From 4d00d95029e2cfec5709933b61387db681f7bd12 Mon Sep 17 00:00:00 2001 
From: Simone Bertaccini Date: Thu, 28 Apr 2022 13:40:12 +0200 Subject: [PATCH 01/11] Private DNS records RBAC --- .../.parameters/parameters.json | 60 ++++++++++++++++++- .../A/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/A/deploy.bicep | 14 +++++ .../privateDnsZones/A/readme.md | 29 +++++++++ .../privateDnsZones/A/version.json | 2 +- .../AAAA/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/AAAA/deploy.bicep | 14 +++++ .../privateDnsZones/AAAA/readme.md | 29 +++++++++ .../privateDnsZones/AAAA/version.json | 2 +- .../CNAME/.bicep/nested_rbac.bicep | 58 ++++++++++++++++++ .../privateDnsZones/CNAME/deploy.bicep | 14 +++++ .../privateDnsZones/CNAME/readme.md | 29 +++++++++ .../privateDnsZones/CNAME/version.json | 2 +- .../MX/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/MX/deploy.bicep | 14 +++++ .../privateDnsZones/MX/readme.md | 29 +++++++++ .../privateDnsZones/MX/version.json | 2 +- .../PTR/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/PTR/deploy.bicep | 14 +++++ .../privateDnsZones/PTR/readme.md | 29 +++++++++ .../privateDnsZones/PTR/version.json | 2 +- .../SOA/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/SOA/deploy.bicep | 14 +++++ .../privateDnsZones/SOA/readme.md | 29 +++++++++ .../privateDnsZones/SOA/version.json | 2 +- .../SRV/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/SRV/deploy.bicep | 14 +++++ .../privateDnsZones/SRV/readme.md | 29 +++++++++ .../privateDnsZones/SRV/version.json | 2 +- .../TXT/.bicep/nested_rbac.bicep | 56 +++++++++++++++++ .../privateDnsZones/TXT/deploy.bicep | 14 +++++ .../privateDnsZones/TXT/readme.md | 29 +++++++++ .../privateDnsZones/TXT/version.json | 2 +- .../privateDnsZones/deploy.bicep | 8 +++ .../privateDnsZones/readme.md | 1 - .../privateDnsZones/version.json | 2 +- 36 files changed, 869 insertions(+), 12 deletions(-) create mode 100644 
arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 0668e824cc..2dc2979095 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -37,6 +37,14 @@ { "ipv4Address": "10.240.4.4" } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } ] } ] @@ -48,7 +56,15 @@ "ttl": 3600, "cnameRecord": { "cname": "test" - } + }, + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } + ] } ] }, @@ -62,6 +78,14 @@ "exchange": "contoso.com", "preference": 100 } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } ] } ] @@ -75,6 +99,14 @@ { "ptrdname": "contoso.com" } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } ] } ] @@ -92,7 +124,15 @@ "refreshTime": 3600, "retryTime": 300, "serialNumber": "1" - } + }, + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } + ] } ] }, 
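Review bot: Every new `roleAssignments` block in this parameter file grants `Contributor` to the placeholder principal, which is broader than the record-level access the test needs and is the value people will copy from a fixture. The nested module's map already knows narrower built-ins, so `"roleDefinitionIdOrName": "Private DNS Zone Contributor"` (or `"Reader"`, as the readme example uses) would exercise the same code path while modelling least privilege. The `"<>"` value for `principalIds` is presumably substituted by the test pipeline; if it is not, the role assignment will fail on an invalid principal ID. The same applies to the CNAME, MX, PTR and SOA hunks here and the SRV and TXT hunks that follow.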
@@ -108,6 +148,14 @@ "target": "test.contoso.com", "weight": 0 } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } ] } ] @@ -123,6 +171,14 @@ "test" ] } + ], + "roleAssignments": [ + { + "roleDefinitionIdOrName": "Contributor", + "principalIds": [ + "<>" + ] + } ] } ] diff --git a/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..35dd346b4e --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource A 'Microsoft.Network/privateDnsZones/A@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(A.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: A
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
index 59ead85aec..f30ede4c7e 100644
--- a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep
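Review bot: The `existing` reference `resource A 'Microsoft.Network/privateDnsZones/A@2018-09-01'` pins an older API version than the `2020-06-01` that the parent A/deploy.bicep in this same patch uses for the record it creates; the two should agree, `resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' existing = {`. The record name is rebuilt from fixed segments `[8]` and `[10]` of `resourceId`, which only holds for a full record resource ID of the form `.../privateDnsZones/{zone}/A/{record}`; a comment stating that assumption on the `name:` line, such as `// expects the full record resource ID: .../privateDnsZones/{zone}/A/{record}`, would make the contract explicit, since a differently shaped ID would silently scope the assignment to the wrong name. The parameter description typo `prinicpals` should read `principals`. The AAAA, CNAME and MX nested_rbac.bicep hunks in this patch are copies of this file and carry the same three points.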
@@ -16,6 +16,9 @@ param ttl int = 3600 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -42,6 +45,17 @@ resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' = { } } +module A_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name)}-PDNSA-Rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: A.id + } +}] + @description('The name of the deployed A record') output name string = A.name diff --git a/arm/Microsoft.Network/privateDnsZones/A/readme.md b/arm/Microsoft.Network/privateDnsZones/A/readme.md index 212bca2ad2..9281c1557a 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/A/readme.md @@ -13,6 +13,7 @@ This module deploys a Private DNS Zone A record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/privateDnsZones/A` | 2020-06-01 | ## Parameters 
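Review bot: The new `roleAssignments` parameter description says each object contains `'principalId'`, but the `A_rbac` module below reads `roleAssignment.principalIds` (an array, with no `contains` guard) and the nested module declares `param principalIds array`; a caller who follows the description would, in all likelihood, fail at deployment on the missing property. Change the description to name the real key, `... that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource ...`, and the matching row added to A/readme.md in this patch. The AAAA and CNAME deploy.bicep and readme.md hunks repeat the same text and need the same correction.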
@@ -29,6 +30,7 @@ This module deploys a Private DNS Zone A record. | `aRecords` | array | `[]` | The list of A records in the record set. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | @@ -44,6 +46,32 @@ This module deploys a Private DNS Zone A record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -55,3 +83,4 @@ This module deploys a Private DNS Zone A record. ## Template references - [Privatednszones/A](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/A/version.json b/arm/Microsoft.Network/privateDnsZones/A/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/version.json +++ b/arm/Microsoft.Network/privateDnsZones/A/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..e1785e8ece --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(AAAA.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: AAAA
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
index 1dd9efb231..82c92b85b2 100644
--- a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep
@@ -16,6 +16,9 @@ param ttl int = 3600 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -42,6 +45,17 @@ resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2020-06-01' = { } } +module AAAA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name)}-PDNSAAAA-Rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: AAAA.id + } +}] + @description('The name of the deployed AAAA record') output name string = AAAA.name diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md index 566e29d475..a07ff97d55 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md 
@@ -13,6 +13,7 @@ This module deploys a Private DNS Zone AAAA record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/privateDnsZones/AAAA` | 2020-06-01 | ## Parameters @@ -29,6 +30,7 @@ This module deploys a Private DNS Zone AAAA record. | `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | 
@@ -44,6 +46,32 @@ This module deploys a Private DNS Zone AAAA record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | @@ -55,3 +83,4 @@ This module deploys a Private DNS Zone AAAA record. ## Template references - [Privatednszones/AAAA](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/version.json b/arm/Microsoft.Network/privateDnsZones/AAAA/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/version.json +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } 
diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..6117cc91ca --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep 
@@ -0,0 +1,58 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(CNAME.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: CNAME
+}]
+
+output id string = roleAssignment[0].name
diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
index 680f8d9ab6..b216e98cf9 100644
--- a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep
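Review bot: The trailing `output id string = roleAssignment[0].name` exists only in this CNAME copy of nested_rbac.bicep, not in the A, AAAA or MX copies, and it is misnamed: it is declared `id` but returns `.name`, and it indexes `[0]` into a collection that is empty whenever `principalIds` is `[]`, so the module would fail on an otherwise valid empty input. The parent `CNAME_rbac` module in the next hunk does not consume any output, so the simplest fix is to delete the two lines so that this file matches its siblings; if an output is wanted, it should be named after what it returns and guarded against the empty case.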
@@ -13,6 +13,9 @@ param metadata object = {} @description('Optional. The TTL (time-to-live) of the records in the record set.') param ttl int = 3600 +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true @@ -42,6 +45,17 @@ resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = { } } +module CNAME_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name)}-PDNSCNAME-Rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: CNAME.id + } +}] + @description('The name of the deployed CNAME record') output name string = CNAME.name diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md index 665961ea97..4e2ac17b79 100644 --- a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md @@ -13,6 +13,7 @@ This module deploys a Private DNS Zone CNAME record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/privateDnsZones/CNAME` | 2020-06-01 | ## Parameters 
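Review bot: The `roleAssignments` parameter is inserted between `ttl` and `enableDefaultTelemetry` here, whereas the A and AAAA deploy.bicep hunks earlier in this patch place it after `enableDefaultTelemetry`; keeping one order across the sibling record modules keeps the files diffable against each other and matches how the readme tables are generated. The parameter description on this line also repeats the `'principalId'` wording that the module's `principalIds` lookup contradicts, as noted on the A hunk.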
@@ -29,9 +30,36 @@ This module deploys a Private DNS Zone CNAME record. | `cnameRecord` | object | `{object}` | A CNAME record. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -43,3 +71,4 @@ This module deploys a Private DNS Zone CNAME record. ## Template references - [Privatednszones/CNAME](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/version.json b/arm/Microsoft.Network/privateDnsZones/CNAME/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/CNAME/version.json +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..cd6a41fab6 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource MX 'Microsoft.Network/privateDnsZones/MX@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(MX.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: MX
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
index 49357b388d..466c8ee27b 100644
--- a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep
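Review bot: The `existing` reference `resource MX 'Microsoft.Network/privateDnsZones/MX@2018-09-01'` pins an older API version than the `2020-06-01` the record set is created with in deploy.bicep; `resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' existing = {` keeps both files on one schema and matches the version the readme documents. The record name is rebuilt from positional segments of `resourceId` with no explanation of what `[8]` and `[10]` are, so a comment such as `// resourceId segments: [8] = private DNS zone name, [10] = record-set name` would make the magic indices readable and flag that any other ID shape silently yields a wrong name. When `roleDefinitionIdOrName` is not a key of `builtInRoleNames` it is passed verbatim as `roleDefinitionId`, so a misspelled display name is only rejected by ARM at deployment time; the parameter description should say that explicitly. The first `@sys.description` misspells "principals" and doubles "to"; it should read `'Required. The IDs of the principals to assign the role to'`. The PTR, SOA, SRV and TXT nested_rbac.bicep hunks are identical and share all of these points.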
@@ -13,6 +13,9 @@ param mxRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' = {
 }
 }
 
+module MX_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSMX-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: MX.id
+ }
+}]
+
 @description('The name of the deployed MX record')
 output name string = MX.name
diff --git a/arm/Microsoft.Network/privateDnsZones/MX/readme.md b/arm/Microsoft.Network/privateDnsZones/MX/readme.md
index 76d901b929..38426834ed 100644
--- a/arm/Microsoft.Network/privateDnsZones/MX/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/MX/readme.md
@@ -13,6 +13,7 @@ This module deploys a Private DNS Zone MX record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Network/privateDnsZones/MX` | 2020-06-01 |
 
 ## Parameters
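Review bot: The new `@description` for `roleAssignments` says each object carries `'principalId'`, but the module binding below reads `roleAssignment.principalIds` (an array), and the readme parameter table added in this commit repeats the same wording, so callers are pointed at a key the template never reads; the description should name `'principalIds'`, as the `Parameter Usage` example already does. `roleAssignment.principalIds` and `roleAssignment.roleDefinitionIdOrName` are dereferenced without the `contains` guard used for `description` and `principalType`, which is fine for required keys but should be stated, e.g. `... objects that contain the required 'roleDefinitionIdOrName' and 'principalIds' and the optional 'description' and 'principalType' ...`. The PTR, SOA and SRV deploy.bicep hunks carry the same description string and module body.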
@@ -29,6 +30,7 @@ This module deploys a Private DNS Zone MX record. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | | `mxRecords` | array | `[]` | The list of MX records in the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | @@ -45,6 +47,32 @@ This module deploys a Private DNS Zone MX record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -56,3 +84,4 @@ This module deploys a Private DNS Zone MX record. ## Template references - [Privatednszones/MX](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/MX/version.json b/arm/Microsoft.Network/privateDnsZones/MX/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/MX/version.json +++ b/arm/Microsoft.Network/privateDnsZones/MX/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..b84cc2e481 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource PTR 'Microsoft.Network/privateDnsZones/PTR@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(PTR.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: PTR
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
index e7b066524e..74e5128657 100644
--- a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep
@@ -13,6 +13,9 @@ param ptrRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -28,6 +31,17 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
+module PTR_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSPTR-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: PTR.id
+ }
+}]
+
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
 name: privateDnsZoneName
 }
diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
index f57d6db674..cc67d7620a 100644
--- a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md
@@ -13,6 +13,7 @@ This module deploys a Private DNS Zone PTR record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Network/privateDnsZones/PTR` | 2020-06-01 |
 
 ## Parameters
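Review bot: The `PTR_rbac` module is inserted directly after the `defaultTelemetry` deployment and before the `privateDnsZone` existing reference, whereas the MX, SOA and SRV hunks place their `_rbac` module after the record resource whose `.id` it consumes; the `PTR` resource this module references is outside the hunk, so I infer it is declared further down. Bicep resolves the forward reference to `PTR.id`, so this is a style point rather than a defect, but moving the block below the `PTR` resource keeps the four modules laid out the same way and makes the dependency read top-down. A one-line comment above it, `// Role assignments scoped to the PTR record set (see .bicep/nested_rbac.bicep)`, would also help, since this is the only one of the four not adjacent to its target.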
@@ -29,6 +30,7 @@ This module deploys a Private DNS Zone PTR record. | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | | `ptrRecords` | array | `[]` | The list of PTR records in the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | @@ -44,6 +46,32 @@ This module deploys a Private DNS Zone PTR record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -55,3 +83,4 @@ This module deploys a Private DNS Zone PTR record. ## Template references - [Privatednszones/PTR](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/version.json b/arm/Microsoft.Network/privateDnsZones/PTR/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/PTR/version.json +++ b/arm/Microsoft.Network/privateDnsZones/PTR/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..ae13be4128 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource SOA 'Microsoft.Network/privateDnsZones/SOA@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(SOA.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: SOA
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
index 45079fc464..432c9d94df 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep
@@ -13,6 +13,9 @@ param soaRecord object = {}
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource SOA 'Microsoft.Network/privateDnsZones/SOA@2020-06-01' = {
 }
 }
 
+module SOA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSSOA-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: SOA.id
+ }
+}]
+
 @description('The name of the deployed SOA record')
 output name string = SOA.name
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
index 14dfbc6742..da18d00756 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
@@ -13,6 +13,7 @@ This module deploys a Private DNS Zone SOA record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Network/privateDnsZones/SOA` | 2020-06-01 |
 
 ## Parameters
@@ -28,6 +29,7 @@ This module deploys a Private DNS Zone SOA record. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `soaRecord` | object | `{object}` | A SOA record. | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | @@ -48,6 +50,32 @@ This module deploys a Private DNS Zone SOA record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -59,3 +87,4 @@ This module deploys a Private DNS Zone SOA record. ## Template references - [Privatednszones/SOA](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/version.json b/arm/Microsoft.Network/privateDnsZones/SOA/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/SOA/version.json +++ b/arm/Microsoft.Network/privateDnsZones/SOA/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..1f48b538cd --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource SRV 'Microsoft.Network/privateDnsZones/SRV@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(SRV.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: SRV
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
index ace6ab941e..a82295cb4e 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep
@@ -13,6 +13,9 @@ param srvRecords array = []
 @description('Optional. The TTL (time-to-live) of the records in the record set.')
 param ttl int = 3600
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -42,6 +45,17 @@ resource SRV 'Microsoft.Network/privateDnsZones/SRV@2020-06-01' = {
 }
 }
 
+module SRV_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name)}-PDNSSRV-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: SRV.id
+ }
+}]
+
 @description('The name of the deployed SRV record')
 output name string = SRV.name
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
index d1dd271a00..43739336b1 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
@@ -13,6 +13,7 @@ This module deploys a Private DNS Zone TXT record.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.Network/privateDnsZones/SRV` | 2020-06-01 |
 
 ## Parameters
@@ -28,6 +29,7 @@ This module deploys a Private DNS Zone TXT record. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `srvRecords` | array | `[]` | The list of SRV records in the record set. | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | @@ -47,6 +49,32 @@ This module deploys a Private DNS Zone TXT record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -58,3 +86,4 @@ This module deploys a Private DNS Zone TXT record. ## Template references - [Privatednszones/SRV](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/version.json b/arm/Microsoft.Network/privateDnsZones/SRV/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/SRV/version.json +++ b/arm/Microsoft.Network/privateDnsZones/SRV/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..81f4533f65 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep 
@@ -0,0 +1,56 @@
+@sys.description('Required. The IDs of the prinicpals to assign to role to')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. Description of role assignment')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource TXT 'Microsoft.Network/privateDnsZones/TXT@2018-09-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(TXT.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: TXT
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
index 23d7bf3dae..ac39012a6e 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
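Review bot: The `existing` TXT reference is pinned to API version `2018-09-01` while the record it scopes to is deployed with `2020-06-01` in the TXT/deploy.bicep hunk below; keeping both on the same version avoids a silent drift if the older version is retired, i.e. `resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' existing = {`. The role-assignment name is seeded with the raw `roleDefinitionIdOrName`, so the same role requested once by display name (`Reader`) and once by its full definition ID produces two different names for one principal/role/scope triple, which Azure rejects as an already-existing assignment; resolving once into `var roleDefinitionId = contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName` and using it in both `guid(TXT.name, principalId, roleDefinitionId)` and `properties.roleDefinitionId` makes the name stable and idempotent. `split(resourceId, '/')[8]` and `[10]` assume the full record resource ID shape, which holds for the `TXT.id` the parent passes but fails with an index error for anything else — presumably acceptable, though a one-line comment stating the expected format would help. The same pattern appears in the sibling A/AAAA/CNAME/MX/PTR/SOA/SRV nested_rbac.bicep files listed in the diffstat, so any change should be applied to all of them; the first description string also has a typo (`prinicpals`).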
@@ -13,6 +13,9 @@ param ttl int = 3600 @description('Optional. The list of TXT records in the record set.') param txtRecords array = [] +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true @@ -42,6 +45,17 @@ resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' = { } } +module TXT_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name)}-PDNSTXT-Rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: TXT.id + } +}] + @description('The name of the deployed TXT record') output name string = TXT.name diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md index 71fab1d72f..d5c75ac0c3 100644 --- a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md @@ -13,6 +13,7 @@ This module deploys a Private DNS Zone TXT record. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/privateDnsZones/TXT` | 2020-06-01 | ## Parameters 
@@ -28,6 +29,7 @@ This module deploys a Private DNS Zone TXT record. | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | | `txtRecords` | array | `[]` | The list of TXT records in the record set. | @@ -44,6 +46,32 @@ This module deploys a Private DNS Zone TXT record. } ``` +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + ## Outputs | Output Name | Type | Description | 
@@ -55,3 +83,4 @@ This module deploys a Private DNS Zone TXT record. ## Template references - [Privatednszones/TXT](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/version.json b/arm/Microsoft.Network/privateDnsZones/TXT/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/TXT/version.json +++ b/arm/Microsoft.Network/privateDnsZones/TXT/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/deploy.bicep index 4a3f257cbe..fa7a207802 100644 --- a/arm/Microsoft.Network/privateDnsZones/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/deploy.bicep @@ -74,6 +74,7 @@ module privateDnsZone_A 'A/deploy.bicep' = [for (aRecord, index) in a: { aRecords: contains(aRecord, 'aRecords') ? aRecord.aRecords : [] metadata: contains(aRecord, 'metadata') ? aRecord.metadata : {} ttl: contains(aRecord, 'ttl') ? aRecord.ttl : 3600 + roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] @@ -86,6 +87,7 @@ module privateDnsZone_AAAA 'AAAA/deploy.bicep' = [for (aaaaRecord, index) in aaa aaaaRecords: contains(aaaaRecord, 'aaaaRecords') ? aaaaRecord.aaaaRecords : [] metadata: contains(aaaaRecord, 'metadata') ? aaaaRecord.metadata : {} ttl: contains(aaaaRecord, 'ttl') ? aaaaRecord.ttl : 3600 + roleAssignments: contains(aaaaRecord, 'roleAssignments') ? aaaaRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] 
@@ -98,6 +100,7 @@ module privateDnsZone_CNAME 'CNAME/deploy.bicep' = [for (cnameRecord, index) in cnameRecord: contains(cnameRecord, 'cnameRecord') ? cnameRecord.cnameRecord : {} metadata: contains(cnameRecord, 'metadata') ? cnameRecord.metadata : {} ttl: contains(cnameRecord, 'ttl') ? cnameRecord.ttl : 3600 + roleAssignments: contains(cnameRecord, 'roleAssignments') ? cnameRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] @@ -110,6 +113,7 @@ module privateDnsZone_MX 'MX/deploy.bicep' = [for (mxRecord, index) in mx: { metadata: contains(mxRecord, 'metadata') ? mxRecord.metadata : {} mxRecords: contains(mxRecord, 'mxRecords') ? mxRecord.mxRecords : [] ttl: contains(mxRecord, 'ttl') ? mxRecord.ttl : 3600 + roleAssignments: contains(mxRecord, 'roleAssignments') ? mxRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] @@ -122,6 +126,7 @@ module privateDnsZone_PTR 'PTR/deploy.bicep' = [for (ptrRecord, index) in ptr: { metadata: contains(ptrRecord, 'metadata') ? ptrRecord.metadata : {} ptrRecords: contains(ptrRecord, 'ptrRecords') ? ptrRecord.ptrRecords : [] ttl: contains(ptrRecord, 'ttl') ? ptrRecord.ttl : 3600 + roleAssignments: contains(ptrRecord, 'roleAssignments') ? ptrRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] @@ -134,6 +139,7 @@ module privateDnsZone_SOA 'SOA/deploy.bicep' = [for (soaRecord, index) in soa: { metadata: contains(soaRecord, 'metadata') ? soaRecord.metadata : {} soaRecord: contains(soaRecord, 'soaRecord') ? soaRecord.soaRecord : {} ttl: contains(soaRecord, 'ttl') ? soaRecord.ttl : 3600 + roleAssignments: contains(soaRecord, 'roleAssignments') ? soaRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] 
@@ -146,6 +152,7 @@ module privateDnsZone_SRV 'SRV/deploy.bicep' = [for (srvRecord, index) in srv: { metadata: contains(srvRecord, 'metadata') ? srvRecord.metadata : {} srvRecords: contains(srvRecord, 'srvRecords') ? srvRecord.srvRecords : [] ttl: contains(srvRecord, 'ttl') ? srvRecord.ttl : 3600 + roleAssignments: contains(srvRecord, 'roleAssignments') ? srvRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] @@ -158,6 +165,7 @@ module privateDnsZone_TXT 'TXT/deploy.bicep' = [for (txtRecord, index) in txt: { metadata: contains(txtRecord, 'metadata') ? txtRecord.metadata : {} txtRecords: contains(txtRecord, 'txtRecords') ? txtRecord.txtRecords : [] ttl: contains(txtRecord, 'ttl') ? txtRecord.ttl : 3600 + roleAssignments: contains(txtRecord, 'roleAssignments') ? txtRecord.roleAssignments : [] enableDefaultTelemetry: enableDefaultTelemetry } }] diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md index bfa77e582c..f7d43bfd3a 100644 --- a/arm/Microsoft.Network/privateDnsZones/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/readme.md 
@@ -51,7 +51,6 @@ This template deploys a private DNS zone. | `txt` | _[txt](txt/readme.md)_ array | `[]` | | Array of TXT records. | | `virtualNetworkLinks` | _[virtualNetworkLinks](virtualNetworkLinks/readme.md)_ array | `[]` | | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. diff --git a/arm/Microsoft.Network/privateDnsZones/version.json b/arm/Microsoft.Network/privateDnsZones/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/privateDnsZones/version.json +++ b/arm/Microsoft.Network/privateDnsZones/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } From 4aba01197715e0494c77a0043acdff7b2499f253 Mon Sep 17 00:00:00 2001 From: Simone Bertaccini Date: Thu, 28 Apr 2022 13:51:35 +0200 Subject: [PATCH 02/11] Blank spaces fix --- arm/Microsoft.Network/privateDnsZones/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md index f7d43bfd3a..bfa77e582c 100644 --- a/arm/Microsoft.Network/privateDnsZones/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/readme.md 
@@ -51,6 +51,7 @@ This template deploys a private DNS zone. | `txt` | _[txt](txt/readme.md)_ array | `[]` | | Array of TXT records. | | `virtualNetworkLinks` | _[virtualNetworkLinks](virtualNetworkLinks/readme.md)_ array | `[]` | | Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet. | + ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. From 180a39bacfd126e957e84aeebef4718da9977e79 Mon Sep 17 00:00:00 2001 From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:01:40 +0200 Subject: [PATCH 03/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 2dc2979095..cfef42951d 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -174,7 +174,7 @@ ], "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 93ba143e47ec3f90160316002bb46ac46954a3b7 Mon Sep 17 00:00:00 2001 
From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:01:50 +0200 Subject: [PATCH 04/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index cfef42951d..4462e5aeb1 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -151,7 +151,7 @@ ], "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From ec2beadf3e1e2cd06956ec6c700e731eb9d84fef Mon Sep 17 00:00:00 2001 From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:01:57 +0200 Subject: [PATCH 05/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 4462e5aeb1..c3d89f8843 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -127,7 +127,7 @@ }, "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 8948908b91c9d1ac84b1c4738a704c31b92f6862 Mon Sep 17 00:00:00 2001 
From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:02:08 +0200 Subject: [PATCH 06/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index c3d89f8843..80dfa2ac3d 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -102,7 +102,7 @@ ], "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 54da135adf8290982e4f1121c9ddbc613c01f3b3 Mon Sep 17 00:00:00 2001 From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:02:14 +0200 Subject: [PATCH 07/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 80dfa2ac3d..fb1e38eb5c 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -81,7 +81,7 @@ ], "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 10b8dddb527450c4d13adf06681096d134842109 Mon Sep 17 00:00:00 2001 
From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:02:22 +0200 Subject: [PATCH 08/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index fb1e38eb5c..20d588272b 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -59,7 +59,7 @@ }, "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 952988c1f4f0023fc7254737ceac5db8dce6020e Mon Sep 17 00:00:00 2001 From: Simone Bertaccini Date: Fri, 29 Apr 2022 11:02:29 +0200 Subject: [PATCH 09/11] Update arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../privateDnsZones/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 20d588272b..88c41e929e 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -40,7 +40,7 @@ ], "roleAssignments": [ { - "roleDefinitionIdOrName": "Contributor", + "roleDefinitionIdOrName": "Reader", "principalIds": [ "<>" ] From 318d14172014bb0b9c89c5fea929cb6f9082a62a Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Mon, 2 May 2022 17:59:37 +0200 Subject: [PATCH 10/11] Update to latest --- .../privateDnsZones/A/readme.md | 17 ---------- .../privateDnsZones/AAAA/readme.md | 33 +++++++++---------- .../privateDnsZones/CNAME/readme.md | 17 ---------- .../privateDnsZones/MX/readme.md | 17 ---------- .../privateDnsZones/PTR/readme.md | 17 ---------- .../privateDnsZones/SOA/readme.md | 17 ---------- .../privateDnsZones/SRV/readme.md | 17 ---------- .../privateDnsZones/TXT/readme.md | 17 ---------- 8 files changed, 15 insertions(+), 137 deletions(-) diff --git a/arm/Microsoft.Network/privateDnsZones/A/readme.md b/arm/Microsoft.Network/privateDnsZones/A/readme.md index 5cec000611..5540dfea6a 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/A/readme.md @@ -7,7 +7,6 @@ This module deploys a Private DNS Zone A record. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) ## Resource Types @@ -16,13 +15,6 @@ This module deploys a Private DNS Zone A record. | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/A` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) | -<<<<<<< HEAD -| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Network/privateDnsZones/A` | 2020-06-01 | -======= -| `Microsoft.Network/privateDnsZones/A` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) | ->>>>>>> main - ## Parameters **Required parameters** 
@@ -86,12 +78,3 @@ Create a role assignment for the given resource. If you want to assign a service | `name` | string | The name of the deployed A record | | `resourceGroupName` | string | The resource group of the deployed A record | | `resourceId` | string | The resource ID of the deployed A record | - -<<<<<<< HEAD - -## Template references - -- [Privatednszones/A](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/A) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -======= ->>>>>>> main diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md index 6501a8211f..e25c2d4ffc 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md @@ -5,9 +5,8 @@ This module deploys a Private DNS Zone AAAA record. ## Navigation - [Resource Types](#Resource-Types) -- [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) +- [Parameters](#Parameters) ## Resource Types 
@@ -16,17 +15,7 @@ This module deploys a Private DNS Zone AAAA record. | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) | -<<<<<<< HEAD -| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Network/privateDnsZones/AAAA` | 2020-06-01 | -======= -| `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) | ->>>>>>> main - -## Parameters - **Required parameters** -| Parameter Name | Type | Description | | :-- | :-- | :-- | | `name` | string | The name of the AAAA record. | | `privateDnsZoneName` | string | Private DNS zone name. | 
@@ -87,11 +76,19 @@ Create a role assignment for the given resource. If you want to assign a service | `resourceGroupName` | string | The resource group of the deployed AAAA record | | `resourceId` | string | The resource ID of the deployed AAAA record | -<<<<<<< HEAD +## Parameters -## Template references +**Required parameters** +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the AAAA record. | +| `privateDnsZoneName` | string | Private DNS zone name. | -- [Privatednszones/AAAA](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -======= ->>>>>>> main +**Optional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `metadata` | object | `{object}` | The metadata attached to the record set. | +| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. | diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md index 4857d8a087..ddcd5c4c08 100644 --- a/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/readme.md 
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone CNAME record. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) ## Resource Types @@ -16,13 +15,6 @@ This module deploys a Private DNS Zone CNAME record. | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/CNAME` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) | -<<<<<<< HEAD -| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Network/privateDnsZones/CNAME` | 2020-06-01 | -======= -| `Microsoft.Network/privateDnsZones/CNAME` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) | ->>>>>>> main - ## Parameters **Required parameters** @@ -74,12 +66,3 @@ Create a role assignment for the given resource. If you want to assign a service | `name` | string | The name of the deployed CNAME record | | `resourceGroupName` | string | The resource group of the deployed CNAME record | | `resourceId` | string | The resource ID of the deployed CNAME record | - -<<<<<<< HEAD - -## Template references - -- [Privatednszones/CNAME](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/CNAME) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -======= ->>>>>>> main diff --git a/arm/Microsoft.Network/privateDnsZones/MX/readme.md b/arm/Microsoft.Network/privateDnsZones/MX/readme.md index 7e27dc5be3..7ba3cf9079 100644 --- a/arm/Microsoft.Network/privateDnsZones/MX/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/MX/readme.md 
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone MX record. - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -- [Template references](#Template-references) ## Resource Types @@ -16,13 +15,6 @@ This module deploys a Private DNS Zone MX record. | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Network/privateDnsZones/MX` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) | -<<<<<<< HEAD -| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Network/privateDnsZones/MX` | 2020-06-01 | -======= -| `Microsoft.Network/privateDnsZones/MX` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) | ->>>>>>> main - ## Parameters **Required parameters** @@ -87,12 +79,3 @@ Create a role assignment for the given resource. If you want to assign a service | `name` | string | The name of the deployed MX record | | `resourceGroupName` | string | The resource group of the deployed MX record | | `resourceId` | string | The resource ID of the deployed MX record | - -<<<<<<< HEAD - -## Template references - -- [Privatednszones/MX](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/MX) -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -======= ->>>>>>> main diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md index e1b16fdf33..445afd3e87 100644 --- a/arm/Microsoft.Network/privateDnsZones/PTR/readme.md +++ b/arm/Microsoft.Network/privateDnsZones/PTR/readme.md 
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone PTR record.
 - [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
-- [Template references](#Template-references)
 ## Resource Types
@@ -16,13 +15,6 @@ This module deploys a Private DNS Zone PTR record.
 | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/PTR` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) |
-<<<<<<< HEAD
-| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.Network/privateDnsZones/PTR` | 2020-06-01 |
-=======
-| `Microsoft.Network/privateDnsZones/PTR` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR) |
->>>>>>> main
-
 ## Parameters
 **Required parameters**
@@ -86,12 +78,3 @@ Create a role assignment for the given resource. If you want to assign a service
 | `name` | string | The name of the deployed PTR record |
 | `resourceGroupName` | string | The resource group of the deployed PTR record |
 | `resourceId` | string | The resource ID of the deployed PTR record |
-
-<<<<<<< HEAD
-
-## Template references
-
-- [Privatednszones/PTR](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/PTR)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-=======
->>>>>>> main
diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
index c2d35f6d26..d03d498969 100644
--- a/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SOA/readme.md
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone SOA record.
 - [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
-- [Template references](#Template-references)
 ## Resource Types
@@ -16,13 +15,6 @@ This module deploys a Private DNS Zone SOA record.
 | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/SOA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) |
-<<<<<<< HEAD
-| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.Network/privateDnsZones/SOA` | 2020-06-01 |
-=======
-| `Microsoft.Network/privateDnsZones/SOA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA) |
->>>>>>> main
-
 ## Parameters
 **Required parameters**
@@ -90,12 +82,3 @@ Create a role assignment for the given resource. If you want to assign a service
 | `name` | string | The name of the deployed SOA record |
 | `resourceGroupName` | string | The resource group of the deployed SOA record |
 | `resourceId` | string | The resource ID of the deployed SOA record |
-
-<<<<<<< HEAD
-
-## Template references
-
-- [Privatednszones/SOA](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SOA)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-=======
->>>>>>> main
diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
index 1fa643ecd5..609221eb53 100644
--- a/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/SRV/readme.md
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone TXT record.
 - [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
-- [Template references](#Template-references)
 ## Resource Types
@@ -16,13 +15,6 @@ This module deploys a Private DNS Zone TXT record.
 | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/SRV` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) |
-<<<<<<< HEAD
-| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.Network/privateDnsZones/SRV` | 2020-06-01 |
-=======
-| `Microsoft.Network/privateDnsZones/SRV` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV) |
->>>>>>> main
-
 ## Parameters
 **Required parameters**
@@ -89,12 +81,3 @@ Create a role assignment for the given resource. If you want to assign a service
 | `name` | string | The name of the deployed SRV record |
 | `resourceGroupName` | string | The resource group of the deployed SRV record |
 | `resourceId` | string | The resource ID of the deployed SRV record |
-
-<<<<<<< HEAD
-
-## Template references
-
-- [Privatednszones/SRV](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/SRV)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-=======
->>>>>>> main
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
index 77d45b24d4..43003f4bc6 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/readme.md
@@ -7,7 +7,6 @@ This module deploys a Private DNS Zone TXT record.
 - [Resource Types](#Resource-Types)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
-- [Template references](#Template-references)
 ## Resource Types
@@ -16,13 +15,6 @@ This module deploys a Private DNS Zone TXT record.
 | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) |
-<<<<<<< HEAD
-| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.Network/privateDnsZones/TXT` | 2020-06-01 |
-=======
-| `Microsoft.Network/privateDnsZones/TXT` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT) |
->>>>>>> main
-
 ## Parameters
 **Required parameters**
@@ -86,12 +78,3 @@ Create a role assignment for the given resource. If you want to assign a service
 | `name` | string | The name of the deployed TXT record |
 | `resourceGroupName` | string | The resource group of the deployed TXT record |
 | `resourceId` | string | The resource ID of the deployed TXT record |
-
-<<<<<<< HEAD
-
-## Template references
-
-- [Privatednszones/TXT](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/TXT)
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-=======
->>>>>>> main
From b04fa7692855a484cd797567e95f604cb29c8486 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 12:59:57 +0200 Subject: [PATCH 11/11] Update to latest
--- .../privateDnsZones/AAAA/readme.md | 22 ++++--------------- 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
index e25c2d4ffc..c218d5a07d 100644
--- a/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
+++ b/arm/Microsoft.Network/privateDnsZones/AAAA/readme.md
@@ -5,8 +5,8 @@ This module deploys a Private DNS Zone AAAA record.
 ## Navigation
 - [Resource Types](#Resource-Types)
-- [Outputs](#Outputs)
 - [Parameters](#Parameters)
+- [Outputs](#Outputs)
 ## Resource Types
@@ -15,7 +15,10 @@ This module deploys a Private DNS Zone AAAA record.
 | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) |
 | `Microsoft.Network/privateDnsZones/AAAA` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-06-01/privateDnsZones/AAAA) |
+## Parameters
+
 **Required parameters**
+| Parameter Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the AAAA record. |
 | `privateDnsZoneName` | string | Private DNS zone name. |
@@ -75,20 +78,3 @@ Create a role assignment for the given resource. If you want to assign a service
 | `name` | string | The name of the deployed AAAA record |
 | `resourceGroupName` | string | The resource group of the deployed AAAA record |
 | `resourceId` | string | The resource ID of the deployed AAAA record |
-
-## Parameters
-
-**Required parameters**
-| Parameter Name | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the AAAA record. |
-| `privateDnsZoneName` | string | Private DNS zone name. |
-
-**Optional parameters**
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `aaaaRecords` | array | `[]` | The list of AAAA records in the record set. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `metadata` | object | `{object}` | The metadata attached to the record set. |
-| `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
-| `ttl` | int | `3600` | The TTL (time-to-live) of the records in the record set. |