diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 0668e824cc..88c41e929e 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -37,6 +37,14 @@ { "ipv4Address": "10.240.4.4" } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } ] } ] @@ -48,7 +56,15 @@ "ttl": 3600, "cnameRecord": { "cname": "test" - } + }, + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] } ] }, @@ -62,6 +78,14 @@ "exchange": "contoso.com", "preference": 100 } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } ] } ] @@ -75,6 +99,14 @@ { "ptrdname": "contoso.com" } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } ] } ] @@ -92,7 +124,15 @@ "refreshTime": 3600, "retryTime": 300, "serialNumber": "1" - } + }, + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] } ] }, @@ -108,6 +148,14 @@ "target": "test.contoso.com", "weight": 0 } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } ] } ] @@ -123,6 +171,14 @@ "test" ] } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } ] } ] diff --git a/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..35dd346b4e --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep 
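Review bot: Every `roleAssignments` entry added to this test parameter file uses the same placeholder principal `"<>"` and omits `principalType`, so the `ServicePrincipal` branch that the new nested module implements (`principalType: !empty(principalType) ? principalType : null`) is never exercised by the test deployment. If the pipeline does not substitute `"<>"` before deploying (I cannot see that from the diff), the assignment would be rejected as an invalid principal ID. Consider giving at least one entry `"principalType": "ServicePrincipal"` so that path is covered; keeping `Reader` as the test role is the right least-privilege choice.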
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource A 'Microsoft.Network/privateDnsZones/A@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(A.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: A
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
index 59ead85aec..f30ede4c7e 100644
--- a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
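Review bot: The role assignment name is seeded with `A.name`, which is only `zone/record`, so two A records with the same zone and record name in different resource groups or subscriptions get the same GUID; as far as I can tell Azure rejects a role assignment whose GUID already exists with a different scope, so the seed should be the full resource ID, `name: guid(A.id, principalId, roleDefinitionIdOrName)`. The same derivation is used in the AAAA, CNAME and MX nested_rbac.bicep files of this commit. The `existing` reference hard-codes segments `[8]` and `[10]` of `resourceId`; a comment such as `// resourceId segments: [8] = zone name, [10] = record-set name` would make that contract visible to the next maintainer. The first description also misspells "prinicpals".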
@@ -16,6 +16,9 @@ param ttl int = 3600
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -42,6 +45,17 @@ resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
 }
 }
+module A_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSA-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: A.id
+ }
+}]
+
 @description('The name of the deployed A record')
 output name string = A.name
diff --git a/arm/Microsoft.Network/privateDnsZones/A/readme.md b/arm/Microsoft.Network/privateDnsZones/A/readme.md
index 72f29b6622..5540dfea6a 100644
--- a/arm/Microsoft.Network/privateDnsZones/A/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/A/readme.md
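Review bot: The `@description` of the new `roleAssignments` parameter tells callers each object carries a `'principalId'`, but the module reads `roleAssignment.principalIds` (an array) and the nested module declares `principalIds` as required, so a caller who follows the description gets a deployment-time failure; the text should say `'principalIds'`. The same wording is repeated in the AAAA, CNAME and MX deploy.bicep files and in the four readme parameter tables of this commit. `principalIds` and `roleDefinitionIdOrName` are read without a `contains()` guard while `description` and `principalType` are guarded, which matches them being required, but stating that in the description, e.g. `Each object requires 'roleDefinitionIdOrName' and 'principalIds'; 'description' and 'principalType' are optional`, would save callers a failed deployment.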
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone A record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/A` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) | ## Parameters @@ -28,6 +29,7 @@ This module deploys a Private DNS Zone A record. | `aRecords` | array | `[]` | The list of A records in the record set. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | 
@@ -43,6 +45,32 @@ This module deploys a Private DNS Zone A record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Network/privateDnsZones/A/version.json b/arm/Microsoft.Network/privateDnsZones/A/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/version.json +++ b/arm/Microsoft.Network/privateDnsZones/A/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..e1785e8ece --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(AAAA.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: AAAA
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
index 1dd9efb231..82c92b85b2 100644
--- a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
@@ -16,6 +16,9 @@ param ttl int = 3600
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -42,6 +45,17 @@ resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2020-06-01' = {
 }
 }
+module AAAA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSAAAA-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: AAAA.id
+ }
+}]
+
 @description('The name of the deployed AAAA record')
 output name string = AAAA.name
diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
index 66e69cb214..c218d5a07d 100644
--- a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone AAAA record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) | ## Parameters @@ -28,6 +29,7 @@ This module deploys a Private DNS Zone AAAA record. | `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | 
@@ -43,6 +45,32 @@ This module deploys a Private DNS Zone AAAA record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/version.json b/arm/Microsoft.Network/privateDnsZones/AAAA/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/version.json +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..6117cc91ca --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep 
@@ -0,0 +1,58 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(CNAME.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: CNAME
+}]
+
+output id string = roleAssignment[0].name
diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
index 680f8d9ab6..b216e98cf9 100644
--- a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
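Review bot: `output id string = roleAssignment[0].name` indexes the first loop element, so a deployment whose `principalIds` array is empty fails on this line, and the value it exposes is the assignment's name (a GUID), not its resource ID as the output name suggests. None of the sibling A, AAAA or MX nested_rbac.bicep files in this commit declare an output, so the simplest fix is to drop the line for consistency. If an output is wanted, make it cover the whole loop and return real IDs, e.g. `output resourceIds array = [for (principalId, index) in principalIds: roleAssignment[index].id]`.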
@@ -13,6 +13,9 @@ param metadata object = {}
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = {
 }
 }
+module CNAME_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSCNAME-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: CNAME.id
+ }
+}]
+
 @description('The name of the deployed CNAME record')
 output name string = CNAME.name
diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md
index 092bd9cffd..ddcd5c4c08 100644
--- a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone CNAME record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/CNAME` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) | ## Parameters 
@@ -28,9 +29,36 @@ This module deploys a Private DNS Zone CNAME record. | `cnameRecord` | object | `{object}` | A CNAME record. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/version.json b/arm/Microsoft.Network/privateDnsZones/CNAME/version.json index 56f8d9ca40..badc0a2285 100644 
--- a/arm/Microsoft.Network/privateDnsZones/CNAME/version.json +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..cd6a41fab6 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource MX 'Microsoft.Network/privateDnsZones/MX@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(MX.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: MX
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
index 49357b388d..466c8ee27b 100644
--- a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
@@ -13,6 +13,9 @@ param mxRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' = {
 }
 }
+module MX_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSMX-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: MX.id
+ }
+}]
+
 @description('The name of the deployed MX record')
 output name string = MX.name
diff --git a/arm/Microsoft.Network/privateDnsZones/MX/readme.md b/arm/Microsoft.Network/privateDnsZones/MX/readme.md
index fae5b78df4..7ba3cf9079 100644
--- a/arm/Microsoft.Network/privateDnsZones/MX/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/MX/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone MX record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/MX` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) |
 ## Parameters
@@ -28,6 +29,7 @@ This module deploys a Private DNS Zone MX record.
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `metadata` | object | `{object}` | The metadata attached to the record set. |
 | `mxRecords` | array | `[]` | The list of MX records in the record set. |
+| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |
@@ -44,6 +46,32 @@ This module deploys a Private DNS Zone MX record.
 }
 ```
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Network/privateDnsZones/MX/version.json b/arm/Microsoft.Network/privateDnsZones/MX/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/MX/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/MX/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..b84cc2e481
--- /dev/null
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource PTR 'Microsoft.Network/privateDnsZones/PTR@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(PTR.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: PTR
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
index e7b066524e..74e5128657 100644
--- a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
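Review bot: The role-assignment name on the `name: guid(PTR.name, principalId, roleDefinitionIdOrName)` line hashes the caller-supplied role string, so the same effective assignment (same principal, same role, same scope) gets a different name depending on whether the caller passed `Reader` or the full definition ID, and since Azure rejects a second assignment for an identical principal/role/scope tuple, a re-deploy that switches between the two forms would presumably fail instead of being a no-op. Resolving the role once and naming from the resolved ID removes that ambiguity: `var roleDefinitionId = contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName`, then `name: guid(PTR.name, principalId, roleDefinitionId)` and `roleDefinitionId: roleDefinitionId`. The `existing` reference is declared at API version `2018-09-01` while the parent `deploy.bicep` declares the record at `2020-06-01`; aligning them leaves one version to track. The first parameter description also misspells "prinicpals". The same points apply to the SOA, SRV and TXT copies ending at L29, L34 and L39, and to the copy ending at L19 whose header is outside this chunk.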
@@ -13,6 +13,9 @@ param ptrRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -28,6 +31,17 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
+module PTR_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSPTR-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: PTR.id
+ }
+}]
+
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
 name: privateDnsZoneName
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
index 21659321c1..445afd3e87 100644
--- a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone PTR record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/PTR` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) |
 ## Parameters
@@ -28,6 +29,7 @@ This module deploys a Private DNS Zone PTR record.
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `metadata` | object | `{object}` | The metadata attached to the record set. |
 | `ptrRecords` | array | `[]` | The list of PTR records in the record set. |
+| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |
@@ -43,6 +45,32 @@ This module deploys a Private DNS Zone PTR record.
 }
 ```
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/version.json b/arm/Microsoft.Network/privateDnsZones/PTR/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/PTR/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..ae13be4128
--- /dev/null
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource SOA 'Microsoft.Network/privateDnsZones/SOA@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(SOA.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: SOA
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
index 45079fc464..432c9d94df 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
@@ -13,6 +13,9 @@ param soaRecord object = {}
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource SOA 'Microsoft.Network/privateDnsZones/SOA@2020-06-01' = {
 }
 }
+module SOA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSSOA-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: SOA.id
+ }
+}]
+
 @description('The name of the deployed SOA record')
 output name string = SOA.name
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
index 70672df580..d03d498969 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone SOA record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/SOA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) |
 ## Parameters
@@ -27,6 +28,7 @@ This module deploys a Private DNS Zone SOA record.
 | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `metadata` | object | `{object}` | The metadata attached to the record set. |
+| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `soaRecord` | object | `{object}` | A SOA record. |
 | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |
@@ -47,6 +49,32 @@ This module deploys a Private DNS Zone SOA record.
 }
 ```
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/version.json b/arm/Microsoft.Network/privateDnsZones/SOA/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..1f48b538cd
--- /dev/null
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource SRV 'Microsoft.Network/privateDnsZones/SRV@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(SRV.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: SRV
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
index ace6ab941e..a82295cb4e 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
@@ -13,6 +13,9 @@ param srvRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource SRV 'Microsoft.Network/privateDnsZones/SRV@2020-06-01' = {
 }
 }
+module SRV_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSSRV-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: SRV.id
+ }
+}]
+
 @description('The name of the deployed SRV record')
 output name string = SRV.name
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
index 34106a4560..609221eb53 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone TXT record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/SRV` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) |
 ## Parameters
@@ -27,6 +28,7 @@ This module deploys a Private DNS Zone TXT record.
 | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `metadata` | object | `{object}` | The metadata attached to the record set. |
+| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `srvRecords` | array | `[]` | The list of SRV records in the record set. |
 | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |
@@ -46,6 +48,32 @@ This module deploys a Private DNS Zone TXT record.
 }
 ```
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
 ## Outputs
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/version.json b/arm/Microsoft.Network/privateDnsZones/SRV/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..81f4533f65
--- /dev/null
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource TXT 'Microsoft.Network/privateDnsZones/TXT@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(TXT.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: TXT
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
index 23d7bf3dae..ac39012a6e 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
@@ -13,6 +13,9 @@ param ttl int = 3600
 @description('Optional. The list of TXT records in the record set.')
 param txtRecords array = []
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
@@ -42,6 +45,17 @@ resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' = {
 }
 }
 
+module TXT_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSTXT-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: TXT.id
+ }
+}]
+
 @description('The name of the deployed TXT record')
 output name string = TXT.name
 
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
index 49d26971a1..43003f4bc6 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
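Review bot: The `@description` on `roleAssignments` says each object contains `'principalId'`, but `TXT_rbac` reads `roleAssignment.principalIds` (an array) and the readme sample in this commit uses `principalIds`; the text should say `... that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource ...`. The module also dereferences `roleAssignment.principalIds` and `roleAssignment.roleDefinitionIdOrName` without the `contains` guard used for `description` and `principalType`, so an object missing either key fails only at deployment time; naming them as required keys in the description would make that explicit. The `TXT` resource whose closing braces appear as context starts outside the hunk.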
@@ -12,6 +12,7 @@ This module deploys a Private DNS Zone TXT record.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) |
 
 ## Parameters
@@ -27,6 +28,7 @@ This module deploys a Private DNS Zone TXT record.
 | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `metadata` | object | `{object}` | The metadata attached to the record set. |
+| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |
 | `txtRecords` | array | `[]` | The list of TXT records in the record set. |
 
@@ -43,6 +45,32 @@ This module deploys a Private DNS Zone TXT record.
 }
 ```
 
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+```json
+"roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "description": "Reader Role Assignment",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012", // object 1
+ "78945612-1234-1234-1234-123456789012" // object 2
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "principalIds": [
+ "12345678-1234-1234-1234-123456789012" // object 1
+ ],
+ "principalType": "ServicePrincipal"
+ }
+ ]
+}
+```
+
 ## Outputs
 
 | Output Name | Type | Description |
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/version.json b/arm/Microsoft.Network/privateDnsZones/TXT/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/deploy.bicep
index 4a3f257cbe..fa7a207802 100644
--- a/arm/Microsoft.Network/privateDnsZones/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/deploy.bicep
@@ -74,6 +74,7 @@ module privateDnsZone_A 'A/deploy.bicep' = [for (aRecord, index) in a: {
 aRecords: contains(aRecord, 'aRecords') ? aRecord.aRecords : []
 metadata: contains(aRecord, 'metadata') ? aRecord.metadata : {}
 ttl: contains(aRecord, 'ttl') ? aRecord.ttl : 3600
+ roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -86,6 +87,7 @@ module privateDnsZone_AAAA 'AAAA/deploy.bicep' = [for (aaaaRecord, index) in aaa
 aaaaRecords: contains(aaaaRecord, 'aaaaRecords') ? aaaaRecord.aaaaRecords : []
 metadata: contains(aaaaRecord, 'metadata') ? aaaaRecord.metadata : {}
 ttl: contains(aaaaRecord, 'ttl') ? aaaaRecord.ttl : 3600
+ roleAssignments: contains(aaaaRecord, 'roleAssignments') ? aaaaRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -98,6 +100,7 @@ module privateDnsZone_CNAME 'CNAME/deploy.bicep' = [for (cnameRecord, index) in
 cnameRecord: contains(cnameRecord, 'cnameRecord') ? cnameRecord.cnameRecord : {}
 metadata: contains(cnameRecord, 'metadata') ? cnameRecord.metadata : {}
 ttl: contains(cnameRecord, 'ttl') ? cnameRecord.ttl : 3600
+ roleAssignments: contains(cnameRecord, 'roleAssignments') ? cnameRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -110,6 +113,7 @@ module privateDnsZone_MX 'MX/deploy.bicep' = [for (mxRecord, index) in mx: {
 metadata: contains(mxRecord, 'metadata') ? mxRecord.metadata : {}
 mxRecords: contains(mxRecord, 'mxRecords') ? mxRecord.mxRecords : []
 ttl: contains(mxRecord, 'ttl') ? mxRecord.ttl : 3600
+ roleAssignments: contains(mxRecord, 'roleAssignments') ? mxRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
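Review bot: The new `roleAssignments` line is placed after `ttl` in the `privateDnsZone_A` module parameters, while the visible parameters (`aRecords`, `metadata`, `ttl`) appear to be kept in alphabetical order with `enableDefaultTelemetry` last; inserting `roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : []` before the `ttl` line keeps that convention. The same placement applies to the AAAA, CNAME and MX hunks here and to the PTR, SOA, SRV and TXT hunks that follow. Each module block begins outside its hunk.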
@@ -122,6 +126,7 @@ module privateDnsZone_PTR 'PTR/deploy.bicep' = [for (ptrRecord, index) in ptr: {
 metadata: contains(ptrRecord, 'metadata') ? ptrRecord.metadata : {}
 ptrRecords: contains(ptrRecord, 'ptrRecords') ? ptrRecord.ptrRecords : []
 ttl: contains(ptrRecord, 'ttl') ? ptrRecord.ttl : 3600
+ roleAssignments: contains(ptrRecord, 'roleAssignments') ? ptrRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -134,6 +139,7 @@ module privateDnsZone_SOA 'SOA/deploy.bicep' = [for (soaRecord, index) in soa: {
 metadata: contains(soaRecord, 'metadata') ? soaRecord.metadata : {}
 soaRecord: contains(soaRecord, 'soaRecord') ? soaRecord.soaRecord : {}
 ttl: contains(soaRecord, 'ttl') ? soaRecord.ttl : 3600
+ roleAssignments: contains(soaRecord, 'roleAssignments') ? soaRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -146,6 +152,7 @@ module privateDnsZone_SRV 'SRV/deploy.bicep' = [for (srvRecord, index) in srv: {
 metadata: contains(srvRecord, 'metadata') ? srvRecord.metadata : {}
 srvRecords: contains(srvRecord, 'srvRecords') ? srvRecord.srvRecords : []
 ttl: contains(srvRecord, 'ttl') ? srvRecord.ttl : 3600
+ roleAssignments: contains(srvRecord, 'roleAssignments') ? srvRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
@@ -158,6 +165,7 @@ module privateDnsZone_TXT 'TXT/deploy.bicep' = [for (txtRecord, index) in txt: {
 metadata: contains(txtRecord, 'metadata') ? txtRecord.metadata : {}
 txtRecords: contains(txtRecord, 'txtRecords') ? txtRecord.txtRecords : []
 ttl: contains(txtRecord, 'ttl') ? txtRecord.ttl : 3600
+ roleAssignments: contains(txtRecord, 'roleAssignments') ? txtRecord.roleAssignments : []
 enableDefaultTelemetry: enableDefaultTelemetry
 }
 }]
diff --git a/arm/Microsoft.Network/privateDnsZones/version.json b/arm/Microsoft.Network/privateDnsZones/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/privateDnsZones/version.json
+++ b/arm/Microsoft.Network/privateDnsZones/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }