscription}/version.json (100%) diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml index f5d47a3eca..5dd95bcbfd 100644 --- a/.github/workflows/ms.authorization.roledefinitions.yml +++ b/.github/workflows/ms.authorization.roledefinitions.yml @@ -81,7 +81,15 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json', 'min.parameters.json'] + parameterFilePaths: + [ + 'mg.parameters.json', + 'mg.min.parameters.json', + 'sub.parameters.json', + 'sub.min.parameters.json', + 'rg.parameters.json', + 'rg.min.parameters.json', + ] steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -98,7 +106,7 @@ jobs: - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/.bicep/nested_roleDefinitions_sub.bicep' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index 0311940961..e3f3b5b434 100644 
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -80,7 +80,7 @@ module roleassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.autho
 ```
 **Local Path Reference**
 ```bicep
-module rolassignment 'yourpath/arm/Microsoft.Authorization.roleAssignments/subscription/deploy.bicep' = {}
+module roleassignment 'yourpath/arm/Microsoft.Authorization.roleAssignments/subscription/deploy.bicep' = {}
 ```
 
 ## Outputs
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json
new file mode 100644
index 0000000000..4e5c3aff21
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "<>-az-testRole-sub-min"
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/read",
+ "Microsoft.Compute/galleries/images/read"
+ ]
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
new file mode 100644
index 0000000000..bb00498b50
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
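Review bot: `roleName` in the new `mg.min.parameters.json` is `<>-az-testRole-sub-min`, the same name the renamed `sub.min.parameters.json` keeps (visible in its hunk below), and `mg.parameters.json` and `rg.parameters.json` both reuse `<>-az-testRole-sub`. Custom role names have to be unique within the directory if I recall the service limits correctly, so the parallel matrix jobs would race to create the same role at different scopes; `-mg-min`, `-mg` and `-rg` suffixes keep each job's definition distinct and make the scope obvious when the roles show up in the portal. The `-sub` suffix on a management-group file is misleading regardless of whether the uniqueness rule bites.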
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "<>-az-testRole-sub"
+ },
+ "description": {
+ "value": "Test Custom Role Definition Standard"
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/*",
+ "Microsoft.Network/virtualNetworks/read"
+ ]
+ },
+ "notActions": {
+ "value": [
+ "Microsoft.Compute/images/write",
+ "Microsoft.Compute/images/delete",
+ "Microsoft.Network/virtualNetworks/subnets/join/action"
+ ]
+ },
+ "dataActions": {
+ "value": [
+ "Microsoft.Storage/storageAccounts/blobServices/*/read"
+ ]
+ },
+ "notDataActions": {
+ "value": [
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+ ]
+ },
+ "assignableScopes": {
+ "value": [
+ "/providers/managementGroups/<>"
+ ]
+ },
+ "managementGroupId": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.min.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.min.parameters.json
new file mode 100644
index 0000000000..cf6825cc02
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.min.parameters.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "<>-az-testRole-rg-min"
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/read",
+ "Microsoft.Compute/galleries/images/read"
+ ]
+ },
+ "subscriptionId": {
+ "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json
new file mode 100644
index 0000000000..50c6f482e9
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json
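Review bot: `mg.parameters.json` sets `dataActions` and `notDataActions` while `assignableScopes` is `/providers/managementGroups/<>`, a combination the module's own parameter table (context in the `roleDefinitions/readme.md` hunk below: "This is not supported if the assignableScopes contains Management Group Scopes") rules out — custom roles with data actions cannot be assignable at management-group scope — so this matrix entry looks set to fail at deployment. Dropping the two data-action blocks from the mg file, and keeping them only in `rg.parameters.json` and `sub.parameters.json`, keeps the test valid. If the intent was to check that the service rejects the combination, a negative test should be labelled as such rather than sit in the regular matrix.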
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleName": {
+ "value": "<>-az-testRole-sub"
+ },
+ "description": {
+ "value": "Test Custom Role Definition Standard"
+ },
+ "actions": {
+ "value": [
+ "Microsoft.Compute/galleries/*",
+ "Microsoft.Network/virtualNetworks/read"
+ ]
+ },
+ "notActions": {
+ "value": [
+ "Microsoft.Compute/images/write",
+ "Microsoft.Compute/images/delete",
+ "Microsoft.Network/virtualNetworks/subnets/join/action"
+ ]
+ },
+ "dataActions": {
+ "value": [
+ "Microsoft.Storage/storageAccounts/blobServices/*/read"
+ ]
+ },
+ "notDataActions": {
+ "value": [
+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+ ]
+ },
+ "assignableScopes": {
+ "value": [
+ "/subscriptions/<>/resourceGroups/<>"
+ ]
+ },
+ "subscriptionId": {
+ "value": "<>"
+ },
+ "resourceGroupName": {
+ "value": "<>"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/min.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.min.parameters.json
similarity index 84%
rename from arm/Microsoft.Authorization/roleDefinitions/.parameters/min.parameters.json
rename to arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.min.parameters.json
index 84d93c977a..87bbbc20b7 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/min.parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.min.parameters.json
@@ -5,9 +5,6 @@
 "roleName": {
 "value": "<>-az-testRole-sub-min"
 },
- "description": {
- "value": "Test Custom Role Definition Min"
- },
 "actions": {
 "value": [
 "Microsoft.Compute/galleries/read",
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json
similarity index 100%
rename from arm/Microsoft.Authorization/roleDefinitions/.parameters/parameters.json
rename to arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json
diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
index d34a1eb62f..22ccab9783 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
@@ -33,7 +33,10 @@ param location string = deployment().location
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
 param assignableScopes array = []
 
-module roleDefinition_mg 'managementGroups/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+param cuaId string = ''
+
+module roleDefinition_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -46,7 +49,7 @@ module roleDefinition_mg 'managementGroups/deploy.bicep' = if (!empty(management
 }
 }
 
-module roleDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -61,7 +64,7 @@ module roleDefinition_sub 'subscriptions/deploy.bicep' = if (empty(managementGro
 }
 }
 
-module roleDefinition_rg 'resourceGroups/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-RoleDefinition-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
@@ -74,6 +77,7 @@ module roleDefinition_rg 'resourceGroups/deploy.bicep' = if (empty(managementGro
 assignableScopes: !empty(assignableScopes) ? assignableScopes : []
 subscriptionId: subscriptionId
 resourceGroupName: resourceGroupName
+ cuaId: !empty(cuaId) ? cuaId : ''
 }
 }
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep
similarity index 100%
rename from arm/Microsoft.Authorization/roleDefinitions/managementGroups/deploy.bicep
rename to arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md
similarity index 97%
rename from arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md
rename to arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md
index 67cbee6559..274f2d8622 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md
@@ -1,4 +1,4 @@
-# Role Definitions on Management Group level `[Microsoft.Authorization/roleDefinitions/managementGroups]`
+# Role Definitions on Management Group level `[Microsoft.Authorization/roleDefinitions/managementGroup]`
 
 With this module you can create role definitions on a management group level
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleDefinitions/managementGroups/version.json rename to arm/Microsoft.Authorization/roleDefinitions/managementGroup/version.json diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index b801e79aa4..99926c6326 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md @@ -1,6 +1,6 @@ # Role Definitions `[Microsoft.Authorization/roleDefinitions]` -This module deploys custom RBAC Role Definitions. +This module deploys custom RBAC Role Definitions across the management group, subscription or resource group scope. ## Resource types @@ -14,6 +14,7 @@ This module deploys custom RBAC Role Definitions. | :-- | :-- | :-- | :-- | :-- | | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | 
@@ -34,7 +35,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. ### Parameter Usage: `subscriptionId` 
@@ -61,6 +62,27 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour > The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +## Module Usage Guidance + +In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. + +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: + +```bicep +Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" +``` + +The solution is to have the option of directly targeting the sub-module that achieves the required scope. 
For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following: + +**Bicep Registry Reference** +```bicep +module roledefinition 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.roledefinitions.subscription:version' = {} +``` +**Local Path Reference** +```bicep +module roledefinition 'yourpath/arm/Microsoft.Authorization.roleDefinitions/subscription/deploy.bicep' = {} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/.bicep/nested_cuaId.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep similarity index 84% rename from arm/Microsoft.Authorization/roleDefinitions/resourceGroups/deploy.bicep rename to arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep index 853507ee64..3f26be34eb 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep 
@@ -27,6 +27,14 @@ param resourceGroupName string = resourceGroup().name @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') param assignableScopes array = [] +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = { name: guid(roleName, subscriptionId, resourceGroupName) properties: { @@ -53,3 +61,6 @@ output scope string = resourceGroup().id @sys.description('The resource ID of the Role Definition') output resourceId string = roleDefinition.id + +@sys.description('The name of the resource group the role definition was created at') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md similarity index 88% rename from arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md rename to arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md index 489a8f9e96..6d1a05b397 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md @@ -1,4 +1,4 @@ -# Role Definitions on Resource Group level `[Microsoft.Authorization/roleDefinitions/resourceGroups]` +# Role Definitions on Resource Group level `[Microsoft.Authorization/roleDefinitions/resourceGroup]` With this module you can create role definitions on a resource group level 
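Review bot: `cuaId` flows unvalidated into the nested deployment name `pid-${cuaId}` in the new `pid_cuaId` module, and its description says only that the GUID "must be previously registered", not what setting it does. Because `.bicep/nested_cuaId.bicep` is created in this same patch as a single blank line and the module passes `params: {}`, the only visible effect is an extra empty nested deployment named `pid-<cuaId>` in the resource group's deployment history, which a reader of this file cannot learn from the description. Azure deployment names are capped at 64 characters, so a `@maxLength(36)` decorator on `param cuaId string = ''` would reject a malformed value at validation time instead of at deployment time (assuming, as the description says, only plain GUIDs are expected). I would also extend the description to `Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. When set, an empty nested deployment named pid-<cuaId> is created in the target resource group to record the attribution.`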
@@ -14,6 +14,7 @@ With this module you can create role definitions on a resource group level | :-- | :-- | :-- | :-- | :-- | | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | | `notActions` | array | `[]` | | Optional. List of denied actions. | @@ -27,6 +28,7 @@ With this module you can create role definitions on a resource group level | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | +| `resourceGroupName` | string | The name of the resource group the role definition was created at | | `resourceId` | string | The resource ID of the Role Definition | | `scope` | string | The scope this Role Definition applies to | diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleDefinitions/resourceGroups/version.json rename to arm/Microsoft.Authorization/roleDefinitions/resourceGroup/version.json diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep similarity index 100% rename from arm/Microsoft.Authorization/roleDefinitions/subscriptions/deploy.bicep rename to arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep 
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md similarity index 98% rename from arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md rename to arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md index b6ddd12199..b8e854491c 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md @@ -1,4 +1,4 @@ -# Role Definitions on Subscription level `[Microsoft.Authorization/roleDefinitions/subscriptions]` +# Role Definitions on Subscription level `[Microsoft.Authorization/roleDefinitions/subscription]` With this module you can create role definitions on a subscription level diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json b/arm/Microsoft.Authorization/roleDefinitions/subscription/version.json similarity index 100% rename from arm/Microsoft.Authorization/roleDefinitions/subscriptions/version.json rename to arm/Microsoft.Authorization/roleDefinitions/subscription/version.json From 18fc520e3c4a05b347e3edb81f1d1cf7051cd7b5 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 24 Feb 2022 16:43:25 +1100 Subject: [PATCH 26/43] fixed parameters for role definitions --- .../roleDefinitions/.parameters/sub.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json index 758b62edf5..62e03ca98d 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json +++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/sub.parameters.json 
@@ -6,7 +6,7 @@
 "value": "<>-az-testRole-sub"
 },
 "description": {
- "value": "Test Custom Role Definition Standard"
+ "value": "Test Custom Role Definition Standard (subscription scope)"
 },
 "actions": {
 "value": [
From 7541db53b03ddfcbd736d2cd9eecd633df45732b Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:43:37 +1100
Subject: [PATCH 27/43] updated names for role definitions
---
 .../roleDefinitions/.parameters/mg.min.parameters.json | 2 +-
 .../roleDefinitions/.parameters/mg.parameters.json | 4 ++--
 .../roleDefinitions/.parameters/rg.parameters.json | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json
index 4e5c3aff21..6e503be0b7 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "roleName": {
- "value": "<>-az-testRole-sub-min"
+ "value": "<>-az-testRole-mg-min"
 },
 "actions": {
 "value": [
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
index bb00498b50..74ce7649f8 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
@@ -3,10 +3,10 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "roleName": {
- "value": "<>-az-testRole-sub"
+ "value": "<>-az-testRole-mg"
 },
 "description": {
- "value": "Test Custom Role Definition Standard"
+ "value": "Test Custom Role Definition Standard (management group scope)"
 },
 "actions": {
 "value": [
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json
index 50c6f482e9..c27ff2f862 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json
@@ -3,10 +3,10 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "roleName": {
- "value": "<>-az-testRole-sub"
+ "value": "<>-az-testRole-rg"
 },
 "description": {
- "value": "Test Custom Role Definition Standard"
+ "value": "Test Custom Role Definition Standard (resource group scope)"
 },
 "actions": {
 "value": [
From 8a2a4d4ffdc713999f7cb2a2e23b83c520deab65 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:52:39 +1100
Subject: [PATCH 28/43] fix management group scope
---
 .../roleDefinitions/.parameters/mg.parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
index 74ce7649f8..d49ce1cae3 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.parameters.json
@@ -33,7 +33,7 @@
 },
 "assignableScopes": {
 "value": [
- "/providers/managementGroups/<>"
+ "/providers/Microsoft.Management/managementGroups/<>"
 ]
 },
 "managementGroupId": {
From a40feddddf1545ae8733664c9b74f875fdf7d44b Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Fri, 25 Feb 2022 09:32:48 +1100
Subject: [PATCH 29/43] updated ado pipelines + changed ID to Id on all ms. auth
---
 .../ms.authorization.policyassignments.yml | 16 ++++++++++++----
 .../ms.authorization.policydefinitions.yml | 12 ++++++++----
 .../ms.authorization.policyexemptions.yml | 16 ++++++++++++----
 .../ms.authorization.policysetdefinitions.yml | 12 ++++++++----
 .../ms.authorization.roleassignments.yml | 16 ++++++++++++----
 .../ms.authorization.roledefinitions.yml | 16 ++++++++++++----
 .../policyAssignments/deploy.bicep | 12 ++++++------
 .../managementGroup/deploy.bicep | 8 ++++----
 .../policyAssignments/managementGroup/readme.md | 8 ++++----
 .../policyAssignments/readme.md | 12 ++++++------
 .../policyAssignments/resourceGroup/deploy.bicep | 12 ++++++------
 .../policyAssignments/resourceGroup/readme.md | 12 ++++++------
 .../policyAssignments/subscription/deploy.bicep | 10 +++++-----
 .../policyAssignments/subscription/readme.md | 10 +++++-----
 .../policyDefinitions/deploy.bicep | 6 +++---
 .../managementGroup/deploy.bicep | 4 ++--
 .../policyDefinitions/managementGroup/readme.md | 4 ++--
 .../policyDefinitions/readme.md | 6 +++---
 .../policyDefinitions/subscription/deploy.bicep | 4 ++--
 .../policyDefinitions/subscription/readme.md | 4 ++--
 .../policyExemptions/deploy.bicep | 14 +++++++-------
 .../managementGroup/deploy.bicep | 8 ++++----
 .../policyExemptions/managementGroup/readme.md | 8 ++++----
 .../policyExemptions/readme.md | 14 +++++++-------
 .../policyExemptions/resourceGroup/deploy.bicep | 10 +++++-----
 .../policyExemptions/resourceGroup/readme.md | 10 +++++-----
 .../policyExemptions/subscription/deploy.bicep | 8 ++++----
 .../policyExemptions/subscription/readme.md | 8 ++++----
 .../policySetDefinitions/deploy.bicep | 8 ++++----
 .../managementGroup/deploy.bicep | 6 +++---
 .../managementGroup/readme.md | 6 +++---
 .../policySetDefinitions/readme.md | 8 ++++----
.../subscription/deploy.bicep | 6 +++---
 .../policySetDefinitions/subscription/readme.md | 6 +++---
 .../roleAssignments/deploy.bicep | 16 ++++++++--------
 .../roleAssignments/managementGroup/deploy.bicep | 10 +++++-----
 .../roleAssignments/managementGroup/readme.md | 10 +++++-----
 .../roleAssignments/readme.md | 16 ++++++++--------
 .../roleAssignments/resourceGroup/deploy.bicep | 12 ++++++------
 .../roleAssignments/resourceGroup/readme.md | 12 ++++++------
 .../roleAssignments/subscription/deploy.bicep | 10 +++++-----
 .../roleAssignments/subscription/readme.md | 10 +++++-----
 .../roleDefinitions/deploy.bicep | 8 ++++----
 .../roleDefinitions/managementGroup/deploy.bicep | 4 ++--
 .../roleDefinitions/managementGroup/readme.md | 4 ++--
 .../roleDefinitions/readme.md | 14 +++++++-------
 .../roleDefinitions/resourceGroup/deploy.bicep | 6 +++---
 .../roleDefinitions/resourceGroup/readme.md | 6 +++---
 .../roleDefinitions/subscription/deploy.bicep | 4 ++--
 .../roleDefinitions/subscription/readme.md | 4 ++--
 50 files changed, 253 insertions(+), 213 deletions(-)
diff --git a/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml b/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
index de861c4f52..7e045cf889 100644
--- a/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
@@ -42,10 +42,18 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyAssignments_sub.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyAssignments_sub.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml index 4b2f2aaad4..41bfa990da 100644 --- a/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml +++ b/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml 
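Review bot: All six new `deploymentBlocks` entries invoke the management-group-scoped orchestrator `$(modulePath)/deploy.bicep` in place of the subscription-scoped `nested_policyAssignments_sub.bicep`, so the pipeline identity now needs deployment rights at a management group for every case. For the `mg.*` cases the management-group child module also creates a role assignment for the assignment's identity (its `roleAssignment` resource is visible further down this patch), which means the validation service connection needs role-assignment write at that management group — a standing privilege worth stating explicitly, e.g. `# Deploys via the MG-scoped orchestrator: the service connection needs deployment + role-assignment write at the test management group.` The required rights are inferred from the scopes; verify against the service connection definition, which is not in this hunk. The enclosing `stages:` block starts above the hunk.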
@@ -42,10 +42,14 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyDefinitions_sub.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyDefinitions_sub.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml b/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml index 7a879e7a96..f43f19850f 100644 --- a/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml +++ b/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml 
@@ -42,10 +42,18 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyExemptions_sub.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policyExemptions_sub.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml index 9744ad6659..56bade6aef 100644 --- a/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml +++ b/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml 
@@ -42,10 +42,14 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policySetDefinition_sub.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_policySetDefinition_sub.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml index db8c2d092a..b4ad7d6ad8 100644 --- a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml +++ b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml 
@@ -42,10 +42,18 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/subscriptions/deploy.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/subscriptions/deploy.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml index 476fbfa93e..044f4f0ad5 100644 --- a/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml +++ b/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml 
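Review bot: Every new `deploymentBlocks` entry targets the orchestrator `$(modulePath)/deploy.bicep`, which the module readme in this series says is only valid at `managementGroup` scope, whereas the removed entries ran the subscription-scoped `subscriptions/deploy.bicep`. The new `mg.*` cases therefore create role assignments at a management group, so the pipeline's service connection must hold `Microsoft.Authorization/roleAssignments/write` (User Access Administrator or Owner) there — a much wider standing privilege for a validation identity than the subscription-level rights the old blocks needed. If that is intended I would pin a dedicated test management group and say so next to the list, e.g. `# All blocks deploy through the MG-scoped orchestrator; the service connection needs role-assignment write at the dedicated test management group only.`; the exact rights are inferred from the scopes and should be checked against the service connection definition, which is outside this hunk. The enclosing `stages:` block starts above the hunk.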
@@ -42,10 +42,18 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - - path: $(modulePath)/.parameters/min.parameters.json - templateFilePath: $(modulePath)/.bicep/nested_roleDefinitions_sub.bicep - - path: $(modulePath)/.parameters/parameters.json - templateFilePath: $(modulePath)/.bicep/nested_roleDefinitions_sub.bicep + - path: $(modulePath)/.parameters/mg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/mg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/sub.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.min.parameters.json + templateFilePath: $(modulePath)/deploy.bicep + - path: $(modulePath)/.parameters/rg.parameters.json + templateFilePath: $(modulePath)/deploy.bicep - stage: Publishing displayName: Publish module diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep index a9dba4cb84..628c445bed 100644 --- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep @@ -10,7 +10,7 @@ param description string = '' @maxLength(128) param displayName string = '' -@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.') +@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.') param policyDefinitionId string @sys.description('Optional. Parameters for the policy assignment if needed.') 
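Review bot: The new `mg.*` and `sub.*` blocks deploy custom role definitions at management-group and subscription scope through the MG-scoped orchestrator `$(modulePath)/deploy.bicep`, while the `removeDeployment` flag that drives cleanup is passed unchanged from the context above the hunk. Custom role definitions are tenant-wide objects subject to a per-tenant limit, so if the removal stage only tears down resource-group deployments the mg/sub test roles (`<>-az-testRole-mg`, `<>-az-testRole-sub`) will accumulate in the tenant on every run; I cannot see the removal logic from here, so this needs confirming. Either way a comment on the list would help, e.g. `# mg.* and sub.* create tenant-visible custom roles; removal must cover management-group and subscription scope, not only the test resource group.` The enclosing `stages:` block starts above the hunk.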
@@ -23,7 +23,7 @@ param parameters object = {} ]) param identity string = 'SystemAssigned' -@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') +@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') param roleDefinitionIds array = [] @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') @@ -42,7 +42,7 @@ param enforcementMode string = 'Default' @sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment') param managementGroupId string = '' -@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment') param subscriptionId string = '' @sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment') 
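Review bot: The rewritten `roleDefinitionIds` description still begins with `Required.` although the parameter is declared `param roleDefinitionIds array = []`, whose default makes it optional to callers, and the same sentence still mixes `IDs` with the `Id` spelling this commit is standardising on. It also says `provide either the fully qualified Id in the following format` with no second alternative and ends the example in a double period (`'..`). I would replace it with `Optional. The resource Ids of the Azure role definitions assigned to the policy assignment's managed identity, in the fully qualified form '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the Ids of built-in roles; they must match the roles the policy definition requires.` If the module genuinely cannot work without at least one Id, the fix is instead to drop the `= []` default so `Required.` becomes true; which of the two applies is not visible from this hunk.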
@@ -54,7 +54,7 @@ param notScopes array = [] @sys.description('Optional. Location for all resources.') param location string = deployment().location -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.') param cuaId string = '' module policyAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { @@ -121,8 +121,8 @@ module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGr @sys.description('Policy Assignment Name') output name string = !empty(managementGroupId) ? policyAssignment_mg.outputs.name : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.name : policyAssignment_sub.outputs.name) -@sys.description('Policy Assignment principal ID') +@sys.description('Policy Assignment principal Id') output principalId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.principalId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.principalId : policyAssignment_sub.outputs.principalId) -@sys.description('Policy Assignment resource ID') +@sys.description('Policy Assignment resource Id') output resourceId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.resourceId : policyAssignment_sub.outputs.resourceId) diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep index 1c7d42b156..a8210b33dc 100644 --- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep 
@@ -11,7 +11,7 @@ param description string = '' @maxLength(128) param displayName string = '' -@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.') +@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.') param policyDefinitionId string @sys.description('Optional. Parameters for the policy assignment if needed.') @@ -24,7 +24,7 @@ param parameters object = {} ]) param identity string = 'SystemAssigned' -@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') +@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') param roleDefinitionIds array = [] @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') 
@@ -85,8 +85,8 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev @sys.description('Policy Assignment Name') output name string = policyAssignment.name -@sys.description('Policy Assignment principal ID') +@sys.description('Policy Assignment principal Id') output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : '' -@sys.description('Policy Assignment resource ID') +@sys.description('Policy Assignment resource Id') output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name) diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md index 47dea3ecd4..4cd4b2e9bd 100644 --- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md 
@@ -24,16 +24,16 @@ With this module you can perform policy assignments on a management group level. | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | -| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | -| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | +| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. | +| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. 
They must match on what is on the policy definition | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Assignment Name | -| `principalId` | string | Policy Assignment principal ID | -| `resourceId` | string | Policy Assignment resource ID | +| `principalId` | string | Policy Assignment principal Id | +| `resourceId` | string | Policy Assignment resource Id | ## Template references diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index ad22c4e1f2..177242867a 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md @@ -13,7 +13,7 @@ With this module you can perform policy assignments across the management group, | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | +| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | 
@@ -25,10 +25,10 @@ With this module you can perform policy assignments across the management group, | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | -| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | +| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. | | `resourceGroupName` | string | | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment | -| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | -| `subscriptionId` | string | | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment | +| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | +| `subscriptionId` | string | | | Optional. 
The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment | ### Parameter Usage: `managementGroupId` @@ -93,8 +93,8 @@ module policyassignment 'yourpath/arm/Microsoft.Authorization.policyAssignments/ | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Assignment Name | -| `principalId` | string | Policy Assignment principal ID | -| `resourceId` | string | Policy Assignment resource ID | +| `principalId` | string | Policy Assignment principal Id | +| `resourceId` | string | Policy Assignment resource Id | ## Template references diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep index 99ac551905..96e0a8d20b 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep @@ -11,7 +11,7 @@ param description string = '' @maxLength(128) param displayName string = '' -@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.') +@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.') param policyDefinitionId string @sys.description('Optional. Parameters for the policy assignment if needed.') 
@@ -24,7 +24,7 @@ param parameters object = {} ]) param identity string = 'SystemAssigned' -@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') +@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') param roleDefinitionIds array = [] @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') 
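Review bot: The new `roleDefinitionIds` description is still broken on the line this hunk rewrites: `You need to provide either the fully qualified Id in the following format: '...'.. See` has an "either" with no alternative, a doubled period, and keeps "IDs" twice in the same string, so the ID→Id rename is incomplete where it was applied; it also opens with "Required." while the context line below declares `param roleDefinitionIds array = []`, and the `output principalId` expression elsewhere in this file shows the identity can be something other than `SystemAssigned`, so the list is in practice optional. Because this file later creates a `Microsoft.Authorization/roleAssignments` resource from these IDs (visible only in a later hunk header), the text should say plainly that the list is an RBAC grant to the assignment's identity and should be limited to what the policy's remediation needs. Suggested wording: `Optional. Resource IDs of the Azure role definitions to grant to the policy assignment's managed identity, e.g. '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' (built-in roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). Must match the roleDefinitionIds declared by the policy definition; grant nothing beyond that. Required when identity is SystemAssigned.` The identical string appears in the managementGroup and subscription variants and is mirrored verbatim in their readme tables, so they should be changed together.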
@@ -50,13 +50,13 @@ var nonComplianceMessage_var = { message: !empty(nonComplianceMessage) ? nonComplianceMessage : null } -@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment') param resourceGroupName string = resourceGroup().name -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.') param cuaId string = '' module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { @@ -96,10 +96,10 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev @sys.description('Policy Assignment Name') output name string = policyAssignment.name -@sys.description('Policy Assignment principal ID') +@sys.description('Policy Assignment principal Id') output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : '' -@sys.description('Policy Assignment resource ID') +@sys.description('Policy Assignment resource Id') output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name) @sys.description('The name of the resource group the policy was assigned to') diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md index 49e46a91c9..8fd6ca4514 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md 
@@ -13,7 +13,7 @@ With this module you can perform policy assignments on a resource group level | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | +| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | 
@@ -24,19 +24,19 @@ With this module you can perform policy assignments on a resource group level | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | -| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | +| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. | | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment | -| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment | +| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. 
They must match on what is on the policy definition | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Assignment Name | -| `principalId` | string | Policy Assignment principal ID | +| `principalId` | string | Policy Assignment principal Id | | `resourceGroupName` | string | The name of the resource group the policy was assigned to | -| `resourceId` | string | Policy Assignment resource ID | +| `resourceId` | string | Policy Assignment resource Id | ## Template references diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep index b0fb8f6696..9667ffaf5f 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep @@ -11,7 +11,7 @@ param description string = '' @maxLength(128) param displayName string = '' -@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.') +@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.') param policyDefinitionId string @sys.description('Optional. Parameters for the policy assignment if needed.') 
@@ -24,7 +24,7 @@ param parameters object = {} ]) param identity string = 'SystemAssigned' -@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') +@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition') param roleDefinitionIds array = [] @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') @@ -50,7 +50,7 @@ var nonComplianceMessage_var = { message: !empty(nonComplianceMessage) ? nonComplianceMessage : null } -@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment') param subscriptionId string = subscription().subscriptionId var identity_var = identity == 'SystemAssigned' ? { 
@@ -85,8 +85,8 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev @sys.description('Policy Assignment Name') output name string = policyAssignment.name -@sys.description('Policy Assignment principal ID') +@sys.description('Policy Assignment principal Id') output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : '' -@sys.description('Policy Assignment resource ID') +@sys.description('Policy Assignment resource Id') output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name) diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md index 9d7739e350..dba6518de3 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md 
@@ -23,17 +23,17 @@ With this module you can perform policy assignments on a subscription level. | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | -| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | -| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment | +| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. | +| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. 
The subscription Id of the subscription for the policy assignment | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Assignment Name | -| `principalId` | string | Policy Assignment principal ID | -| `resourceId` | string | Policy Assignment resource ID | +| `principalId` | string | Policy Assignment principal Id | +| `resourceId` | string | Policy Assignment resource Id | ## Template references diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep index 1c6a9c8093..3908ee9b9c 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep @@ -30,10 +30,10 @@ param parameters object = {} @sys.description('Required. The Policy Rule details for the Policy Definition') param policyRule object -@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')') +@sys.description('Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')') param managementGroupId string = '' -@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId') +@sys.description('Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId') param subscriptionId string = '' @sys.description('Optional. Location for all resources.') 
@@ -72,7 +72,7 @@ module policyDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGr @sys.description('Policy Definition Name') output name string = !empty(managementGroupId) ? policyDefinition_mg.outputs.name : policyDefinition_sub.outputs.name -@sys.description('Policy Definition resource ID') +@sys.description('Policy Definition resource Id') output resourceId string = !empty(managementGroupId) ? policyDefinition_mg.outputs.resourceId : policyDefinition_sub.outputs.resourceId @sys.description('Policy Definition Role Definition IDs') diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep index f9bb25c103..4b1a4fb459 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep @@ -30,7 +30,7 @@ param parameters object = {} @sys.description('Required. The Policy Rule details for the Policy Definition') param policyRule object -@sys.description('Required. The group ID of the Management Group') +@sys.description('Required. The group Id of the Management Group') param managementGroupId string resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = { @@ -49,7 +49,7 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' @sys.description('Policy Definition Name') output name string = policyDefinition.name -@sys.description('Policy Definition resource ID') +@sys.description('Policy Definition resource Id') output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyDefinitions', policyDefinition.name) @sys.description('Policy Definition Role Definition IDs') 
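Review bot: The rename is applied inconsistently inside this hunk: the changed line now reads `Policy Definition resource Id` while the context line two below still reads `Policy Definition Role Definition IDs`, and the untouched `The IDs Of the Azure Role Definition list…` strings in the policyAssignments hunks keep the old casing too. The readme tables in this patch mirror these `@sys.description` strings verbatim, so a half-applied convention lands in the user-facing parameter and output tables. Either convert the plural as well, `@sys.description('Policy Definition Role Definition Ids')`, or keep the initialism "ID"/"IDs" throughout, which is what Azure's own documentation uses; whichever is chosen should be stated in the contributing guide so the next module follows it. The `policyDefinition_sub` module named in the hunk header starts outside the hunk.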
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md index 014c559462..5e811eed6d 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md @@ -14,7 +14,7 @@ With this module you can create policy definitions on a management group level. | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | -| `managementGroupId` | string | | | Required. The group ID of the Management Group | +| `managementGroupId` | string | | | Required. The group Id of the Management Group | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. | @@ -26,7 +26,7 @@ With this module you can create policy definitions on a management group level. | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Definition Name | -| `resourceId` | string | Policy Definition resource ID | +| `resourceId` | string | Policy Definition resource Id | | `roleDefinitionIds` | array | Policy Definition Role Definition IDs | ## Template references diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md index 9d6679bad7..8584204ada 100644 
--- a/arm/Microsoft.Authorization/policyDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
@@ -15,13 +15,13 @@ With this module you can create policy definitions across the management group o | `description` | string | | | Optional. The policy definition description. | | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | +| `managementGroupId` | string | | | Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | -| `subscriptionId` | string | | | Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId | +| `subscriptionId` | string | | | Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId | ### Parameter Usage: `managementGroupId` 
@@ -71,7 +71,7 @@ module policydefinition 'yourpath/arm/Microsoft.Authorization.policyDefinitions/ | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Definition Name | -| `resourceId` | string | Policy Definition resource ID | +| `resourceId` | string | Policy Definition resource Id | | `roleDefinitionIds` | array | Policy Definition Role Definition IDs | ## Template references diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep index b99c23225c..f332825350 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep @@ -30,7 +30,7 @@ param parameters object = {} @sys.description('Required. The Policy Rule details for the Policy Definition') param policyRule object -@sys.description('Optional. The subscription ID of the subscription') +@sys.description('Optional. The subscription Id of the subscription') param subscriptionId string = subscription().subscriptionId resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = { @@ -49,7 +49,7 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' @sys.description('Policy Definition Name') output name string = policyDefinition.name -@sys.description('Policy Definition resource ID') +@sys.description('Policy Definition resource Id') output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyDefinitions', policyDefinition.name) @sys.description('Policy Definition Role Definition IDs') diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md index 4f47add459..f2f5372c7d 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md 
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md @@ -19,14 +19,14 @@ With this module you can create policy definitions on a subscription level. | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. | | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. | | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Policy Definition Name | -| `resourceId` | string | Policy Definition resource ID | +| `resourceId` | string | Policy Definition resource Id | | `roleDefinitionIds` | array | Policy Definition Role Definition IDs | ## Template references diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index 5c5a2801a9..681150e4dd 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep 
@@ -21,28 +21,28 @@ param metadata object = {} ]) param exemptionCategory string = 'Mitigated' -@sys.description('Required. The resource ID of the policy assignment that is being exempted.') +@sys.description('Required. The resource Id of the policy assignment that is being exempted.') param policyAssignmentId string -@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.') +@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.') param policyDefinitionReferenceIds array = [] @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ') param expiresOn string = '' -@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter.') +@sys.description('Optional. The group Id of the management group to be exempted from the policy assignment. Cannot use with subscription Id parameter.') param managementGroupId string = '' -@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter.') +@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment. Cannot use with management group Id parameter.') param subscriptionId string = '' -@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter.') +@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription Id parameter.') param resourceGroupName string = '' @sys.description('Optional. 
Location for all resources.') param location string = deployment().location -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.') param cuaId string = '' module policyExemption_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module' @@ -97,7 +97,7 @@ module policyExemption_rg 'resourceGroup/deploy.bicep' = if (empty(managementGro @sys.description('Policy Exemption Name') output name string = !empty(managementGroupId) ? policyExemption_mg.outputs.name : (!empty(resourceGroupName) ? policyExemption_rg.outputs.name : policyExemption_sub.outputs.name) -@sys.description('Policy Exemption resource ID') +@sys.description('Policy Exemption resource Id') output resourceId string = !empty(managementGroupId) ? policyExemption_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyExemption_rg.outputs.resourceId : policyExemption_sub.outputs.resourceId) @sys.description('Policy Exemption Scope') diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep index ae3ba11e10..a6a9b99952 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep 
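Review bot: The reworded scope descriptions (`Cannot use with subscription Id parameter`, `Must also use the subscription Id parameter`) state a constraint the template does not enforce: the `policyExemption_mg` module in this hunk deploys only `if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName))`, so a caller who sets conflicting scope parameters gets, depending on how the `output name`/`output resourceId` references to the undeployed module are evaluated, either a successful deployment that creates no exemption or an opaque error unrelated to the real mistake (the subscription and resource-group module conditions are outside this hunk, so I assume they mirror this one). For a resource whose purpose is to carve exceptions out of policy enforcement, silently doing nothing or failing obscurely is a poor outcome, so the descriptions should at least say what happens: e.g. `'Optional. The group Id of the management group to be exempted from the policy assignment. Mutually exclusive with subscriptionId and resourceGroupName; supplying more than one scope results in no exemption being deployed.'` A hard validation failure on conflicting scopes would be better still, but nothing in this patch shows an assertion mechanism in use, so that is a follow-up. The `policyExemption_mg` module body continues past the end of this hunk.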
@@ -21,16 +21,16 @@ param metadata object = {}
])
param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
+@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
param policyAssignmentId string
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
param policyDefinitionReferenceIds array = []
@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
param expiresOn string = ''
-@sys.description('Required. The group ID of the management group to be exempted from the policy assignment.')
+@sys.description('Required. The group Id of the management group to be exempted from the policy assignment.')
param managementGroupId string
resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
@@ -49,7 +49,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
@sys.description('Policy Exemption Name')
output name string = policyExemption.name
-@sys.description('Policy Exemption resource ID')
+@sys.description('Policy Exemption resource Id')
output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyExemptions', policyExemption.name)
@sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md
index 33383aabe6..1ab6b4ae36 100644
--- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md 
@@ -16,18 +16,18 @@ With this module you can create policy exemptions on a management group level.
| `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. |
| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
-| `managementGroupId` | string | | | Required. The group ID of the management group to be exempted from the policy assignment. |
+| `managementGroupId` | string | | | Required. The group Id of the management group to be exempted from the policy assignment. |
| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. |
-| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.
|
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource ID |
+| `resourceId` | string | Policy Exemption resource Id |
| `scope` | string | Policy Exemption Scope |
## Template references
diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md
index 27c0c2c55b..3ce6a4f084 100644
--- a/arm/Microsoft.Authorization/policyExemptions/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/readme.md
@@ -12,19 +12,19 @@ With this module you can create policy exemptions across the management group, s
| Parameter Name | Type | Default Value | Possible Values | Description |
| :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. |
| `description` | string | | | Optional. The description of the policy exemption. |
| `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. |
| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
| `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter. |
+| `managementGroupId` | string | | | Optional. The group Id of the management group to be exempted from the policy assignment. Cannot use with subscription Id parameter. |
| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. |
-| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted.
|
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. |
-| `subscriptionId` | string | | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. |
+| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
+| `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription Id parameter. |
+| `subscriptionId` | string | | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. Cannot use with management group Id parameter. |
### Parameter Usage: `managementGroupId`
@@ -89,7 +89,7 @@ module policyexemption 'yourpath/arm/Microsoft.Authorization.policyExemptions/su
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource ID |
+| `resourceId` | string | Policy Exemption resource Id |
| `scope` | string | Policy Exemption Scope |
## Considerations
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
index b12dd8ec33..fe649841b7 100644
--- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
@@ -21,22 +21,22 @@ param metadata object = {}
])
param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
+@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
param policyAssignmentId string
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
param policyDefinitionReferenceIds array = []
@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
param expiresOn string = ''
-@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.')
+@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment.')
param subscriptionId string = subscription().subscriptionId
@sys.description('Optional. The name of the resource group to be exempted from the policy assignment.')
param resourceGroupName string = resourceGroup().name
-@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
+@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.')
param cuaId string = ''
module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -60,7 +60,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
@sys.description('Policy Exemption Name')
output name string = policyExemption.name
-@sys.description('Policy Exemption resource ID')
+@sys.description('Policy Exemption resource Id')
output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyExemptions', policyExemption.name)
@sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
index c35eaaf7f9..0baf3edd97 100644
--- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
@@ -12,17 +12,17 @@ With this module you can create policy exemptions on a resource group level.
| Parameter Name | Type | Default Value | Possible Values | Description |
| :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. |
| `description` | string | | | Optional. The description of the policy exemption. |
| `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. |
| `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. |
-| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional.
The name of the resource group to be exempted from the policy assignment. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. |
## Outputs
@@ -30,7 +30,7 @@ With this module you can create policy exemptions on a resource group level.
| :-- | :-- | :-- |
| `name` | string | Policy Exemption Name |
| `resourceGroupName` | string | The name of the resource group the policy exemption was applied at |
-| `resourceId` | string | Policy Exemption resource ID |
+| `resourceId` | string | Policy Exemption resource Id |
| `scope` | string | Policy Exemption Scope |
## Template references
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
index 8b1f7a5f89..8ca59a28e3 100644
--- a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
@@ -21,16 +21,16 @@ param metadata object = {}
])
param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
+@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
param policyAssignmentId string
-@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
param policyDefinitionReferenceIds array = []
@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
param expiresOn string = ''
-@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.')
+@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment.')
param subscriptionId string = subscription().subscriptionId
resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
@@ -49,7 +49,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
@sys.description('Policy Exemption Name')
output name string = policyExemption.name
-@sys.description('Policy Exemption resource ID')
+@sys.description('Policy Exemption resource Id')
output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyExemptions', policyExemption.name)
@sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
index 428baf3dba..9718705707 100644
--- a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
@@ -18,16 +18,16 @@ With this module you can create policy exemptions on a subscription level.
| `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
| `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. |
-| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. |
+| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource ID |
+| `resourceId` | string | Policy Exemption resource Id |
| `scope` | string | Policy Exemption Scope |
## Template references
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
index 25515d0c4a..216ea8a2aa 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
@@ -11,16 +11,16 @@ param displayName string = ''
@sys.description('Optional. The description name of the Set Definition (Initiative)')
param description string = ''
-@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+@sys.description('Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
param managementGroupId string = ''
-@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId')
+@sys.description('Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId')
param subscriptionId string = ''
@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
param policyDefinitions array
@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -65,5 +65,5 @@ module policySetDefinition_sub 'subscription/deploy.bicep' = if (empty(managemen
@sys.description('Policy Set Definition Name')
output name string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.name : policySetDefinition_sub.outputs.name
-@sys.description('Policy Set Definition resource ID')
+@sys.description('Policy Set Definition resource Id')
output resourceId string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.resourceId : policySetDefinition_sub.outputs.resourceId
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
index e72a36e57a..8fe2a20c56 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
@@ -11,13 +11,13 @@ param displayName string = ''
@sys.description('Optional. The description name of the Set Definition (Initiative)')
param description string = ''
-@sys.description('Required. The group ID of the Management Group')
+@sys.description('Required. The group Id of the Management Group')
param managementGroupId string
@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
param policyDefinitions array
@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -42,5 +42,5 @@ resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-
@sys.description('Policy Set Definition Name')
output name string = policySetDefinition.name
-@sys.description('Policy Set Definition resource ID')
+@sys.description('Policy Set Definition resource Id')
output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
index 4d75f039aa..194bcc6f71 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
@@ -14,19 +14,19 @@ With this module you can create policy set definitions on a management group lev
| :-- | :-- | :-- | :-- | :-- |
| `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
-| `managementGroupId` | string | | | Required. The group ID of the Management Group |
+| `managementGroupId` | string | | | Required. The group Id of the Management Group |
| `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope. |
| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource ID |
+| `resourceId` | string | Policy Set Definition resource Id |
## Template references
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
index 5a425b9f67..023af4db1e 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -15,13 +15,13 @@ With this module you can create policy set definitions across the management gro
| `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
| `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
| `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
+| `managementGroupId` | string | | | Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
| `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope. |
| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
-| `subscriptionId` | string | | | Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set.
Each object must include the Policy definition Id, and optionally other properties like parameters |
+| `subscriptionId` | string | | | Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId |
### Parameter Usage: `managementGroupId`
@@ -71,7 +71,7 @@ module policysetdefinition 'yourpath/arm/Microsoft.Authorization.policySetDefini
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource ID |
+| `resourceId` | string | Policy Set Definition resource Id |
## Considerations
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
index 236bc90c5c..28b5e2712e 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
@@ -11,13 +11,13 @@ param displayName string = ''
@sys.description('Optional. The description name of the Set Definition (Initiative)')
param description string = ''
-@sys.description('Optional. The subscription ID of the subscription')
+@sys.description('Optional. The subscription Id of the subscription')
param subscriptionId string = subscription().subscriptionId
@sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
param policyDefinitions array
@sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -42,5 +42,5 @@ resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-
@sys.description('Policy Set Definition Name')
output name string = policySetDefinition.name
-@sys.description('Policy Set Definition resource ID')
+@sys.description('Policy Set Definition resource Id')
output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
index 11a83a542b..107d434f06 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
@@ -18,15 +18,15 @@ With this module you can create policy set definitions on a subscription level.
| `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. |
| `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
| `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription |
## Outputs
| Output Name | Type | Description |
| :-- | :-- | :-- |
| `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource ID |
+| `resourceId` | string | Policy Set Definition resource Id |
## Template references
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index 0242ebe3c3..a6f419f4ca 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -1,18 +1,18 @@ targetScope = 'managementGroup' -@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleDefinitionIdOrName string -@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') +@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string -@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.') +@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription Id is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.') param resourceGroupName string = '' -@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.') +@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.') param subscriptionId string = '' -@sys.description('Optional. 
Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.') +@sys.description('Optional. Group Id of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.') param managementGroupId string = '' @sys.description('Optional. Location for all resources.') @@ -33,7 +33,7 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID.') +@sys.description('Optional. The principal type of the assigned principal Id.') @allowed([ 'ServicePrincipal' 'Group' @@ -44,7 +44,7 @@ param conditionVersion string = '2.0' ]) param principalType string = '' -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.') param cuaId string = '' module roleAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { 
@@ -97,7 +97,7 @@ module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou @sys.description('The GUID of the Role Assignment') output name string = !empty(managementGroupId) ? roleAssignment_mg.outputs.name : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.name : roleAssignment_sub.outputs.name) -@sys.description('The resource ID of the Role Assignment') +@sys.description('The resource Id of the Role Assignment') output resourceId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.resourceId : roleAssignment_sub.outputs.resourceId) @sys.description('The scope this Role Assignment applies to') diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep index a08f85f4c7..7dd9765c84 100644 --- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep 
@@ -1,12 +1,12 @@
 targetScope = 'managementGroup'
 
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleDefinitionIdOrName string
 
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
+@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
 
-@sys.description('Required. Group ID of the Management Group to assign the RBAC role to')
+@sys.description('Required. Group Id of the Management Group to assign the RBAC role to')
 param managementGroupId string
 
 @sys.description('Optional. Description of role assignment')
@@ -24,7 +24,7 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
 
-@sys.description('Optional. The principal type of the assigned principal ID.')
+@sys.description('Optional. The principal type of the assigned principal Id.')
 @allowed([
   'ServicePrincipal'
   'Group'
@@ -337,7 +337,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('The GUID of the Role Assignment')
 output name string = roleAssignment.name
 
-@sys.description('The resource ID of the Role Assignment')
+@sys.description('The resource Id of the Role Assignment')
 output scope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)
 
 @sys.description('The scope this Role Assignment applies to')
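Review bot: The description string `'The resource Id of the Role Assignment'` in the last hunk still sits directly above `output scope string = tenantResourceId(...)`, so the reworded decorator labels the scope output as a resource ID, and the regenerated managementGroup/readme.md in this commit shows the `resourceId` and `scope` rows with their descriptions swapped. Since the decorators are being touched anyway, the pairing should be corrected at the same time: place `@sys.description('The scope this Role Assignment applies to')` above `output scope` and `@sys.description('The resource Id of the Role Assignment')` above the `resourceId` output, which appears to follow outside the hunk. The same swap is present on the new side of resourceGroup/deploy.bicep (`output scope string = resourceGroup().id`) and subscription/deploy.bicep (`output scope string = subscription().id`) and in their readmes, whereas the parent roleAssignments/deploy.bicep pairs the two descriptions correctly. Consumers that audit or remove assignments based on these outputs would otherwise pick up a scope where the documentation promises the assignment's resource ID, so the readme tables should be regenerated once the decorators are fixed.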
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md index 1befe75a12..8fc0c035cd 100644 --- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md 
@@ -16,10 +16,10 @@ With this module you can perform role assignments on a management group level | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `managementGroupId` | string | | | Required. Group ID of the Management Group to assign the RBAC role to | -| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | -| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `managementGroupId` | string | | | Required. Group Id of the Management Group to assign the RBAC role to | +| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | ## Outputs 
@@ -27,7 +27,7 @@ With this module you can perform role assignments on a management group level
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Assignment |
 | `resourceId` | string | The scope this Role Assignment applies to |
-| `scope` | string | The resource ID of the Role Assignment |
+| `scope` | string | The resource Id of the Role Assignment |
 
 ## Template references
 
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
index e3f3b5b434..6383187532 100644
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -14,16 +14,16 @@ This module deploys Role Assignments across the management group, subscription o | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | +| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | -| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | -| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | -| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | | | Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `managementGroupId` | string | | | Optional. Group Id of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | +| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | +| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription Id is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | | | Optional. Subscription Id of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | ### Parameter Usage: `managementGroupId` 
@@ -88,7 +88,7 @@ module roleassignment 'yourpath/arm/Microsoft.Authorization.roleAssignments/subs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment | -| `resourceId` | string | The resource ID of the Role Assignment | +| `resourceId` | string | The resource Id of the Role Assignment | | `scope` | string | The scope this Role Assignment applies to | ## Considerations diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep index f58cdf69e3..dfb355b6a3 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep 
@@ -1,15 +1,15 @@ targetScope = 'resourceGroup' -@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleDefinitionIdOrName string -@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') +@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string @sys.description('Optional. Name of the Resource Group to assign the RBAC role to.') param resourceGroupName string = resourceGroup().name -@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.') +@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Description of role assignment') @@ -27,7 +27,7 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID.') +@sys.description('Optional. The principal type of the assigned principal Id.') @allowed([ 'ServicePrincipal' 'Group' @@ -38,7 +38,7 @@ param conditionVersion string = '2.0' ]) param principalType string = '' -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.') param cuaId string = '' var builtInRoleNames_var = { 
@@ -348,7 +348,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('The GUID of the Role Assignment')
 output name string = roleAssignment.name
 
-@sys.description('The resource ID of the Role Assignment')
+@sys.description('The resource Id of the Role Assignment')
 output scope string = resourceGroup().id
 
 @sys.description('The scope this Role Assignment applies to')
diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
index 2cce24a0d8..dd6f320961 100644
--- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md
@@ -14,14 +14,14 @@ With this module you can perform role assignments on a resource group level | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | +| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. Name of the Resource Group to assign the RBAC role to. | -| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | +| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription Id of the subscription to assign the RBAC role to. | ## Outputs @@ -30,7 +30,7 @@ With this module you can perform role assignments on a resource group level | `name` | string | The GUID of the Role Assignment | | `resourceGroupName` | string | The name of the resource group the role assignment was applied at | | `resourceId` | string | The scope this Role Assignment applies to | -| `scope` | string | The resource ID of the Role Assignment | +| `scope` | string | The resource Id of the Role Assignment | ## Template references diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep index 757cb9eb4b..9c47e57db5 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep 
@@ -1,12 +1,12 @@
 targetScope = 'subscription'
 
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleDefinitionIdOrName string
 
-@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
+@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
 
-@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.')
+@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to.')
 param subscriptionId string = subscription().subscriptionId
 
 @sys.description('Optional. Description of role assignment')
@@ -24,7 +24,7 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
 
-@sys.description('Optional. The principal type of the assigned principal ID.')
+@sys.description('Optional. The principal type of the assigned principal Id.')
 @allowed([
   'ServicePrincipal'
   'Group'
@@ -337,7 +337,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('The GUID of the Role Assignment')
 output name string = roleAssignment.name
 
-@sys.description('The resource ID of the Role Assignment')
+@sys.description('The resource Id of the Role Assignment')
 output scope string = subscription().id
 
 @sys.description('The scope this Role Assignment applies to')
diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md index 062643cc61..676a288cc1 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md 
@@ -16,10 +16,10 @@ With this module you can perform role assignments on a subscription level | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | | `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | -| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | +| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription Id of the subscription to assign the RBAC role to. | ## Outputs 
@@ -27,7 +27,7 @@ With this module you can perform role assignments on a subscription level | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment | | `resourceId` | string | The scope this Role Assignment applies to | -| `scope` | string | The resource ID of the Role Assignment | +| `scope` | string | The resource Id of the Role Assignment | ## Template references diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index 22ccab9783..fd9f7b9a11 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep @@ -18,10 +18,10 @@ param dataActions array = [] @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes') param notDataActions array = [] -@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.') +@sys.description('Optional. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.') param managementGroupId string = '' -@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.') +@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.') param subscriptionId string = '' @sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.') 
@@ -33,7 +33,7 @@ param location string = deployment().location @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') param assignableScopes array = [] -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') +@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.') param cuaId string = '' module roleDefinition_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { @@ -84,7 +84,7 @@ module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou @sys.description('The GUID of the Role Definition') output name string = !empty(managementGroupId) ? roleDefinition_mg.outputs.name : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.name : roleDefinition_sub.outputs.name) -@sys.description('The resource ID of the Role Definition') +@sys.description('The resource Id of the Role Definition') output resourceId string = !empty(managementGroupId) ? roleDefinition_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.resourceId : roleDefinition_sub.outputs.resourceId) @sys.description('The scope this Role Definition applies to') diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep index 107e10adee..9f417d0866 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep 
@@ -12,7 +12,7 @@ param actions array = [] @sys.description('Optional. List of denied actions.') param notActions array = [] -@sys.description('Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to.') +@sys.description('Required. The group Id of the Management Group where the Role Definition and Target Scope will be applied to.') param managementGroupId string @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') @@ -40,5 +40,5 @@ output name string = roleDefinition.name @sys.description('The scope this Role Definition applies to') output scope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId) -@sys.description('The resource ID of the Role Definition') +@sys.description('The resource Id of the Role Definition') output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/roleDefinitions', roleDefinition.name) diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md index 274f2d8622..73512671d9 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md 
@@ -15,7 +15,7 @@ With this module you can create role definitions on a management group level | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | -| `managementGroupId` | string | | | Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. | +| `managementGroupId` | string | | | Required. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | @@ -24,7 +24,7 @@ With this module you can create role definitions on a management group level | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | -| `resourceId` | string | The resource ID of the Role Definition | +| `resourceId` | string | The resource Id of the Role Definition | | `scope` | string | The scope this Role Definition applies to | ## Template references diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index 99926c6326..e9a1792495 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -14,16 +14,16 @@ This module deploys custom RBAC Role Definitions across the management group, su
 | :-- | :-- | :-- | :-- | :-- |
 | `actions` | array | `[]` | | Optional. List of allowed actions. |
 | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. |
-| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. |
 | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `description` | string | | | Optional. Description of the custom RBAC role to be created. |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. |
+| `managementGroupId` | string | | | Optional. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. |
 | `notActions` | array | `[]` | | Optional. List of denied actions. |
 | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `resourceGroupName` | string | | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. |
 | `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
-| `subscriptionId` | string | | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. |
+| `subscriptionId` | string | | | Optional. The subscription Id where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. |
 ### Parameter Usage: `managementGroupId`
@@ -88,16 +88,16 @@ module roledefinition 'yourpath/arm/Microsoft.Authorization.roleDefinitions/subs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Definition |
-| `resourceId` | string | The resource ID of the Role Definition |
+| `resourceId` | string | The resource Id of the Role Definition |
 | `roleDefinitionScope` | string | The scope this Role Definition applies to |
 ## Considerations
 This module can be deployed both at subscription or resource group level:
-- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription ID in the `subscriptionId` parameter.
-- To deploy the module at the subscription level, provide an existing subscription ID in the `subscriptionId` parameter.
-- To deploy the module at the management group level, provide an existing management group ID in the `managementGroupId` parameter.
+- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription Id in the `subscriptionId` parameter.
+- To deploy the module at the subscription level, provide an existing subscription Id in the `subscriptionId` parameter.
+- To deploy the module at the management group level, provide an existing management group Id in the `managementGroupId` parameter.
 ## Template references
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
index 3f26be34eb..a92721326b 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
@@ -18,7 +18,7 @@ param dataActions array = []
 @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes')
 param notDataActions array = []
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.')
+@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to.')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.')
@@ -27,7 +27,7 @@ param resourceGroupName string = resourceGroup().name
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
 param assignableScopes array = []
-@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
+@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.')
 param cuaId string = ''
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -59,7 +59,7 @@ output name string = roleDefinition.name
 @sys.description('The scope this Role Definition applies to')
 output scope string = resourceGroup().id
-@sys.description('The resource ID of the Role Definition')
+@sys.description('The resource Id of the Role Definition')
 output resourceId string = roleDefinition.id
 @sys.description('The name of the resource group the role definition was created at')
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
index 6d1a05b397..8b5992e675 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
@@ -14,14 +14,14 @@ With this module you can create role definitions on a resource group level
 | :-- | :-- | :-- | :-- | :-- |
 | `actions` | array | `[]` | | Optional. List of allowed actions. |
 | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. |
-| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. |
 | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `description` | string | | | Optional. Description of the custom RBAC role to be created. |
 | `notActions` | array | `[]` | | Optional. List of denied actions. |
 | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. |
 | `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id where the Role Definition and Target Scope will be applied to. |
 ## Outputs
@@ -29,7 +29,7 @@ With this module you can create role definitions on a resource group level
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Definition |
 | `resourceGroupName` | string | The name of the resource group the role definition was created at |
-| `resourceId` | string | The resource ID of the Role Definition |
+| `resourceId` | string | The resource Id of the Role Definition |
 | `scope` | string | The scope this Role Definition applies to |
 ## Template references
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
index 7141c3330f..0b46874a1f 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
@@ -18,7 +18,7 @@ param dataActions array = []
 @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes')
 param notDataActions array = []
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.')
+@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to.')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
@@ -48,5 +48,5 @@ output name string = roleDefinition.name
 @sys.description('The scope this Role Definition applies to')
 output scope string = subscription().id
-@sys.description('The resource ID of the Role Definition')
+@sys.description('The resource Id of the Role Definition')
 output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/roleDefinitions', roleDefinition.name)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
index b8e854491c..114d9c5b5e 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
@@ -19,14 +19,14 @@ With this module you can create role definitions on a subscription level
 | `notActions` | array | `[]` | | Optional. List of denied actions. |
 | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id where the Role Definition and Target Scope will be applied to. |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Definition |
-| `resourceId` | string | The resource ID of the Role Definition |
+| `resourceId` | string | The resource Id of the Role Definition |
 | `scope` | string | The scope this Role Definition applies to |
 ## Template references
From 9647ff4489493e637765d0628beeb7145f91bc15 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 25 Feb 2022 09:59:35 +1100 Subject: [PATCH 30/43] Switched 'Id' to 'ID' to all ms auth. namespace --- .../policyAssignments/deploy.bicep | 12 ++++++------ .../managementGroup/deploy.bicep | 8 ++++---- .../managementGroup/readme.md | 8 ++++---- .../policyAssignments/readme.md | 12 ++++++------ .../resourceGroup/deploy.bicep | 12 ++++++------ .../policyAssignments/resourceGroup/readme.md | 12 ++++++------ .../subscription/deploy.bicep | 10 +++++----- .../policyAssignments/subscription/readme.md | 10 +++++----- .../policyDefinitions/deploy.bicep | 6 +++--- .../managementGroup/deploy.bicep | 4 ++-- .../managementGroup/readme.md | 4 ++-- .../policyDefinitions/readme.md | 6 +++--- .../subscription/deploy.bicep | 4 ++-- .../policyDefinitions/subscription/readme.md | 4 ++-- .../policyExemptions/deploy.bicep | 14 +++++++------- .../managementGroup/deploy.bicep | 8 ++++---- .../policyExemptions/managementGroup/readme.md | 8 ++++---- .../policyExemptions/readme.md | 14 +++++++------- .../resourceGroup/deploy.bicep | 10 +++++----- .../policyExemptions/resourceGroup/readme.md | 10 +++++----- .../policyExemptions/subscription/deploy.bicep | 8 ++++---- .../policyExemptions/subscription/readme.md | 8 ++++---- .../policySetDefinitions/deploy.bicep | 8 ++++---- .../managementGroup/deploy.bicep | 6 +++--- .../managementGroup/readme.md | 6 +++--- .../policySetDefinitions/readme.md | 8 ++++---- .../subscription/deploy.bicep | 6 +++--- .../subscription/readme.md | 6 +++--- .../roleAssignments/deploy.bicep | 18 +++++++++--------- .../managementGroup/deploy.bicep | 12 ++++++------ .../roleAssignments/managementGroup/readme.md | 12 ++++++------ .../roleAssignments/readme.md | 18 +++++++++--------- .../roleAssignments/resourceGroup/deploy.bicep | 14 +++++++------- .../roleAssignments/resourceGroup/readme.md | 14 +++++++------- .../roleAssignments/subscription/deploy.bicep | 12 ++++++------ 
.../roleAssignments/subscription/readme.md | 12 ++++++------ .../roleDefinitions/deploy.bicep | 8 ++++---- .../managementGroup/deploy.bicep | 4 ++-- .../roleDefinitions/managementGroup/readme.md | 4 ++-- .../roleDefinitions/readme.md | 14 +++++++------- .../roleDefinitions/resourceGroup/deploy.bicep | 6 +++--- .../roleDefinitions/resourceGroup/readme.md | 6 +++--- .../roleDefinitions/subscription/deploy.bicep | 4 ++-- .../roleDefinitions/subscription/readme.md | 4 ++-- 44 files changed, 197 insertions(+), 197 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index 628c445bed..a9dba4cb84 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -10,7 +10,7 @@ param description string = ''
 @maxLength(128)
 param displayName string = ''
-@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.')
+@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
 param policyDefinitionId string
 @sys.description('Optional. Parameters for the policy assignment if needed.')
@@ -23,7 +23,7 @@ param parameters object = {}
 ])
 param identity string = 'SystemAssigned'
-@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
+@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
 param roleDefinitionIds array = []
 @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
@@ -42,7 +42,7 @@ param enforcementMode string = 'Default'
 @sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment')
 param managementGroupId string = ''
-@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment')
+@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment')
 param subscriptionId string = ''
 @sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
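Review bot: The rewritten description in the -23,7 hunk still labels `roleDefinitionIds` as `Required.` while the declaration directly below it, `param roleDefinitionIds array = []`, carries a default, so the compiler never enforces the requirement and an empty list passes silently; either drop the default (`param roleDefinitionIds array`) or change the label to `Optional.` and say what an empty list means. The same sentence also keeps "You need to provide either the fully qualified ID in the following format: ..'.." with no second alternative and a doubled period, which should be tidied while the line is being touched. The role assignment resource that consumes this list is outside this hunk (it is only visible as a later hunk header), so I can only infer that an empty list leaves a `SystemAssigned` identity without the permissions the description promises. The identical description recurs in the -24,7 hunks of managementGroup/deploy.bicep and resourceGroup/deploy.bicep and in the corresponding readme tables, so the fix should be applied there as well.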
@@ -54,7 +54,7 @@ param notScopes array = []
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
 param cuaId string = ''
 module policyAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
@@ -121,8 +121,8 @@ module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGr
 @sys.description('Policy Assignment Name')
 output name string = !empty(managementGroupId) ? policyAssignment_mg.outputs.name : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.name : policyAssignment_sub.outputs.name)
-@sys.description('Policy Assignment principal Id')
+@sys.description('Policy Assignment principal ID')
 output principalId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.principalId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.principalId : policyAssignment_sub.outputs.principalId)
-@sys.description('Policy Assignment resource Id')
+@sys.description('Policy Assignment resource ID')
 output resourceId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.resourceId : policyAssignment_sub.outputs.resourceId)
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
index a8210b33dc..1c7d42b156 100644
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
@@ -11,7 +11,7 @@ param description string = ''
 @maxLength(128)
 param displayName string = ''
-@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.')
+@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
 param policyDefinitionId string
 @sys.description('Optional. Parameters for the policy assignment if needed.')
@@ -24,7 +24,7 @@ param parameters object = {}
 ])
 param identity string = 'SystemAssigned'
-@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
+@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
 param roleDefinitionIds array = []
 @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
@@ -85,8 +85,8 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('Policy Assignment Name')
 output name string = policyAssignment.name
-@sys.description('Policy Assignment principal Id')
+@sys.description('Policy Assignment principal ID')
 output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-@sys.description('Policy Assignment resource Id')
+@sys.description('Policy Assignment resource ID')
 output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md
index 4cd4b2e9bd..47dea3ecd4 100644
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md
@@ -24,16 +24,16 @@ With this module you can perform policy assignments on a management group level.
 | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
 | `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
 | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
-| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. |
-| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Assignment Name |
-| `principalId` | string | Policy Assignment principal Id |
-| `resourceId` | string | Policy Assignment resource Id |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index 177242867a..ad22c4e1f2 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -13,7 +13,7 @@ With this module you can perform policy assignments across the management group,
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. |
 | `description` | string | | | Optional. This message will be part of response in case of policy violation. |
 | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. |
 | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce |
@@ -25,10 +25,10 @@ With this module you can perform policy assignments across the management group,
 | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
 | `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
 | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
-| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
 | `resourceGroupName` | string | | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment |
-| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
-| `subscriptionId` | string | | | Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `subscriptionId` | string | | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment |
 ### Parameter Usage: `managementGroupId`
@@ -93,8 +93,8 @@ module policyassignment 'yourpath/arm/Microsoft.Authorization.policyAssignments/
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Assignment Name |
-| `principalId` | string | Policy Assignment principal Id |
-| `resourceId` | string | Policy Assignment resource Id |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep
index 96e0a8d20b..99ac551905 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep
@@ -11,7 +11,7 @@ param description string = ''
 @maxLength(128)
 param displayName string = ''
-@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.')
+@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
 param policyDefinitionId string
 @sys.description('Optional. Parameters for the policy assignment if needed.')
@@ -24,7 +24,7 @@ param parameters object = {}
 ])
 param identity string = 'SystemAssigned'
-@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
+@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
 param roleDefinitionIds array = []
 @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
@@ -50,13 +50,13 @@ var nonComplianceMessage_var = {
 message: !empty(nonComplianceMessage) ? nonComplianceMessage : null
 }
-@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment')
+@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
 param resourceGroupName string = resourceGroup().name
-@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.')
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
 param cuaId string = ''
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -96,10 +96,10 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('Policy Assignment Name')
 output name string = policyAssignment.name
-@sys.description('Policy Assignment principal Id')
+@sys.description('Policy Assignment principal ID')
 output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-@sys.description('Policy Assignment resource Id')
+@sys.description('Policy Assignment resource ID')
 output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
 @sys.description('The name of the resource group the policy was assigned to')
diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md
index 8fd6ca4514..49e46a91c9 100644
--- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md
@@ -13,7 +13,7 @@ With this module you can perform policy assignments on a resource group level
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. |
 | `description` | string | | | Optional. This message will be part of response in case of policy violation. |
 | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. |
 | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce |
@@ -24,19 +24,19 @@ With this module you can perform policy assignments on a resource group level
 | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
 | `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
 | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
-| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
 | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment |
-| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Assignment Name |
-| `principalId` | string | Policy Assignment principal Id |
+| `principalId` | string | Policy Assignment principal ID |
 | `resourceGroupName` | string | The name of the resource group the policy was assigned to |
-| `resourceId` | string | Policy Assignment resource Id |
+| `resourceId` | string | Policy Assignment resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep
index 9667ffaf5f..b0fb8f6696 100644
--- a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep
@@ -11,7 +11,7 @@ param description string = ''
 @maxLength(128)
 param displayName string = ''
-@sys.description('Required. Specifies the Id of the policy definition or policy set definition being assigned.')
+@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
 param policyDefinitionId string
 @sys.description('Optional. Parameters for the policy assignment if needed.')
@@ -24,7 +24,7 @@ param parameters object = {}
 ])
 param identity string = 'SystemAssigned'
-@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
+@sys.description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition')
 param roleDefinitionIds array = []
 @sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
@@ -50,7 +50,7 @@ var nonComplianceMessage_var = {
 message: !empty(nonComplianceMessage) ? nonComplianceMessage : null
 }
-@sys.description('Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment')
+@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment')
 param subscriptionId string = subscription().subscriptionId
 var identity_var = identity == 'SystemAssigned' ? {
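Review bot: The `roleDefinitionIds` description rewritten in the `@@ -24,7 +24,7 @@` hunk of policyAssignments/subscription/deploy.bicep only swaps `Id` for `ID` and keeps the rest of the wording as it was: the capitalised `Of` in `The IDs Of`, the double period after the example role definition ID (`...4b1b4947fb11\'.. See`), and `either` with no second alternative, so a reader cannot tell what other form, if any, is accepted. The readme table rows changed in the policyAssignments/resourceGroup and policyAssignments/subscription readme hunks appear to be generated from this string, so the same typos are propagated there. A cleaner version would be `@sys.description('Required. The IDs of the Azure role definitions used to assign permissions to the identity. Provide each one as a fully qualified resource ID in the format \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the IDs of built-in roles. They must match the roleDefinitionIds declared in the policy definition.')`, with the readme tables regenerated from it.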
@@ -85,8 +85,8 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('Policy Assignment Name')
 output name string = policyAssignment.name
-@sys.description('Policy Assignment principal Id')
+@sys.description('Policy Assignment principal ID')
 output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
-@sys.description('Policy Assignment resource Id')
+@sys.description('Policy Assignment resource ID')
 output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md
index dba6518de3..9d7739e350 100644
--- a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md
@@ -23,17 +23,17 @@ With this module you can perform policy assignments on a subscription level.
 | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. |
 | `notScopes` | array | `[]` | | Optional. The policy excluded scopes |
 | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. |
-| `policyDefinitionId` | string | | | Required. Specifies the Id of the policy definition or policy set definition being assigned. |
-| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription Id of the subscription for the policy assignment |
+| `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. |
+| `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Assignment Name |
-| `principalId` | string | Policy Assignment principal Id |
-| `resourceId` | string | Policy Assignment resource Id |
+| `principalId` | string | Policy Assignment principal ID |
+| `resourceId` | string | Policy Assignment resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index 3908ee9b9c..1c6a9c8093 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -30,10 +30,10 @@ param parameters object = {}
 @sys.description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
-@sys.description('Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
 param managementGroupId string = ''
-@sys.description('Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId')
+@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId')
 param subscriptionId string = ''
 @sys.description('Optional. Location for all resources.')
@@ -72,7 +72,7 @@ module policyDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGr
 @sys.description('Policy Definition Name')
 output name string = !empty(managementGroupId) ? policyDefinition_mg.outputs.name : policyDefinition_sub.outputs.name
-@sys.description('Policy Definition resource Id')
+@sys.description('Policy Definition resource ID')
 output resourceId string = !empty(managementGroupId) ? policyDefinition_mg.outputs.resourceId : policyDefinition_sub.outputs.resourceId
 @sys.description('Policy Definition Role Definition IDs')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
index 4b1a4fb459..f9bb25c103 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
@@ -30,7 +30,7 @@ param parameters object = {}
 @sys.description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
-@sys.description('Required. The group Id of the Management Group')
+@sys.description('Required. The group ID of the Management Group')
 param managementGroupId string
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
@@ -49,7 +49,7 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01'
 @sys.description('Policy Definition Name')
 output name string = policyDefinition.name
-@sys.description('Policy Definition resource Id')
+@sys.description('Policy Definition resource ID')
 output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyDefinitions', policyDefinition.name)
 @sys.description('Policy Definition Role Definition IDs')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
index 5e811eed6d..014c559462 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md
@@ -14,7 +14,7 @@ With this module you can create policy definitions on a management group level.
 | :-- | :-- | :-- | :-- | :-- |
 | `description` | string | | | Optional. The policy definition description. |
 | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. |
-| `managementGroupId` | string | | | Required. The group Id of the Management Group |
+| `managementGroupId` | string | | | Required. The group ID of the Management Group |
 | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
 | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. |
@@ -26,7 +26,7 @@ With this module you can create policy definitions on a management group level.
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Definition Name |
-| `resourceId` | string | Policy Definition resource Id |
+| `resourceId` | string | Policy Definition resource ID |
 | `roleDefinitionIds` | array | Policy Definition Role Definition IDs |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md
index 8584204ada..9d6679bad7 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
@@ -15,13 +15,13 @@ With this module you can create policy definitions across the management group o
 | `description` | string | | | Optional. The policy definition description. |
 | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
+| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
 | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. |
 | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. |
 | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition |
-| `subscriptionId` | string | | | Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId |
+| `subscriptionId` | string | | | Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId |
 ### Parameter Usage: `managementGroupId`
@@ -71,7 +71,7 @@ module policydefinition 'yourpath/arm/Microsoft.Authorization.policyDefinitions/
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Definition Name |
-| `resourceId` | string | Policy Definition resource Id |
+| `resourceId` | string | Policy Definition resource ID |
 | `roleDefinitionIds` | array | Policy Definition Role Definition IDs |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep
index f332825350..b99c23225c 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/deploy.bicep
@@ -30,7 +30,7 @@ param parameters object = {}
 @sys.description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
-@sys.description('Optional. The subscription Id of the subscription')
+@sys.description('Optional. The subscription ID of the subscription')
 param subscriptionId string = subscription().subscriptionId
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
@@ -49,7 +49,7 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01'
 @sys.description('Policy Definition Name')
 output name string = policyDefinition.name
-@sys.description('Policy Definition resource Id')
+@sys.description('Policy Definition resource ID')
 output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyDefinitions', policyDefinition.name)
 @sys.description('Policy Definition Role Definition IDs')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
index f2f5372c7d..4f47add459 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/subscription/readme.md
@@ -19,14 +19,14 @@ With this module you can create policy definitions on a subscription level.
 | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. |
 | `parameters` | object | `{object}` | | Optional. The policy definition parameters that can be used in policy definition references. |
 | `policyRule` | object | | | Required. The Policy Rule details for the Policy Definition |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Definition Name |
-| `resourceId` | string | Policy Definition resource Id |
+| `resourceId` | string | Policy Definition resource ID |
 | `roleDefinitionIds` | array | Policy Definition Role Definition IDs |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
index 681150e4dd..5c5a2801a9 100644
--- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
@@ -21,28 +21,28 @@ param metadata object = {}
 ])
 param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
+@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
 param policyAssignmentId string
-@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
 param policyDefinitionReferenceIds array = []
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
 param expiresOn string = ''
-@sys.description('Optional. The group Id of the management group to be exempted from the policy assignment. Cannot use with subscription Id parameter.')
+@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter.')
 param managementGroupId string = ''
-@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment. Cannot use with management group Id parameter.')
+@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter.')
 param subscriptionId string = ''
-@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription Id parameter.')
+@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter.')
 param resourceGroupName string = ''
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
 param cuaId string = ''
 module policyExemption_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module'
@@ -97,7 +97,7 @@ module policyExemption_rg 'resourceGroup/deploy.bicep' = if (empty(managementGro
 @sys.description('Policy Exemption Name')
 output name string = !empty(managementGroupId) ? policyExemption_mg.outputs.name : (!empty(resourceGroupName) ? policyExemption_rg.outputs.name : policyExemption_sub.outputs.name)
-@sys.description('Policy Exemption resource Id')
+@sys.description('Policy Exemption resource ID')
 output resourceId string = !empty(managementGroupId) ? policyExemption_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyExemption_rg.outputs.resourceId : policyExemption_sub.outputs.resourceId)
 @sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep
index a6a9b99952..ae3ba11e10 100644
--- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep
@@ -21,16 +21,16 @@ param metadata object = {}
 ])
 param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
+@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
 param policyAssignmentId string
-@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
 param policyDefinitionReferenceIds array = []
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
 param expiresOn string = ''
-@sys.description('Required. The group Id of the management group to be exempted from the policy assignment.')
+@sys.description('Required. The group ID of the management group to be exempted from the policy assignment.')
 param managementGroupId string
 resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
@@ -49,7 +49,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
 @sys.description('Policy Exemption Name')
 output name string = policyExemption.name
-@sys.description('Policy Exemption resource Id')
+@sys.description('Policy Exemption resource ID')
 output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyExemptions', policyExemption.name)
 @sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md
index 1ab6b4ae36..33383aabe6 100644
--- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md
@@ -16,18 +16,18 @@ With this module you can create policy exemptions on a management group level.
 | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. |
 | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
 | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
-| `managementGroupId` | string | | | Required. The group Id of the management group to be exempted from the policy assignment. |
+| `managementGroupId` | string | | | Required. The group ID of the management group to be exempted from the policy assignment. |
 | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. |
-| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource Id |
+| `resourceId` | string | Policy Exemption resource ID |
 | `scope` | string | Policy Exemption Scope |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md
index 3ce6a4f084..27c0c2c55b 100644
--- a/arm/Microsoft.Authorization/policyExemptions/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/readme.md
@@ -12,19 +12,19 @@ With this module you can create policy exemptions across the management group, s
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. |
 | `description` | string | | | Optional. The description of the policy exemption. |
 | `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. |
 | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
 | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group Id of the management group to be exempted from the policy assignment. Cannot use with subscription Id parameter. |
+| `managementGroupId` | string | | | Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter. |
 | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. |
-| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
-| `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription Id parameter. |
-| `subscriptionId` | string | | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. Cannot use with management group Id parameter. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `resourceGroupName` | string | | | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. |
+| `subscriptionId` | string | | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter. |
 ### Parameter Usage: `managementGroupId`
@@ -89,7 +89,7 @@ module policyexemption 'yourpath/arm/Microsoft.Authorization.policyExemptions/su
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource Id |
+| `resourceId` | string | Policy Exemption resource ID |
 | `scope` | string | Policy Exemption Scope |
 ## Considerations
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
index fe649841b7..b12dd8ec33 100644
--- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep
@@ -21,22 +21,22 @@ param metadata object = {}
 ])
 param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
+@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
 param policyAssignmentId string
-@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
 param policyDefinitionReferenceIds array = []
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
 param expiresOn string = ''
-@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment.')
+@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. The name of the resource group to be exempted from the policy assignment.')
 param resourceGroupName string = resourceGroup().name
-@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.')
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.')
 param cuaId string = ''
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -60,7 +60,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
 @sys.description('Policy Exemption Name')
 output name string = policyExemption.name
-@sys.description('Policy Exemption resource Id')
+@sys.description('Policy Exemption resource ID')
 output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyExemptions', policyExemption.name)
 @sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
index 0baf3edd97..c35eaaf7f9 100644
--- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md
@@ -12,17 +12,17 @@ With this module you can create policy exemptions on a resource group level.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. |
 | `description` | string | | | Optional. The description of the policy exemption. |
 | `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. |
 | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated |
 | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
 | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. |
-| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
 | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. 
The name of the resource group to be exempted from the policy assignment. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. |
 ## Outputs
@@ -30,7 +30,7 @@ With this module you can create policy exemptions on a resource group level.
 | :-- | :-- | :-- |
 | `name` | string | Policy Exemption Name |
 | `resourceGroupName` | string | The name of the resource group the policy exemption was applied at |
-| `resourceId` | string | Policy Exemption resource Id |
+| `resourceId` | string | Policy Exemption resource ID |
 | `scope` | string | Policy Exemption Scope |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
index 8ca59a28e3..8b1f7a5f89 100644
--- a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep
@@ -21,16 +21,16 @@ param metadata object = {}
 ])
 param exemptionCategory string = 'Mitigated'
-@sys.description('Required. The resource Id of the policy assignment that is being exempted.')
+@sys.description('Required. The resource ID of the policy assignment that is being exempted.')
 param policyAssignmentId string
-@sys.description('Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition.')
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
 param policyDefinitionReferenceIds array = []
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
 param expiresOn string = ''
-@sys.description('Optional. The subscription Id of the subscription to be exempted from the policy assignment.')
+@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.')
 param subscriptionId string = subscription().subscriptionId
 resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
@@ -49,7 +49,7 @@ resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-pr
 @sys.description('Policy Exemption Name')
 output name string = policyExemption.name
-@sys.description('Policy Exemption resource Id')
+@sys.description('Policy Exemption resource ID')
 output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyExemptions', policyExemption.name)
 @sys.description('Policy Exemption Scope')
diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
index 9718705707..428baf3dba 100644
--- a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md
@@ -18,16 +18,16 @@ With this module you can create policy exemptions on a subscription level.
 | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z |
 | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. |
-| `policyAssignmentId` | string | | | Required. The resource Id of the policy assignment that is being exempted. |
-| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference Id list when the associated policy assignment is an assignment of a policy set definition. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription to be exempted from the policy assignment. |
+| `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. |
+| `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Exemption Name |
-| `resourceId` | string | Policy Exemption resource Id |
+| `resourceId` | string | Policy Exemption resource ID |
 | `scope` | string | Policy Exemption Scope |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
index 216ea8a2aa..25515d0c4a 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
@@ -11,16 +11,16 @@ param displayName string = ''
 @sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
-@sys.description('Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
 param managementGroupId string = ''
-@sys.description('Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId')
+@sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId')
 param subscriptionId string = ''
 @sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
 param policyDefinitions array
 @sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -65,5 +65,5 @@ module policySetDefinition_sub 'subscription/deploy.bicep' = if (empty(managemen
 @sys.description('Policy Set Definition Name')
 output name string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.name : policySetDefinition_sub.outputs.name
-@sys.description('Policy Set Definition resource Id')
+@sys.description('Policy Set Definition resource ID')
 output resourceId string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.resourceId : policySetDefinition_sub.outputs.resourceId
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
index 8fe2a20c56..e72a36e57a 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep
@@ -11,13 +11,13 @@ param displayName string = ''
 @sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
-@sys.description('Required. The group Id of the Management Group')
+@sys.description('Required. The group ID of the Management Group')
 param managementGroupId string
 @sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
 param policyDefinitions array
 @sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -42,5 +42,5 @@ resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-
 @sys.description('Policy Set Definition Name')
 output name string = policySetDefinition.name
-@sys.description('Policy Set Definition resource Id')
+@sys.description('Policy Set Definition resource ID')
 output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
index 194bcc6f71..4d75f039aa 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md
@@ -14,19 +14,19 @@ With this module you can create policy set definitions on a management group lev
 | :-- | :-- | :-- | :-- | :-- |
 | `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
 | `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
-| `managementGroupId` | string | | | Required. The group Id of the Management Group |
+| `managementGroupId` | string | | | Required. The group ID of the Management Group |
 | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource Id |
+| `resourceId` | string | Policy Set Definition resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
index 023af4db1e..5a425b9f67 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -15,13 +15,13 @@ With this module you can create policy set definitions across the management gro
 | `description` | string | | | Optional. The description name of the Set Definition (Initiative) |
 | `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
-| `managementGroupId` | string | | | Optional. The group Id of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
+| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') |
 | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
 | `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters |
-| `subscriptionId` | string | | | Optional. The subscription Id of the subscription (Scope). Cannot be used with managementGroupId |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. 
Each object must include the Policy definition ID, and optionally other properties like parameters |
+| `subscriptionId` | string | | | Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId |
 ### Parameter Usage: `managementGroupId`
@@ -71,7 +71,7 @@ module policysetdefinition 'yourpath/arm/Microsoft.Authorization.policySetDefini
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource Id |
+| `resourceId` | string | Policy Set Definition resource ID |
 ## Considerations
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
index 28b5e2712e..236bc90c5c 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/deploy.bicep
@@ -11,13 +11,13 @@ param displayName string = ''
 @sys.description('Optional. The description name of the Set Definition (Initiative)')
 param description string = ''
-@sys.description('Optional. The subscription Id of the subscription')
+@sys.description('Optional. The subscription ID of the subscription')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
-@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters')
+@sys.description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
 param policyDefinitions array
 @sys.description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
@@ -42,5 +42,5 @@ resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2021-
 @sys.description('Policy Set Definition Name')
 output name string = policySetDefinition.name
-@sys.description('Policy Set Definition resource Id')
+@sys.description('Policy Set Definition resource ID')
 output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
index 107d434f06..11a83a542b 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/subscription/readme.md
@@ -18,15 +18,15 @@ With this module you can create policy set definitions on a subscription level.
 | `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 64 characters for subscription scope. |
 | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. |
 | `policyDefinitionGroups` | array | `[]` | | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). |
-| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition Id, and optionally other properties like parameters |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id of the subscription |
+| `policyDefinitions` | array | | | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription |
 ## Outputs
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | Policy Set Definition Name |
-| `resourceId` | string | Policy Set Definition resource Id |
+| `resourceId` | string | Policy Set Definition resource ID |
 ## Template references
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index a6f419f4ca..090af9262a 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -1,18 +1,18 @@
 targetScope = 'managementGroup'
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleDefinitionIdOrName string
-@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)')
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
-@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription Id is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
 param resourceGroupName string = ''
-@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
 param subscriptionId string = ''
-@sys.description('Optional. 
Group Id of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.')
+@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.')
 param managementGroupId string = ''
 @sys.description('Optional. Location for all resources.')
@@ -21,7 +21,7 @@ param location string = deployment().location
 @sys.description('Optional. Description of role assignment')
 param description string = ''
-@sys.description('Optional. Id of the delegated managed identity resource')
+@sys.description('Optional. ID of the delegated managed identity resource')
 param delegatedManagedIdentityResourceId string = ''
 @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to')
@@ -33,7 +33,7 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal Id.')
+@sys.description('Optional. The principal type of the assigned principal ID.')
 @allowed([
   'ServicePrincipal'
   'Group'
@@ -44,7 +44,7 @@ param conditionVersion string = '2.0'
 ])
 param principalType string = ''
-@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.')
+@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
 param cuaId string = ''
 module roleAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
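Review bot: The `principalType` description in the `@@ -33,7 +33,7 @@` hunk only restates the parameter name and gives no reason to set it, while the default of `''` on the `@@ -44,7 +44,7 @@` hunk means most callers will leave it unset; the same wording recurs in the management group child module at `@@ -24,7 +24,7 @@`. As I recall Azure's guidance, supplying the type explicitly matters for principals created in the same deployment, where an assignment can otherwise fail while the directory object is still replicating; that is worth confirming against the current documentation and then stating in the description, e.g. `@sys.description('Optional. The principal type of the assigned principal ID. Set it explicitly for principals created shortly before this assignment so the deployment does not fail while the directory object replicates.')`. The `@allowed` list and the module references this parameter feeds into continue outside the hunk.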
@@ -97,7 +97,7 @@ module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou
 @sys.description('The GUID of the Role Assignment')
 output name string = !empty(managementGroupId) ? roleAssignment_mg.outputs.name : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.name : roleAssignment_sub.outputs.name)
-@sys.description('The resource Id of the Role Assignment')
+@sys.description('The resource ID of the Role Assignment')
 output resourceId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.resourceId : roleAssignment_sub.outputs.resourceId)
 @sys.description('The scope this Role Assignment applies to')
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
index 7dd9765c84..4cda3097f5 100644
--- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
@@ -1,18 +1,18 @@
 targetScope = 'managementGroup'
-@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleDefinitionIdOrName string
-@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)')
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
-@sys.description('Required. Group Id of the Management Group to assign the RBAC role to')
+@sys.description('Required. Group ID of the Management Group to assign the RBAC role to')
 param managementGroupId string
 @sys.description('Optional. Description of role assignment')
 param description string = ''
-@sys.description('Optional. Id of the delegated managed identity resource')
+@sys.description('Optional. ID of the delegated managed identity resource')
 param delegatedManagedIdentityResourceId string = ''
 @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to')
@@ -24,7 +24,7 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal Id.')
+@sys.description('Optional. The principal type of the assigned principal ID.')
 @allowed([
   'ServicePrincipal'
   'Group'
@@ -337,7 +337,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev
 @sys.description('The GUID of the Role Assignment')
 output name string = roleAssignment.name
-@sys.description('The resource Id of the Role Assignment')
+@sys.description('The resource ID of the Role Assignment')
 output scope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)
 @sys.description('The scope this Role Assignment applies to')
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
index 8fc0c035cd..9d56228aa0 100644
--- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md
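Review bot: The description rewritten in this hunk is attached to the wrong output: `@sys.description('The resource ID of the Role Assignment')` sits directly above `output scope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)`, which is the assignment's scope, while the following line `@sys.description('The scope this Role Assignment applies to')` presumably decorates the `resourceId` output that starts past the end of the hunk. The generated readme in the next file section (`@@ -27,7 +27,7 @@`) shows the same inversion, listing `resourceId` as "The scope this Role Assignment applies to" and `scope` as "The resource ID of the Role Assignment", so anyone wiring these outputs into an inventory or audit trail will be misled. The fix is to swap the two description lines so that `output scope` carries `@sys.description('The scope this Role Assignment applies to')` and `output resourceId` carries `@sys.description('The resource ID of the Role Assignment')`, then regenerate the readme.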
@@ -14,12 +14,12 @@ With this module you can perform role assignments on a management group level
 | :-- | :-- | :-- | :-- | :-- |
 | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to |
 | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" |
-| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource |
+| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource |
 | `description` | string | | | Optional. Description of role assignment |
-| `managementGroupId` | string | | | Required. Group Id of the Management Group to assign the RBAC role to |
-| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) |
-| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. |
-| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
+| `managementGroupId` | string | | | Required. Group ID of the Management Group to assign the RBAC role to |
+| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) |
+| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. |
+| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 ## Outputs
@@ -27,7 +27,7 @@ With this module you can perform role assignments on a management group level
 | :-- | :-- | :-- |
 | `name` | string | The GUID of the Role Assignment |
 | `resourceId` | string | The scope this Role Assignment applies to |
-| `scope` | string | The resource Id of the Role Assignment |
+| `scope` | string | The resource ID of the Role Assignment |
 ## Template references
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
index 6383187532..7f73053f5c 100644
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -14,16 +14,16 @@ This module deploys Role Assignments across the management group, subscription o | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. | -| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | +| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. Group Id of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | -| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | -| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription Id is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | -| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | | | Optional. Subscription Id of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | | | Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | ### Parameter Usage: `managementGroupId` 
@@ -88,7 +88,7 @@ module roleassignment 'yourpath/arm/Microsoft.Authorization.roleAssignments/subs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment | -| `resourceId` | string | The resource Id of the Role Assignment | +| `resourceId` | string | The resource ID of the Role Assignment | | `scope` | string | The scope this Role Assignment applies to | ## Considerations diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep index dfb355b6a3..f41551b5d0 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep 
@@ -1,21 +1,21 @@ targetScope = 'resourceGroup' -@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleDefinitionIdOrName string -@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)') +@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string @sys.description('Optional. Name of the Resource Group to assign the RBAC role to.') param resourceGroupName string = resourceGroup().name -@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to.') +@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Description of role assignment') param description string = '' -@sys.description('Optional. Id of the delegated managed identity resource') +@sys.description('Optional. ID of the delegated managed identity resource') param delegatedManagedIdentityResourceId string = '' @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to') @@ -27,7 +27,7 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal Id.') +@sys.description('Optional. The principal type of the assigned principal ID.') @allowed([ 'ServicePrincipal' 'Group' 
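Review bot: The reworded descriptions of `resourceGroupName` and `subscriptionId` still say the values pick the resource group and subscription "to assign the RBAC role to", yet this file is `targetScope = 'resourceGroup'`, so the assignment is created in the resource group the deployment itself targets, and the `scope` output of this same module (later in this patch) is `resourceGroup().id` rather than anything built from these parameters. Unless the resource declaration, which is outside this hunk, uses them for the assignment's scope, a caller passing a different name will have the role granted somewhere other than where the parameter text suggests, which is exactly the surprise an RBAC module should not produce. Since the commit is already touching these decorators, I would make the wording honest, e.g. `@sys.description('Optional. Name of the resource group the role assignment is created in. Defaults to the deployment\'s resource group; the assignment is always created at the deployment scope.')` and the matching sentence for `subscriptionId`.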
@@ -38,7 +38,7 @@ param conditionVersion string = '2.0' ]) param principalType string = '' -@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.') +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') param cuaId string = '' var builtInRoleNames_var = { @@ -348,7 +348,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev @sys.description('The GUID of the Role Assignment') output name string = roleAssignment.name -@sys.description('The resource Id of the Role Assignment') +@sys.description('The resource ID of the Role Assignment') output scope string = resourceGroup().id @sys.description('The scope this Role Assignment applies to') diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md index dd6f320961..613ba4a721 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md 
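Review bot: The output descriptions in the second hunk are swapped: the decorator this commit rewrites, `@sys.description('The resource ID of the Role Assignment')`, sits directly above `output scope string = resourceGroup().id`, which is the scope, while the decorator that follows it, 'The scope this Role Assignment applies to', annotates the next output, whose line is outside the hunk. The generated readme tables elsewhere in this patch reproduce the mix-up (`resourceId` described as the scope, `scope` described as the resource ID). Exchange the two strings so `output scope` carries `@sys.description('The scope this Role Assignment applies to')` and the following output carries `@sys.description('The resource ID of the Role Assignment')`; anyone wiring these outputs into audit tooling or downstream modules relies on the description to tell the assignment's ID from the scope it was granted at.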
@@ -14,14 +14,14 @@ With this module you can perform role assignments on a resource group level | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. | -| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | +| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. Name of the Resource Group to assign the RBAC role to. | -| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. 
Subscription Id of the subscription to assign the RBAC role to. | +| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | ## Outputs @@ -30,7 +30,7 @@ With this module you can perform role assignments on a resource group level | `name` | string | The GUID of the Role Assignment | | `resourceGroupName` | string | The name of the resource group the role assignment was applied at | | `resourceId` | string | The scope this Role Assignment applies to | -| `scope` | string | The resource Id of the Role Assignment | +| `scope` | string | The resource ID of the Role Assignment | ## Template references diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep index 9c47e57db5..5f3212bfbf 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep 
@@ -1,18 +1,18 @@ targetScope = 'subscription' -@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleDefinitionIdOrName string -@sys.description('Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity)') +@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string -@sys.description('Optional. Subscription Id of the subscription to assign the RBAC role to.') +@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Description of role assignment') param description string = '' -@sys.description('Optional. Id of the delegated managed identity resource') +@sys.description('Optional. ID of the delegated managed identity resource') param delegatedManagedIdentityResourceId string = '' @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to') @@ -24,7 +24,7 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal Id.') +@sys.description('Optional. The principal type of the assigned principal ID.') @allowed([ 'ServicePrincipal' 'Group' 
@@ -337,7 +337,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev @sys.description('The GUID of the Role Assignment') output name string = roleAssignment.name -@sys.description('The resource Id of the Role Assignment') +@sys.description('The resource ID of the Role Assignment') output scope string = subscription().id @sys.description('The scope this Role Assignment applies to') diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md index 676a288cc1..07431d18b4 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md 
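Review bot: The description this hunk rewrites, `@sys.description('The resource ID of the Role Assignment')`, annotates `output scope string = subscription().id`, which is the scope rather than the assignment's resource ID, while the decorator right after it, 'The scope this Role Assignment applies to', belongs to the output that follows (outside the hunk). The two strings appear to have been attached to the wrong outputs and the generated readme tables in this patch inherit the error. Swap them so `output scope` reads `@sys.description('The scope this Role Assignment applies to')` and the next output reads `@sys.description('The resource ID of the Role Assignment')`.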
@@ -14,12 +14,12 @@ With this module you can perform role assignments on a subscription level | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `principalId` | string | | | Required. The Principal or Object Id of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal Id. | -| `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified Id in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription Id of the subscription to assign the RBAC role to. | +| `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | +| `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | +| `roleDefinitionIdOrName` | string | | | Required. 
You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | ## Outputs @@ -27,7 +27,7 @@ With this module you can perform role assignments on a subscription level | :-- | :-- | :-- | | `name` | string | The GUID of the Role Assignment | | `resourceId` | string | The scope this Role Assignment applies to | -| `scope` | string | The resource Id of the Role Assignment | +| `scope` | string | The resource ID of the Role Assignment | ## Template references diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index fd9f7b9a11..22ccab9783 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep 
@@ -18,10 +18,10 @@ param dataActions array = [] @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes') param notDataActions array = [] -@sys.description('Optional. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.') +@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.') param managementGroupId string = '' -@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.') +@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.') param subscriptionId string = '' @sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.') @@ -33,7 +33,7 @@ param location string = deployment().location @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') param assignableScopes array = [] -@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group.') +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') param cuaId string = '' module roleDefinition_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { 
@@ -84,7 +84,7 @@ module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou @sys.description('The GUID of the Role Definition') output name string = !empty(managementGroupId) ? roleDefinition_mg.outputs.name : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.name : roleDefinition_sub.outputs.name) -@sys.description('The resource Id of the Role Definition') +@sys.description('The resource ID of the Role Definition') output resourceId string = !empty(managementGroupId) ? roleDefinition_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.resourceId : roleDefinition_sub.outputs.resourceId) @sys.description('The scope this Role Definition applies to') diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep index 9f417d0866..107e10adee 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep @@ -12,7 +12,7 @@ param actions array = [] @sys.description('Optional. List of denied actions.') param notActions array = [] -@sys.description('Required. The group Id of the Management Group where the Role Definition and Target Scope will be applied to.') +@sys.description('Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to.') param managementGroupId string @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') 
@@ -40,5 +40,5 @@ output name string = roleDefinition.name @sys.description('The scope this Role Definition applies to') output scope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId) -@sys.description('The resource Id of the Role Definition') +@sys.description('The resource ID of the Role Definition') output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/roleDefinitions', roleDefinition.name) diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md index 73512671d9..274f2d8622 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md @@ -15,7 +15,7 @@ With this module you can create role definitions on a management group level | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | -| `managementGroupId` | string | | | Required. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. | +| `managementGroupId` | string | | | Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | 
@@ -24,7 +24,7 @@ With this module you can create role definitions on a management group level | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | -| `resourceId` | string | The resource Id of the Role Definition | +| `resourceId` | string | The resource ID of the Role Definition | | `scope` | string | The scope this Role Definition applies to | ## Template references diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index e9a1792495..99926c6326 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -14,16 +14,16 @@ This module deploys custom RBAC Role Definitions across the management group, su | :-- | :-- | :-- | :-- | :-- | | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | -| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. Use when scope target is resource group. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group Id of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | +| `managementGroupId` | string | | | Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `resourceGroupName` | string | | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | -| `subscriptionId` | string | | | Optional. 
The subscription Id where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | +| `subscriptionId` | string | | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | ### Parameter Usage: `managementGroupId` @@ -88,16 +88,16 @@ module roledefinition 'yourpath/arm/Microsoft.Authorization.roleDefinitions/subs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | -| `resourceId` | string | The resource Id of the Role Definition | +| `resourceId` | string | The resource ID of the Role Definition | | `roleDefinitionScope` | string | The scope this Role Definition applies to | ## Considerations This module can be deployed both at subscription or resource group level: -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription Id in the `subscriptionId` parameter. -- To deploy the module at the subscription level, provide an existing subscription Id in the `subscriptionId` parameter. -- To deploy the module at the management group level, provide an existing management group Id in the `managementGroupId` parameter. +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription ID in the `subscriptionId` parameter. +- To deploy the module at the subscription level, provide an existing subscription ID in the `subscriptionId` parameter. +- To deploy the module at the management group level, provide an existing management group ID in the `managementGroupId` parameter. ## Template references 
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep index a92721326b..3f26be34eb 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep @@ -18,7 +18,7 @@ param dataActions array = [] @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes') param notDataActions array = [] -@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to.') +@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.') @@ -27,7 +27,7 @@ param resourceGroupName string = resourceGroup().name @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') param assignableScopes array = [] -@sys.description('Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered.') +@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') param cuaId string = '' module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { @@ -59,7 +59,7 @@ output name string = roleDefinition.name @sys.description('The scope this Role Definition applies to') output scope string = resourceGroup().id -@sys.description('The resource Id of the Role Definition') +@sys.description('The resource ID of the Role Definition') output resourceId string = roleDefinition.id @sys.description('The name of the resource group the role definition was created at') 
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md index 8b5992e675..6d1a05b397 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md @@ -14,14 +14,14 @@ With this module you can create role definitions on a resource group level | :-- | :-- | :-- | :-- | :-- | | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | -| `cuaId` | string | | | Optional. Customer Usage Attribution Id (GUID). This GUID must be previously registered. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id where the Role Definition and Target Scope will be applied to. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. | ## Outputs 
@@ -29,7 +29,7 @@ With this module you can create role definitions on a resource group level | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | | `resourceGroupName` | string | The name of the resource group the role definition was created at | -| `resourceId` | string | The resource Id of the Role Definition | +| `resourceId` | string | The resource ID of the Role Definition | | `scope` | string | The scope this Role Definition applies to | ## Template references diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep index 0b46874a1f..7141c3330f 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep @@ -18,7 +18,7 @@ param dataActions array = [] @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes') param notDataActions array = [] -@sys.description('Optional. The subscription Id where the Role Definition and Target Scope will be applied to.') +@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') @@ -48,5 +48,5 @@ output name string = roleDefinition.name @sys.description('The scope this Role Definition applies to') output scope string = subscription().id -@sys.description('The resource Id of the Role Definition') +@sys.description('The resource ID of the Role Definition') output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/roleDefinitions', roleDefinition.name) 
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md index 114d9c5b5e..b8e854491c 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md @@ -19,14 +19,14 @@ With this module you can create role definitions on a subscription level | `notActions` | array | `[]` | | Optional. List of denied actions. | | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription Id where the Role Definition and Target Scope will be applied to. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The GUID of the Role Definition | -| `resourceId` | string | The resource Id of the Role Definition | +| `resourceId` | string | The resource ID of the Role Definition | | `scope` | string | The scope this Role Definition applies to | ## Template references From 5d3fd2b2d48106d62d1c8430a82c094af9f42ca1 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 25 Feb 2022 14:14:05 +1100 Subject: [PATCH 31/43] updated dependency pipeline for role assignments --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 722e1c81c5..38fb478409 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
@@ -1135,7 +1135,7 @@ jobs:
 - name: 'Deploy module'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
- templateFilePath: 'arm/${{ env.namespace }}/subscriptions/deploy.bicep'
+ templateFilePath: 'arm/${{ env.namespace }}/subscription/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.defaultResourceGroupName }}'
From 23c49b71da8e23bcead4b67df5f73fd866515019 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 25 Feb 2022 15:18:21 +1100 Subject: [PATCH 32/43] added display name for dependency policy assignment --- .../policyAssignments/parameters/mg.parameters.json | 2 +- .../policyAssignments/parameters/sub.parameters.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json
index 4cbf610055..2f885520e7 100644
--- a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/mg.parameters.json
@@ -6,7 +6,7 @@
 "value": "adp-<>-mg-pass-loc-rg"
 },
 "displayName": {
- "value": "Audit resource location matches resource group location (management group scope)"
+ "value": "[Depedency] Audit resource location matches resource group location (management group scope)"
 },
 "policyDefinitionID": {
 "value": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
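Review bot: The new `displayName` value on the `+` line is misspelled — `[Depedency]` should be `[Dependency]`, and the companion sub.parameters.json change in this same commit carries the identical typo. This string is what operators see in the portal and in compliance reports for the pipeline's dependency assignment, so it is worth fixing before it propagates: `"value": "[Dependency] Audit resource location matches resource group location (management group scope)"`.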
diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json
index 158ceeb152..10b7caa757 100644
--- a/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Authorization/policyAssignments/parameters/sub.parameters.json
@@ -6,7 +6,7 @@
 "value": "adp-<>-sb-pass-loc-rg"
 },
 "displayName": {
- "value": "Audit resource location matches resource group location (subscription scope)"
+ "value": "[Depedency] Audit resource location matches resource group location (subscription scope)"
 },
 "policyDefinitionID": {
 "value": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
From c2af34aa16c510b952a31721087cc7f8ce465a17 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:53:18 +1100 Subject: [PATCH 33/43] Update arm/Microsoft.Authorization/policyAssignments/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.Authorization/policyAssignments/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index ad22c4e1f2..65df3abb05 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -71,7 +71,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If would not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" 
From 2bd4c3f26990a21f0755869c9880785fa2d03956 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 17:04:43 +1100 Subject: [PATCH 34/43] updated policy assignments per feedback --- .../.parameters/mg.parameters.json | 3 --- .../policyAssignments/deploy.bicep | 20 ++++++++----------- .../policyAssignments/readme.md | 7 +++---- 3 files changed, 11 insertions(+), 19 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json
index f140b8c7ed..0b82d7076c 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json
@@ -51,9 +51,6 @@
 "value": [
 "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ]
- },
- "managementGroupId": {
- "value": "<>"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index a9dba4cb84..7e5c1b1e83 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
@@ -39,8 +39,8 @@ param nonComplianceMessage string = ''
 ])
 param enforcementMode string = 'Default'
-@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment')
-param managementGroupId string = ''
+@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 @sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment')
 param subscriptionId string = ''
@@ -54,10 +54,7 @@ param notScopes array = []
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
-param cuaId string = ''
-
-module policyAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -77,7 +74,7 @@ module policyAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managemen
 }
 }
-module policyAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module policyAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
@@ -97,7 +94,7 @@ module policyAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGr
 }
 }
-module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
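Review bot: The rewritten `policyAssignment_mg` condition selects management-group scope whenever `subscriptionId` and `resourceGroupName` are both empty, so a blank or omitted `subscriptionId` (a parameter-file slip or an unset pipeline variable) no longer fails — it silently places the assignment, together with its default `SystemAssigned` identity and whatever `roleDefinitionIds` grants accompany it (the repo's own mg.parameters.json grants Contributor), at whichever management group the deployment happened to be started from. Before this commit an explicit `managementGroupId` was required, so that class of mistake errored out rather than widening scope; the new default `managementGroup().name` turns a fail-closed selector into a fail-open one. Bicep offers no assert at this level, so at minimum I would make the fallback explicit next to the module line, `// Fallback: with neither subscriptionId nor resourceGroupName set, the assignment is created at the deploying management group (managementGroup().name) rather than rejected.`, and have the readme advise callers who run from a root or intermediate MG to keep passing `managementGroupId` explicitly.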
@@ -114,15 +111,14 @@ module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGr
 notScopes: !empty(notScopes) ? notScopes : []
 subscriptionId: subscriptionId
 location: location
- cuaId: !empty(cuaId) ? cuaId : ''
 }
 }
 @sys.description('Policy Assignment Name')
-output name string = !empty(managementGroupId) ? policyAssignment_mg.outputs.name : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.name : policyAssignment_sub.outputs.name)
+output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.name : policyAssignment_rg.outputs.name)
 @sys.description('Policy Assignment principal ID')
-output principalId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.principalId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.principalId : policyAssignment_sub.outputs.principalId)
+output principalId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.principalId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.principalId : policyAssignment_rg.outputs.principalId)
 @sys.description('Policy Assignment resource ID')
-output resourceId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.resourceId : policyAssignment_sub.outputs.resourceId)
+output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.resourceId : policyAssignment_rg.outputs.resourceId)
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index 65df3abb05..413afe5c35 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
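Review bot: The three rewritten output selectors fall through to `policyAssignment_rg.outputs.*` for the combination `subscriptionId` empty and `resourceGroupName` set, yet under the module conditions earlier in this file that combination deploys none of the three modules — `policyAssignment_rg` requires both values — so the outputs reference a module that was skipped; I believe ARM rejects that only at deployment time, with an error that does not point at the real cause. The previous three-way expression had the same hole, but since these lines are being rewritten it is the moment to close it, and because the orchestrator is management-group scoped it cannot infer a subscription for a resource-group target, so the honest fix is documentation plus the readme table: `@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. Required whenever resourceGroupName is set.')` on the `subscriptionId` parameter. The `subscriptionId` parameter itself is defined in an earlier hunk, outside this one.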
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md 
@@ -13,13 +13,12 @@ With this module you can perform policy assignments across the management group, | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. This message will be part of response in case of policy violation. | | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The Target Scope for the Policy. The name of the management group for the policy assignment | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | 
@@ -40,7 +39,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. +> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger. ### Parameter Usage: `subscriptionId` 
@@ -71,7 +70,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If would not set the scope to management group, this would be the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" From c12f9faec1179a35d56b4980cf4f6974e9d2b64e Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 17:25:19 +1100 Subject: [PATCH 35/43] completed policy assignment --- .../policyAssignments/managementGroup/deploy.bicep | 4 ++-- .../policyAssignments/managementGroup/readme.md | 2 +- .../policyAssignments/resourceGroup/deploy.bicep | 4 ++-- .../policyAssignments/resourceGroup/readme.md | 4 ++-- .../policyAssignments/subscription/deploy.bicep | 2 +- .../policyAssignments/subscription/readme.md | 2 +- .../.parameters/mg.min.parameters.json | 3 --- .../policyDefinitions/deploy.bicep | 14 +++++++------- .../policyDefinitions/managementGroup/deploy.bicep | 4 ++-- .../policyDefinitions/managementGroup/readme.md | 2 +- .../policyDefinitions/readme.md | 6 +++--- 11 files changed, 22 insertions(+), 25 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
index 1c7d42b156..7cfbb78895 100644
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/deploy.bicep
@@ -40,8 +40,8 @@ param nonComplianceMessage string = ''
 ])
 param enforcementMode string = 'Default'
-@sys.description('Required. The Target Scope for the Policy. The name of the management group for the policy assignment')
-param managementGroupId string
+@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 @sys.description('Optional. The policy excluded scopes')
 param notScopes array = []
diff --git a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md
index 47dea3ecd4..1f527ccc17 100644
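Review bot: Making `managementGroupId` optional in this management-group child module introduces a silent mismatch path: the policy assignment resource is created at whatever scope the module is deployed to, while this parameter — whose uses are outside the hunk, so I cannot confirm whether it only feeds derived names and IDs — can now default to `managementGroup().name` or be set to any other name without any check that it matches the actual scope. The orchestrator in the parent `deploy.bicep` keeps the two aligned by passing the same value to `scope:`, but anyone consuming this child directly does not get that guarantee and could end up with an assignment in one MG and outputs pointing at another. I would put the expectation on the parameter: `// NOTE(review): should match the management group this module is deployed to — the resource lands at the module scope and a mismatch is not detected.`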
--- a/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/managementGroup/readme.md @@ -18,7 +18,7 @@ With this module you can perform policy assignments on a management group level. | `enforcementMode` | string | `Default` | `[Default, DoNotEnforce]` | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | `identity` | string | `SystemAssigned` | `[SystemAssigned, None]` | Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Required. The Target Scope for the Policy. The name of the management group for the policy assignment | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `name` | string | | | Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. | | `nonComplianceMessage` | string | | | Optional. The messages that describe why a resource is non-compliant with the policy. | diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep index 99ac551905..c6e25feff9 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/deploy.bicep 
@@ -50,10 +50,10 @@ var nonComplianceMessage_var = { message: !empty(nonComplianceMessage) ? nonComplianceMessage : null } -@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId -@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment.') param resourceGroupName string = resourceGroup().name @sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') diff --git a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md index 49e46a91c9..57000e6618 100644 --- a/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/resourceGroup/readme.md 
@@ -25,9 +25,9 @@ With this module you can perform policy assignments on a resource group level | `notScopes` | array | `[]` | | Optional. The policy excluded scopes | | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | | `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | -| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment | +| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. | | `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | ## Outputs diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep index b0fb8f6696..d13fbf2e89 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep 
+++ b/arm/Microsoft.Authorization/policyAssignments/subscription/deploy.bicep @@ -50,7 +50,7 @@ var nonComplianceMessage_var = { message: !empty(nonComplianceMessage) ? nonComplianceMessage : null } -@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment') +@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId var identity_var = identity == 'SystemAssigned' ? { diff --git a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md index 9d7739e350..0214edc0c3 100644 --- a/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/subscription/readme.md 
@@ -25,7 +25,7 @@ With this module you can perform policy assignments on a subscription level. | `parameters` | object | `{object}` | | Optional. Parameters for the policy assignment if needed. | | `policyDefinitionId` | string | | | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | `roleDefinitionIds` | array | `[]` | | Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. | ## Outputs diff --git a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json index 4d6ac36de5..431a0f6f5e 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/policyDefinitions/.parameters/mg.min.parameters.json @@ -30,9 +30,6 @@ "type": "String" } } - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep index 1c6a9c8093..198a9be60f 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep 
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -30,8 +30,8 @@ param parameters object = {}
 @sys.description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
-@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
-param managementGroupId string = ''
+@sys.description('Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 @sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId')
 param subscriptionId string = ''
@@ -39,7 +39,7 @@ param subscriptionId string = ''
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
-module policyDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+module policyDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-MG-Module'
 scope: managementGroup(managementGroupId)
 params: {
@@ -54,7 +54,7 @@ module policyDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscripti
 }
 }
-module policyDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+module policyDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId)) {
 name: '${uniqueString(deployment().name, location)}-PolicyDefinition-Sub-Module'
 scope: subscription(subscriptionId)
 params: {
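Review bot: The unchanged `subscriptionId` description two lines below the new default still reads `Cannot be used with managementGroupId`, which is no longer true — `managementGroupId` now always carries a value (`managementGroup().name`), and the rewritten `policyDefinition_mg` / `policyDefinition_sub` conditions simply let a non-empty `subscriptionId` win. The removed description also dropped the caveat that tenant-level (`'/'`) deployment is unsupported; if that limitation still holds (not visible here), it should be retained. Suggested wording: `@sys.description('Optional. The subscription ID of the subscription (Scope). When set it takes precedence over managementGroupId, which otherwise defaults to the deploying management group.')`. As with policyAssignments, an empty `subscriptionId` now creates the definition at the deploying management group instead of failing, which is worth calling out in the readme for callers that run from a root MG.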
@@ -70,10 +70,10 @@ module policyDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGr
 }
 @sys.description('Policy Definition Name')
-output name string = !empty(managementGroupId) ? policyDefinition_mg.outputs.name : policyDefinition_sub.outputs.name
+output name string = empty(subscriptionId) ? policyDefinition_mg.outputs.name : policyDefinition_sub.outputs.name
 @sys.description('Policy Definition resource ID')
-output resourceId string = !empty(managementGroupId) ? policyDefinition_mg.outputs.resourceId : policyDefinition_sub.outputs.resourceId
+output resourceId string = empty(subscriptionId) ? policyDefinition_mg.outputs.resourceId : policyDefinition_sub.outputs.resourceId
 @sys.description('Policy Definition Role Definition IDs')
-output roleDefinitionIds array = !empty(managementGroupId) ? policyDefinition_mg.outputs.roleDefinitionIds : policyDefinition_sub.outputs.roleDefinitionIds
+output roleDefinitionIds array = empty(subscriptionId) ? policyDefinition_mg.outputs.roleDefinitionIds : policyDefinition_sub.outputs.roleDefinitionIds
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
index f9bb25c103..2e0046ff26 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/deploy.bicep
@@ -30,8 +30,8 @@ param parameters object = {}
 @sys.description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
-@sys.description('Required. The group ID of the Management Group')
-param managementGroupId string
+@sys.description('Optional. The group ID of the Management Group. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
 name: name
diff --git a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md index 014c559462..ba5d7fe803 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/managementGroup/readme.md @@ -14,7 +14,7 @@ With this module you can create policy definitions on a management group level. | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The policy definition description. | | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | -| `managementGroupId` | string | | | Required. The group ID of the Management Group | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters. | diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md index 9d6679bad7..96fb035315 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md 
@@ -15,7 +15,7 @@ With this module you can create policy definitions across the management group o | `description` | string | | | Optional. The policy definition description. | | `displayName` | string | | | Optional. The display name of the policy definition. Maximum length is 128 characters. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `mode` | string | `All` | `[All, Indexed, Microsoft.KeyVault.Data, Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data]` | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | | `name` | string | | | Required. Specifies the name of the policy definition. Maximum length is 64 characters for management group scope and subscription scope. | @@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. +> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger. ### Parameter Usage: `subscriptionId` 
@@ -49,7 +49,7 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" 
From a31bb9a89be15d3ba59f7b4c2f66397f2181f91c Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 22:59:01 +1100 Subject: [PATCH 36/43] updated policy sets --- .../.parameters/mg.min.parameters.json | 3 --- .../policyAssignments/.parameters/mg.parameters.json | 3 +++ .../.parameters/mg.min.parameters.json | 3 --- .../policySetDefinitions/deploy.bicep | 12 ++++++------ .../managementGroup/deploy.bicep | 4 ++-- .../policySetDefinitions/managementGroup/readme.md | 2 +- .../policySetDefinitions/readme.md | 6 +++--- 7 files changed, 15 insertions(+), 18 deletions(-) diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json index c5094de728..7271e1d839 100644 --- a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.min.parameters.json @@ -7,9 +7,6 @@ }, "policyDefinitionID": { "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json index 0b82d7076c..f140b8c7ed 100644 --- a/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json +++ b/arm/Microsoft.Authorization/policyAssignments/.parameters/mg.parameters.json @@ -51,6 +51,9 @@ "value": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ] + }, + "managementGroupId": { + "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json index 65bdd565f6..92f9d4ac2f 100644 
--- a/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/policySetDefinitions/.parameters/mg.min.parameters.json @@ -18,9 +18,6 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" } ] - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep index 25515d0c4a..7aef6f5258 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep @@ -11,8 +11,8 @@ param displayName string = '' @sys.description('Optional. The description name of the Set Definition (Initiative)') param description string = '' -@sys.description('Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')') -param managementGroupId string = '' +@sys.description('Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name @sys.description('Optional. The subscription ID of the subscription (Scope). Cannot be used with managementGroupId') param subscriptionId string = '' @@ -32,7 +32,7 @@ param parameters object = {} @sys.description('Optional. Location for all resources.') param location string = deployment().location -module policySetDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) { +module policySetDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-MG-Module' scope: managementGroup(managementGroupId) params: { 
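Review bot: With the new default `managementGroup().name`, `managementGroupId` is never empty, so the unchanged `subscriptionId` description left as context in this hunk ("Cannot be used with managementGroupId") no longer matches the behaviour: when both are passed, the conditions here (`if (empty(subscriptionId))`) and in the next hunk (`@@ -47,7`) make the subscription module win and the explicit management group ID is silently ignored. Please state the precedence in both descriptions, e.g. `@sys.description('Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. Ignored when subscriptionId is provided.')` and `@sys.description('Optional. The subscription ID of the subscription (Scope). Takes precedence over managementGroupId.')`. Note also that a deployment which omits every scope parameter previously deployed nothing (the old guard required `!empty(managementGroupId)`) and now deploys the set definition at the management group the deployment runs in; a sentence on this new default target belongs in the module readme as well.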
@@ -47,7 +47,7 @@ module policySetDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscri } } -module policySetDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) { +module policySetDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-PolicySetDefinition-Sub-Module' scope: subscription(subscriptionId) params: { @@ -63,7 +63,7 @@ module policySetDefinition_sub 'subscription/deploy.bicep' = if (empty(managemen } @sys.description('Policy Set Definition Name') -output name string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.name : policySetDefinition_sub.outputs.name +output name string = empty(subscriptionId) ? policySetDefinition_mg.outputs.name : policySetDefinition_sub.outputs.name @sys.description('Policy Set Definition resource ID') -output resourceId string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.resourceId : policySetDefinition_sub.outputs.resourceId +output resourceId string = empty(subscriptionId) ? policySetDefinition_mg.outputs.resourceId : policySetDefinition_sub.outputs.resourceId diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep index e72a36e57a..192012e44d 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep 
@@ -11,8 +11,8 @@ param displayName string = '' @sys.description('Optional. The description name of the Set Definition (Initiative)') param description string = '' -@sys.description('Required. The group ID of the Management Group') -param managementGroupId string +@sys.description('Optional. The group ID of the Management Group. If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name @sys.description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') param metadata object = {} diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md index 4d75f039aa..17ed1856b0 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md 
@@ -14,7 +14,7 @@ With this module you can create policy set definitions on a management group lev | :-- | :-- | :-- | :-- | :-- | | `description` | string | | | Optional. The description name of the Set Definition (Initiative) | | `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. | -| `managementGroupId` | string | | | Required. The group ID of the Management Group | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope. | | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. | diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md index 5a425b9f67..4098dcb7ab 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md 
@@ -15,7 +15,7 @@ With this module you can create policy set definitions across the management gro | `description` | string | | | Optional. The description name of the Set Definition (Initiative) | | `displayName` | string | | | Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. '/') | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group (Scope). If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `name` | string | | | Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope. | | `parameters` | object | `{object}` | | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references. | @@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. +> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger. ### Parameter Usage: `subscriptionId` 
@@ -49,7 +49,7 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" 
From 6c3f4b880be4941a6d61c5bf864bcdc03e305f2a Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 23:13:31 +1100 Subject: [PATCH 37/43] policy exemptions update --- .../.parameters/mg.min.parameters.json | 3 --- .../policyExemptions/deploy.bicep | 19 ++++++++----------- .../managementGroup/deploy.bicep | 4 ++-- .../managementGroup/readme.md | 4 ++-- .../policyExemptions/readme.md | 7 +++---- .../resourceGroup/deploy.bicep | 4 ++-- .../policyExemptions/resourceGroup/readme.md | 4 ++-- .../subscription/deploy.bicep | 2 +- .../policyExemptions/subscription/readme.md | 2 +- 9 files changed, 21 insertions(+), 28 deletions(-) diff --git a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json index 5a51d4ba59..f5816fcd6d 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/.parameters/mg.min.parameters.json @@ -7,9 +7,6 @@ }, "policyAssignmentId": { "value": "/providers/Microsoft.Management/managementGroups/<>/providers/Microsoft.Authorization/policyAssignments/adp-<>-mg-pass-loc-rg" - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index 5c5a2801a9..5f89ad16f7 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep 
@@ -30,8 +30,8 @@ param policyDefinitionReferenceIds array = [] @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ') param expiresOn string = '' -@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter.') -param managementGroupId string = '' +@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name @sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. Cannot use with management group ID parameter.') param subscriptionId string = '' @@ -42,9 +42,7 @@ param resourceGroupName string = '' @sys.description('Optional. Location for all resources.') param location string = deployment().location -@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.') -param cuaId string = '' -module policyExemption_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { +module policyExemption_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module' scope: managementGroup(managementGroupId) params: { 
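Review bot: The new `policyExemption_mg` condition `empty(subscriptionId) && empty(resourceGroupName)` turns the former no-op case into a live deployment: a parameter file that sets none of the three scope parameters used to deploy nothing (the old guard required `!empty(managementGroupId)`) and now creates the exemption at the management group the deployment is running in, the broadest scope this module can target, where an exemption removes the assignment's effect from the whole subtree beneath it. Given that blast radius I would keep an explicit opt-in for the management-group path rather than inheriting the target from the deployment scope, or at minimum call out the new default target in the readme and in the `managementGroupId` description. The `subscriptionId` description kept as context in this hunk ("Cannot use with management group ID parameter.") is also now misleading, since `managementGroupId` always carries a value; the effective rule from this condition and the two in the next hunk is that `subscriptionId`/`resourceGroupName` take precedence and an explicit `managementGroupId` is ignored, e.g. `@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. Takes precedence over managementGroupId.')`.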
@@ -60,7 +58,7 @@ module policyExemption_mg 'managementGroup/deploy.bicep' = if (!empty(management } } -module policyExemption_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { +module policyExemption_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-Sub-Module' scope: subscription(subscriptionId) params: { @@ -76,7 +74,7 @@ module policyExemption_sub 'subscription/deploy.bicep' = if (empty(managementGro } } -module policyExemption_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { +module policyExemption_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) { name: '${uniqueString(deployment().name, location)}-PolicyExemption-RG-Module' scope: resourceGroup(subscriptionId, resourceGroupName) params: { 
@@ -90,15 +88,14 @@ module policyExemption_rg 'resourceGroup/deploy.bicep' = if (empty(managementGro expiresOn: !empty(expiresOn) ? expiresOn : '' subscriptionId: subscriptionId resourceGroupName: resourceGroupName - cuaId: !empty(cuaId) ? cuaId : '' } } @sys.description('Policy Exemption Name') -output name string = !empty(managementGroupId) ? policyExemption_mg.outputs.name : (!empty(resourceGroupName) ? policyExemption_rg.outputs.name : policyExemption_sub.outputs.name) +output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.name : policyExemption_rg.outputs.name) @sys.description('Policy Exemption resource ID') -output resourceId string = !empty(managementGroupId) ? policyExemption_mg.outputs.resourceId : (!empty(resourceGroupName) ? policyExemption_rg.outputs.resourceId : policyExemption_sub.outputs.resourceId) +output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.resourceId : policyExemption_rg.outputs.resourceId) @sys.description('Policy Exemption Scope') -output scope string = !empty(managementGroupId) ? policyExemption_mg.outputs.scope : (!empty(resourceGroupName) ? policyExemption_rg.outputs.scope : policyExemption_sub.outputs.scope) +output scope string = empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? policyExemption_sub.outputs.scope : policyExemption_rg.outputs.scope) diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep index ae3ba11e10..c1f1169e93 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep 
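Review bot: The scope-selection predicate `empty(subscriptionId) && empty(resourceGroupName)` and its subscription counterpart are now spelled out twice in each of the three outputs, on top of the three module conditions earlier in the file, so a future change to the precedence rules has to be applied in nine places and any drift between them would route an output to a module that was not deployed. Hoisting the two predicates into variables and reusing them in the outputs (and, outside this hunk, in the module `if` conditions) keeps them in sync and makes the precedence readable in one place.
```bicep
// … unchanged: module declarations …

// Scope selection, shared by the module conditions and the outputs:
// subscription/resource-group parameters take precedence over managementGroupId.
var useMgScope = empty(subscriptionId) && empty(resourceGroupName)
var useSubScope = !empty(subscriptionId) && empty(resourceGroupName)

@sys.description('Policy Exemption Name')
output name string = useMgScope ? policyExemption_mg.outputs.name : (useSubScope ? policyExemption_sub.outputs.name : policyExemption_rg.outputs.name)

@sys.description('Policy Exemption resource ID')
output resourceId string = useMgScope ? policyExemption_mg.outputs.resourceId : (useSubScope ? policyExemption_sub.outputs.resourceId : policyExemption_rg.outputs.resourceId)

@sys.description('Policy Exemption Scope')
output scope string = useMgScope ? policyExemption_mg.outputs.scope : (useSubScope ? policyExemption_sub.outputs.scope : policyExemption_rg.outputs.scope)
```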
+++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/deploy.bicep @@ -30,8 +30,8 @@ param policyDefinitionReferenceIds array = [] @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ') param expiresOn string = '' -@sys.description('Required. The group ID of the management group to be exempted from the policy assignment.') -param managementGroupId string +@sys.description('Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { name: name diff --git a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md index 33383aabe6..3ac4570161 100644 --- a/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/managementGroup/readme.md 
@@ -16,9 +16,9 @@ With this module you can create policy exemptions on a management group level. | `displayName` | string | | | Optional. The display name of the policy assignment. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | -| `managementGroupId` | string | | | Required. The group ID of the management group to be exempted from the policy assignment. | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | -| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. | +| `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md index 27c0c2c55b..c301768d38 100644 --- a/arm/Microsoft.Authorization/policyExemptions/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/readme.md 
@@ -12,13 +12,12 @@ With this module you can create policy exemptions across the management group, s | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `description` | string | | | Optional. The description of the policy exemption. | | `displayName` | string | | | Optional. The display name of the policy exemption. Maximum length is 128 characters. | | `exemptionCategory` | string | `Mitigated` | `[Mitigated, Waiver]` | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | | `expiresOn` | string | | | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group ID of the management group to be exempted from the policy assignment. Cannot use with subscription ID parameter. | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the management group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | | `metadata` | object | `{object}` | | Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group, subscription and resource group scopes. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | 
@@ -36,7 +35,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. +> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger. ### Parameter Usage: `subscriptionId` 
@@ -67,7 +66,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" 
diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep index b12dd8ec33..22caa4f38c 100644 --- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/deploy.bicep @@ -30,10 +30,10 @@ param policyDefinitionReferenceIds array = [] @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ') param expiresOn string = '' -@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.') +@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId -@sys.description('Optional. The name of the resource group to be exempted from the policy assignment.') +@sys.description('Optional. The name of the resource group to be exempted from the policy assignment. If not provided, will use the current scope for deployment.') param resourceGroupName string = resourceGroup().name @sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') diff --git a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md index c35eaaf7f9..57fedef4ee 100644 --- a/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/resourceGroup/readme.md 
@@ -21,8 +21,8 @@ With this module you can create policy exemptions on a resource group level. | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | -| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the resource group to be exempted from the policy assignment. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. | +| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the resource group to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | ## Outputs diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep index 8b1f7a5f89..9d8678ebb4 100644 --- a/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/subscription/deploy.bicep 
@@ -30,7 +30,7 @@ param policyDefinitionReferenceIds array = [] @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ') param expiresOn string = '' -@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment.') +@sys.description('Optional. The subscription ID of the subscription to be exempted from the policy assignment. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { diff --git a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md index 428baf3dba..111d447838 100644 --- a/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md +++ b/arm/Microsoft.Authorization/policyExemptions/subscription/readme.md @@ -20,7 +20,7 @@ With this module you can create policy exemptions on a subscription level. | `name` | string | | | Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope. | | `policyAssignmentId` | string | | | Required. The resource ID of the policy assignment that is being exempted. | | `policyDefinitionReferenceIds` | array | `[]` | | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID of the subscription to be exempted from the policy assignment. If not provided, will use the current scope for deployment. | ## Outputs 
From d4221d90e8addf4a19ee0aa367ee273b23584a3f Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 23:44:56 +1100 Subject: [PATCH 38/43] updated role assignments --- .../.parameters/mg.min.parameters.json | 3 --- .../roleAssignments/deploy.bicep | 22 ++++++++----------- .../managementGroup/deploy.bicep | 4 ++-- .../roleAssignments/managementGroup/readme.md | 2 +- .../roleAssignments/readme.md | 9 ++++---- .../resourceGroup/deploy.bicep | 4 ++-- .../roleAssignments/resourceGroup/readme.md | 4 ++-- .../roleAssignments/subscription/deploy.bicep | 2 +- .../roleAssignments/subscription/readme.md | 2 +- 9 files changed, 22 insertions(+), 30 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json index 1bc735ba28..02a409875c 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/roleAssignments/.parameters/mg.min.parameters.json @@ -7,9 +7,6 @@ }, "principalId": { "value": "<>" - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep index 090af9262a..01a069ea86 100644 --- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep 
@@ -6,14 +6,14 @@ param roleDefinitionIdOrName string
 @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
 
-@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group.')
 param resourceGroupName string = ''
 
 @sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
 param subscriptionId string = ''
 
-@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.')
-param managementGroupId string = ''
+@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 
 @sys.description('Optional. Location for all resources.')
 param location string = deployment().location
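Review bot: Defaulting `managementGroupId` to `managementGroup().name` turns a fail-closed guard into a fail-open one: under the old `!empty(managementGroupId)` condition (removed in the next hunk) a parameter file that named no scope at all deployed nothing, whereas now it assigns the role at whatever management group the deployment is triggered from, which is the widest scope this orchestrator can reach. A parameter file that is missing its `subscriptionId`, by mistake or by copy, would therefore widen the grant silently instead of failing. The new description should make that consequence explicit, e.g. `@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, the role is assigned at the management group the deployment runs in; leave subscriptionId and resourceGroupName empty only when a management-group-wide assignment is intended.')`. The same wording applies to the matching `managementGroupId` change in `roleDefinitions/deploy.bicep` further down.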
@@ -44,10 +44,7 @@ param conditionVersion string = '2.0'
 ])
 param principalType string = ''
 
-@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
-param cuaId string = ''
-
-module roleAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
   name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
   scope: managementGroup(managementGroupId)
   params: {
@@ -62,7 +59,7 @@ module roleAssignment_mg 'managementGroup/deploy.bicep' = if (!empty(managementG
   }
 }
 
-module roleAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
   name: '${uniqueString(deployment().name, location)}-RoleAssignment-Sub-Module'
   scope: subscription(subscriptionId)
   params: {
@@ -77,7 +74,7 @@ module roleAssignment_sub 'subscription/deploy.bicep' = if (empty(managementGrou
   }
 }
 
-module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
   name: '${uniqueString(deployment().name, location)}-RoleAssignment-RG-Module'
   scope: resourceGroup(subscriptionId, resourceGroupName)
   params: {
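Review bot: The reworked conditions still leave one combination undispatched: with `subscriptionId` empty and `resourceGroupName` set, neither `roleAssignment_mg` (`empty(subscriptionId) && empty(resourceGroupName)`), `roleAssignment_sub` (`!empty(subscriptionId) && empty(resourceGroupName)`) nor `roleAssignment_rg` (`!empty(resourceGroupName) && !empty(subscriptionId)`) is deployed, so the requested assignment silently never lands. The outputs in the following hunk fall through to `roleAssignment_rg.outputs.*` for exactly that combination, which presumably fails only when the outputs are evaluated, i.e. late and with a confusing error rather than at validation. Absent an assertion mechanism here, the contract should at least be stated on the parameter, e.g. `@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. Must be provided together with subscriptionId; if set without it, no role assignment is deployed.')`, and the pipeline's parameter validation could reject the combination up front. The same gap exists in the `roleDefinition_mg`/`_sub`/`_rg` conditions and outputs of `roleDefinitions/deploy.bicep` further down.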
@@ -90,15 +87,14 @@ module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou
     delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : ''
     conditionVersion: conditionVersion
     condition: !empty(condition) ? condition : ''
-    cuaId: !empty(cuaId) ? cuaId : ''
   }
 }
 
 @sys.description('The GUID of the Role Assignment')
-output name string = !empty(managementGroupId) ? roleAssignment_mg.outputs.name : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.name : roleAssignment_sub.outputs.name)
+output name string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.name : roleAssignment_rg.outputs.name)
 
 @sys.description('The resource ID of the Role Assignment')
-output resourceId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.resourceId : roleAssignment_sub.outputs.resourceId)
+output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.resourceId : roleAssignment_rg.outputs.resourceId)
 
 @sys.description('The scope this Role Assignment applies to')
-output scope string = !empty(managementGroupId) ? roleAssignment_mg.outputs.scope : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.scope : roleAssignment_sub.outputs.scope)
+output scope string = empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? roleAssignment_sub.outputs.scope : roleAssignment_rg.outputs.scope)
diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep
index 4cda3097f5..1bc2e4ce88 100644
--- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/deploy.bicep @@ -6,8 +6,8 @@ param roleDefinitionIdOrName string @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string -@sys.description('Required. Group ID of the Management Group to assign the RBAC role to') -param managementGroupId string +@sys.description('Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name @sys.description('Optional. Description of role assignment') param description string = '' diff --git a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md index 9d56228aa0..10e98eb01b 100644 --- a/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/managementGroup/readme.md 
@@ -16,7 +16,7 @@ With this module you can perform role assignments on a management group level | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | | `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | -| `managementGroupId` | string | | | Required. Group ID of the Management Group to assign the RBAC role to | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | | `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index 7f73053f5c..3b04435502 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md 
@@ -14,14 +14,13 @@ This module deploys Role Assignments across the management group, subscription o | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. Group ID of the Management Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | | `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | -| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | +| `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. 
If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided RBAC role to the resource group. | | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `subscriptionId` | string | | | Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | @@ -35,7 +34,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an } ``` -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file. +> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger. ### Parameter Usage: `subscriptionId` 
@@ -66,7 +65,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module. -The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face: +The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face: ```bicep Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup" 
diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep index f41551b5d0..693661c13f 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep @@ -6,10 +6,10 @@ param roleDefinitionIdOrName string @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string -@sys.description('Optional. Name of the Resource Group to assign the RBAC role to.') +@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.') param resourceGroupName string = resourceGroup().name -@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.') +@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Description of role assignment') diff --git a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md index 613ba4a721..aca00e1a3a 100644 --- a/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/resourceGroup/readme.md 
@@ -19,9 +19,9 @@ With this module you can perform role assignments on a resource group level | `description` | string | | | Optional. Description of role assignment | | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | | `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | -| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. Name of the Resource Group to assign the RBAC role to. | +| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. | | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | ## Outputs diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep index 5f3212bfbf..bf5f0fcd9b 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep 
@@ -6,7 +6,7 @@ param roleDefinitionIdOrName string @sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)') param principalId string -@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to.') +@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.') param subscriptionId string = subscription().subscriptionId @sys.description('Optional. Description of role assignment') diff --git a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md index 07431d18b4..54917e3356 100644 --- a/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/subscription/readme.md @@ -19,7 +19,7 @@ With this module you can perform role assignments on a subscription level | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | | `principalType` | string | | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. | +| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. | ## Outputs From bf8879f27ea2d82b9336652d7169022d2da089e4 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 1 Mar 2022 23:53:03 +1100 Subject: [PATCH 39/43] role definitions update --- .../.parameters/mg.min.parameters.json | 3 --- .../roleDefinitions/deploy.bicep | 20 ++++++++----------- .../managementGroup/deploy.bicep | 4 ++-- .../roleDefinitions/managementGroup/readme.md | 2 +- .../roleDefinitions/readme.md | 7 +++---- .../resourceGroup/deploy.bicep | 4 ++-- .../roleDefinitions/resourceGroup/readme.md | 4 ++-- .../roleDefinitions/subscription/deploy.bicep | 2 +- .../roleDefinitions/subscription/readme.md | 2 +- 9 files changed, 20 insertions(+), 28 deletions(-) diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json index 6e503be0b7..c4a88ba9e8 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json +++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/mg.min.parameters.json @@ -10,9 +10,6 @@ "Microsoft.Compute/galleries/read", "Microsoft.Compute/galleries/images/read" ] - }, - "managementGroupId": { - "value": "<>" } } } diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index 22ccab9783..2fed913ce9 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep 
@@ -18,8 +18,8 @@ param dataActions array = []
 @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes')
 param notDataActions array = []
 
-@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.')
-param managementGroupId string = ''
+@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
 
 @sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.')
 param subscriptionId string = ''
@@ -33,10 +33,7 @@ param location string = deployment().location
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
 param assignableScopes array = []
 
-@sys.description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group.')
-param cuaId string = ''
-
-module roleDefinition_mg 'managementGroup/deploy.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
   name: '${uniqueString(deployment().name, location)}-RoleDefinition-MG-Module'
   scope: managementGroup(managementGroupId)
   params: {
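Review bot: Selecting `roleDefinition_mg` whenever both `subscriptionId` and `resourceGroupName` are empty interacts badly with the `notDataActions` description in the first hunk (and the `dataActions` one it mirrors), which states that data actions are not supported when the assignable scopes include a management group: a parameter file that sets `dataActions` but no scope parameter used to deploy nothing under the old `!empty(managementGroupId)` guard and now lands on the management-group path, where those lists are presumably dropped or rejected rather than applied as the author intended. That interaction should be stated where the caller will see it, e.g. `@sys.description('Optional. List of denied data actions. Not supported on the management group path, which is selected whenever subscriptionId and resourceGroupName are both empty.')`, with the same sentence on `dataActions`. The `resourceGroupName`-without-`subscriptionId` gap raised on the role assignment orchestrator applies unchanged to these three conditions and to the outputs two hunks further down.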
@@ -49,7 +46,7 @@ module roleDefinition_mg 'managementGroup/deploy.bicep' = if (!empty(managementG
   }
 }
 
-module roleDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
   name: '${uniqueString(deployment().name, location)}-RoleDefinition-Sub-Module'
   scope: subscription(subscriptionId)
   params: {
@@ -64,7 +61,7 @@ module roleDefinition_sub 'subscription/deploy.bicep' = if (empty(managementGrou
   }
 }
 
-module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
   name: '${uniqueString(deployment().name, location)}-RoleDefinition-RG-Module'
   scope: resourceGroup(subscriptionId, resourceGroupName)
   params: {
@@ -77,15 +74,14 @@ module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (empty(managementGrou
     assignableScopes: !empty(assignableScopes) ? assignableScopes : []
     subscriptionId: subscriptionId
     resourceGroupName: resourceGroupName
-    cuaId: !empty(cuaId) ? cuaId : ''
   }
 }
 
 @sys.description('The GUID of the Role Definition')
-output name string = !empty(managementGroupId) ? roleDefinition_mg.outputs.name : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.name : roleDefinition_sub.outputs.name)
+output name string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.name : roleDefinition_rg.outputs.name)
 
 @sys.description('The resource ID of the Role Definition')
-output resourceId string = !empty(managementGroupId) ? roleDefinition_mg.outputs.resourceId : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.resourceId : roleDefinition_sub.outputs.resourceId)
+output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.resourceId : roleDefinition_rg.outputs.resourceId)
 
 @sys.description('The scope this Role Definition applies to')
-output roleDefinitionScope string = !empty(managementGroupId) ? roleDefinition_mg.outputs.scope : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.scope : roleDefinition_sub.outputs.scope)
+output roleDefinitionScope string = empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_mg.outputs.scope : (!empty(subscriptionId) && empty(resourceGroupName) ? roleDefinition_sub.outputs.scope : roleDefinition_rg.outputs.scope)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep
index 107e10adee..b915817aa6 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/deploy.bicep @@ -12,8 +12,8 @@ param actions array = [] @sys.description('Optional. List of denied actions.') param notActions array = [] -@sys.description('Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to.') -param managementGroupId string +@sys.description('Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.') +param managementGroupId string = managementGroup().name @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.') param assignableScopes array = [] diff --git a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md index 274f2d8622..50dc65f01f 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/managementGroup/readme.md 
@@ -15,7 +15,7 @@ With this module you can create role definitions on a management group level | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | -| `managementGroupId` | string | | | Required. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `roleName` | string | | | Required. Name of the custom RBAC role to be created. | diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index 99926c6326..dacf96fa90 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -14,11 +14,10 @@ This module deploys custom RBAC Role Definitions across the management group, su | :-- | :-- | :-- | :-- | :-- | | `actions` | array | `[]` | | Optional. List of allowed actions. | | `assignableScopes` | array | `[]` | | Optional. Role definition assignable scopes. If not provided, will use the current scope provided. | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. Use when scope target is resource group. | | `dataActions` | array | `[]` | | Optional. List of allowed data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `description` | string | | | Optional. Description of the custom RBAC role to be created. | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | -| `managementGroupId` | string | | | Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | +| `managementGroupId` | string | `[managementGroup().name]` | | Optional. The group ID of the Management Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. | | `notActions` | array | `[]` | | Optional. List of denied actions. | | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes | | `resourceGroupName` | string | | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. | 
@@ -35,7 +34,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. For example, you can trigger the initial deployment at the root management group, but the parameter file has another management group mentioned, hence the real target is the one in the parameter file.
+> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
 ### Parameter Usage: `subscriptionId`
@@ -66,7 +65,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour
 In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
-The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module with other modules with lower scopes? This will not work as the [root](deploy.bicep) is defined at a higher scope (i.e. management group), hence the module can no longer be used. That is simply because you cannot have your own bicep file that has a target of subscription, and this root module is at a higher scope than that. This is the error that you can expect to face:
+The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
 ```bicep
 Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
index 3f26be34eb..d55962d78e 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/deploy.bicep
@@ -18,10 +18,10 @@ param dataActions array = []
 @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes')
 param notDataActions array = []
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.')
+@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
 param subscriptionId string = subscription().subscriptionId
-@sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.')
+@sys.description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
 param resourceGroupName string = resourceGroup().name
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
diff --git a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
index 6d1a05b397..f42b3bab26 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/resourceGroup/readme.md
@@ -19,9 +19,9 @@ With this module you can create role definitions on a resource group level
 | `description` | string | | | Optional. Description of the custom RBAC role to be created. |
 | `notActions` | array | `[]` | | Optional. List of denied actions. |
 | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
-| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. |
+| `resourceGroupName` | string | `[resourceGroup().name]` | | Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 | `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 ## Outputs
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
index 7141c3330f..abc70bc7f8 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/deploy.bicep
@@ -18,7 +18,7 @@ param dataActions array = []
 @sys.description('Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes')
 param notDataActions array = []
-@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to.')
+@sys.description('Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment.')
 param subscriptionId string = subscription().subscriptionId
 @sys.description('Optional. Role definition assignable scopes. If not provided, will use the current scope provided.')
diff --git a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
index b8e854491c..950830c0cd 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/subscription/readme.md
@@ -19,7 +19,7 @@ With this module you can create role definitions on a subscription level
 | `notActions` | array | `[]` | | Optional. List of denied actions. |
 | `notDataActions` | array | `[]` | | Optional. List of denied data actions. This is not supported if the assignableScopes contains Management Group Scopes |
 | `roleName` | string | | | Required. Name of the custom RBAC role to be created. |
-| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The subscription ID where the Role Definition and Target Scope will be applied to. If not provided, will use the current scope for deployment. |
 ## Outputs
From 5bdb136d6926eed5ac580082c9aa54fe11a69e3f Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 2 Mar 2022 00:52:23 +1100
Subject: [PATCH 40/43] changed guidance message
---
 arm/Microsoft.Authorization/policyAssignments/readme.md | 2 +-
 arm/Microsoft.Authorization/policyDefinitions/readme.md | 2 +-
 arm/Microsoft.Authorization/policyExemptions/readme.md | 2 +-
 arm/Microsoft.Authorization/policySetDefinitions/readme.md | 2 +-
 arm/Microsoft.Authorization/roleAssignments/readme.md | 2 +-
 arm/Microsoft.Authorization/roleDefinitions/readme.md | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md
index 413afe5c35..b7cc490356 100644
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -39,7 +39,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md
index 96fb035315..5190891a52 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
@@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md
index c301768d38..6936706c51 100644
--- a/arm/Microsoft.Authorization/policyExemptions/readme.md
+++ b/arm/Microsoft.Authorization/policyExemptions/readme.md
@@ -35,7 +35,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
index 4098dcb7ab..f2f27209c0 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -33,7 +33,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
index 3b04435502..bbfb50fcc2 100644
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -34,7 +34,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md
index dacf96fa90..5df05a8322 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md
@@ -34,7 +34,7 @@ To deploy resource to a Management Group, provide the `managementGroupId` as an
 }
 ```
-> `managementGroupId` is an optional parameter. If not provided, the target management group will be the one used at the time of the deployment trigger.
+> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
 ### Parameter Usage: `subscriptionId`
From c8fdd966f62de00ec3ff1b61ecc39d93972aaeb1 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Tue, 1 Mar 2022 21:08:29 +0000
Subject: [PATCH 41/43] Update .azuredevops/platformPipelines/platform.dependencies.yml
Co-authored-by: Marius Storhaug
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 7d931b6740..e496f4ba8a 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -91,7 +91,7 @@ stages:
 - deploy_rg
 variables:
 resourceType: 'Microsoft.Authorization/policyAssignments'
- templateFilePath: $(modulesPath)/$(resourceType)/subscriptions/deploy.bicep
+ templateFilePath: $(modulesPath)/$(resourceType)/subscription/deploy.bicep
 jobs:
 - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
 parameters:
From 9ca1b9f2edcecaa011040692b5e8105f937fdd8c Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Tue, 1 Mar 2022 21:08:43 +0000
Subject: [PATCH 42/43] Update constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep
Co-authored-by: Marius Storhaug
---
 .../.bicep/nested_rbac.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep
index b2f641d5e4..4411343e9e 100644
--- a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep
+++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep
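Review bot: The `subscriptions` → `subscription` correction to `templateFilePath` is applied to a single stage here (the `policyAssignments` stage at @@ -91) and to one more stage in the @@ -800 hunk of patch 43 (the `roleAssignments` stage), which reads as patching where a failure was seen rather than sweeping the file. If other `Microsoft.Authorization` stages build their path from the same `$(modulesPath)/$(resourceType)/subscription/deploy.bicep` pattern, any still carrying the plural folder would fail identically, and since `$(resourceType)` is expanded at run time a stale path only surfaces once the validate job executes. A repository-wide search for `/subscriptions/deploy.bicep` before merging would confirm nothing is left behind.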
@@ -302,7 +302,7 @@ module roleAssignments_mg '../../../../arm/Microsoft.Authorization/roleAssignmen
 }
 }]
-module roleAssignments_sub '../../../../arm/Microsoft.Authorization/roleAssignments/subscriptions/deploy.bicep' = [for principalId in principalIds: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleAssignments_sub '../../../../arm/Microsoft.Authorization/roleAssignments/subscription/deploy.bicep' = [for principalId in principalIds: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: 'roleAssignments_sub-${guid(deployment().name, location, principalId)}'
 scope: subscription(subscriptionId)
 params: {
From 367516af62820c38a6909d37a226c66b4b0a6be7 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Tue, 1 Mar 2022 21:08:50 +0000
Subject: [PATCH 43/43] Update .azuredevops/platformPipelines/platform.dependencies.yml
Co-authored-by: Marius Storhaug
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index e496f4ba8a..14c2cda06d 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -800,7 +800,7 @@ stages:
 - deploy_msi
 variables:
 resourceType: 'Microsoft.Authorization/roleAssignments'
- templateFilePath: $(modulesPath)/$(resourceType)/subscriptions/deploy.bicep
+ templateFilePath: $(modulesPath)/$(resourceType)/subscription/deploy.bicep
 msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
 jobs:
 - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
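Review bot: Only the `roleAssignments_sub` source path is moved to the singular `subscription/deploy.bicep`; the hunk header shows a sibling `roleAssignments_mg` module in this file whose path is cut off, and a `roleAssignments_rg` counterpart presumably follows, so if the `managementGroups` and `resourceGroups` folders were renamed the same way their module source strings also need updating or `bicep build` of this construct will fail on an unresolved path. Running that build in CI for the `constructs` tree, not only the `arm` modules, would catch this class of stale reference before a deployment is attempted. The `roleAssignments_sub` module declaration continues past the end of the hunk.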